Play Me

11116258696?profile=RESIZE_400xThe ransomware group Play, which is taking credit for the hacking of Lowell Massachusetts municipal network on 24 April.  Play has released 5 gigabytes of data from that theft and posted it to the dark web.

The cybercriminal group, which has been active since last year, posted a link to the data, which a threat analyst with cybersecurity provider Emsisoft, said is available for viewing and download by any user on that system.  "The info is out there, and while at the moment it's on the dark web, there is no way of knowing where else it may appear, or when it may appear," he said. "There's no way of knowing how many people have now accessed that data or where and when it may subsequently be reshared."

Play's news feed, which lists six pages of cyber-attacks including Lowell, says the data is "Private and personal confidential data, finance, taxes, clients and employee information.  For now partially published compressed 5gb.  If there is no reaction full dump will be uploaded."

The "reaction" is presumed to be payment of Play's ransomware demand.  Emsisoft said demands can range from tens of thousands of dollars to multimillion-dollar payments.  "Ransomware attacks have two parts to them," it said.  "The first part is that the hackers steal a copy of the data.  Then they encrypt and lock the system from those that they've stolen.  Then they ask for a ransom that covers two things: Firstly, unlocking the locked systems, and secondly, destroying that stolen data.  Or supposedly destroying it."

The City of Lowell, which has not updated its website with the status of the hack since 5 May, has also not disclosed the ransomware amount that Play has allegedly demanded.  City Manager Tom Golden said by text last week that, "At this time, Lowell continues to work with our partners in the Federal and State law enforcement."  Paying the ransomware demand is no guarantee of a successful outcome, but the longer the city holds out, potentially more data could be released, Emsisoft explained.  "The city will be deciding whether it needs to pay," the annalysts said.  "And then, it's really quite simple.  If it does decide that it needs to pay, it will get a decryption key and recover [the data] that way.  If they refuse to pay, then Play will probably release the remaining data."

Some hacking cases have resulted in taxpayer or employee financial information ending up online.  But the release of sensitive personnel information is more problematic and harder to manage, according to Callow.  "If things like disciplinary records end up online or allegations of sexual assault, for example, that's not fixable," he said.  "Once that stuff is out there, it's out there forever."

An internal document sent to city employees by Lowell’s Chief Information Officer, whose Management Information Systems falls under the Finance Department led by Chief Financial Officer Conor Baldwin, said that going forward the rebuilt network will only be accessed via multifactor authentication, a verification system in which users receive a code sent to an external device to gain access to the system.  "The use of [multifactor authentication] on your accounts makes you 99% less likely to be hacked," noted Emsisoft.  "It is the single biggest thing that any organization can do to reduce its risk profile.  Every organization should be doing it."

As the city works with its cybersecurity partners to address the crisis, Callow said residents can take steps now to protect their data.  "If I was a taxpayer in Lowell, I would be working on the assumption that whatever information the city held about me was now in the hands of cyber criminals," he said. "It is better to be safe than sorry," and he recommended monitoring financial accounts for irregular or suspicious transactions.

Paying to stop the release of more data does not ensure that the data that has been stolen will be destroyed.  "These people are criminals and there's absolutely no reason to believe that they will do what they say they will do," Emsisoft cautioned.  "This is an attack that they want to be able to monetize. It's as simple as that."

Source: Hackers Post Data to Dark Web After Massachusetts Cyber Attack (

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!