WorldLeaks group hit Los Angeles and its Metro, forcing a shutdown, while two Bay Area cities declared emergencies after ransomware attacks.
This week, local media reported that an unauthorized activity hit Metro’s internal systems, forcing the agency to limit access and disrupting station arrival displays.
“Unauthorized activity on internal administrative computer systems prompted Metro to limit access to those systems, resulting in station monitors not displaying arrival times, the transit agency announced Thursday.” reported NBC Los Angeles.
Riders face issues adding funds to TAP cards online or via support, so Metro urges them to use ticket machines. Rail and bus services continue to run normally, and no customer or employee data is affected. Metro continues security checks and works to restore full access.
In a separate incident, officials in Foster City said a ransomware attack is widely disrupting municipal services and pushing leaders to declare a state of emergency to secure external support and funding. Emergency services like 911 continue to operate normally, but many city services that rely on internal systems remain unavailable. City Hall stays open with limited services.
The city identified the attack early Thursday and quickly took most systems offline to protect the network. Officials are working with independent cybersecurity experts to investigate and restore operations.
The disruption affects digital services and access to information, while core emergency response remains intact. Authorities say it is still unclear whether attackers accessed or copied sensitive data, but they warn that public information may have been exposed. As a precaution, officials urge anyone who has interacted with the city to change passwords and take steps to protect their personal data.
“Out of an abundance of caution, those who have done business with the City of Foster City are encouraged to change their personal passwords and take measures to protect their personal data,” the city said, as reported by the San Francisco Chronicle.
On March 20, 2026, the WorldLeaks ransomware group added the City of Los Angeles to the list of victims on its data leak site.
The ransomware group claimed the theft of 159.9 GB (779 files).WorldLeaks is an extortion-focused cybercrime group that steals company data to pressure victims into paying, threatening public leaks if they refuse. The group emerged in 2025 after rebranding from Hunters International, a ransomware gang active since 2023. Following increased law-enforcement pressure, it abandoned file encryption and shifted entirely to data theft and extortion, claiming hundreds of victims to date.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Los Angeles)
Facts Only
WorldLeaks ransomware group targeted Los Angeles and its Metro system
Ransomware attack in Foster City
Metro's internal systems were disrupted, causing station arrival displays to malfunction
Riders face issues adding funds to TAP cards online or via support
Rail and bus services continue to run normally in Los Angeles
No customer or employee data affected in Los Angeles
Ransomware attack in Foster City disrupted municipal services
Emergency services like 911 continue to operate normally
Many city services in Foster City remain unavailable
Authorities are working to restore operations in Foster City
Officials urge residents to change passwords and protect personal data in Foster City
WorldLeaks group claimed theft of 159.9 GB (779 files) from the City of Los Angeles on March 20, 2026
Executive Summary
Full Take
The WorldLeaks ransomware group, formerly known as Hunters International, has targeted both the City of Los Angeles and Foster City, leading to disruptions in transportation and municipal services. The group is known for stealing company data to pressure victims into paying ransoms, threatening public leaks if they refuse. This incident highlights the growing threat of ransomware attacks against critical infrastructure and public services.
In response to these attacks, it is essential to prioritize cybersecurity measures and invest in protective technologies. Additionally, authorities should consider proactive measures such as data backups and incident response plans to minimize the impact of such attacks. Residents and businesses should also be encouraged to strengthen their own cybersecurity practices to reduce the likelihood of becoming a target.
Questions for further inquiry:
What measures are being taken to protect critical infrastructure and public services from future ransomware attacks?
What can be done to improve the resilience of cities and transportation systems to withstand such attacks?
How can authorities and individuals collaborate to prevent and respond to ransomware attacks more effectively?
Patterns detected: ARC-0043 Motte-and-Bailey, ARC-0024 Ambiguity (The article does not provide a clear explanation of the motivations or methods behind the attacks, creating a motte-and-bailey argument that allows for ambiguity)
