Johannesburg Struggles to Recover From Ransomware AttackIt's the Second Attack to Target South African City This Year
Johannesburg has been hit with a ransomware attack that is crippling municipal services, according to South African news media reports and the city's Twitter feed. City Power, an electric utility owned by the city that was hit by a similar attack in July - also was affected by the latest attack.
In a ransom note posted to the Johannesburg Twitter account Thursday, a group calling itself Shadow Kill Hackers demanded four bitcoins ($33,600) from the city by 5 p.m. on Monday, Oct. 28, threatening to post city data on the internet if the payment is not made, according to The South African.
Although the city took the ransom note down from its Twitter feed, some local residents captured screenshots of the message.
The ransom note stated: "All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information."
The ransomware attack started late Thursday, and city officials continued to struggle to return services to residents of of Monday, according to local media reports. The city of Johannesburg's main website remained down as of Monday, and city officials noted that the municipal IT team took e-service and city websites offline as a precaution. This includes SAP-based payment and customer relationship management systems as well, according to the city's Twitter account. City officials did not say whether they plan to recover the IT systems on their own or pay the ransom.
On Monday, The South African reported that city officials expect to have about "80 percent" of services restored by the end of the business day. The city's Twitter account was still posting messages Monday about the attack and what services remain disrupted.
The City has detected a network breach in its systems ^TK pic.twitter.com/r43iiJiUya— City of Joburg (@CityofJoburgZA) October 24, 2019
"The incident is currently being investigated by City of Joburg cyber security experts, who have taken immediate and appropriate action to reinforce security measures to mitigate any potential impacts," according to the city's Twitter account.
Local news organizations reported that several Johannesburg banks were investigating Thursday cyber incidents, although it's not clear if these were related to the ransomware attack on the city.
Thursday's attack was the second ransomware incident to affect the city of Johannesburg this year.
In July, ransomware hit City Power, which provides electricity for Johannesburg and is owned by the city. That attack knocked out power to some residents, and many could not buy electricity from City Power, pay their utility bills or access other services (see: Johannesburg Utility Recovering After Ransomware Attack).
The strain of ransomware that hit City Power was never revealed, and it's not known if the July incident is connected to Thursday's attack.
On its Twitter feed, City Power urged local residents to use the company's mobile app because some services from its main website were disabled and its call center remained offline Monday.
UPDATE: Please find the media release about COJ hacked computer systems.^JM pic.twitter.com/q7oEwIurpx— @CityPowerJhb (@CityPowerJhb) October 25, 2019
Attacks Against Cities
In the U.S., ransomware attacks that have targeted healthcare organizations, local municipalities, city governments and school districts have been increasing, according to an analysis published earlier this month by security firm Emsisoft.
That report found over 600 ransomware attacks in the first nine months of the year. And while healthcare systems were hit particularly hard, Emsisoft researchers found nearly 70 incidents involving local, city and state governments (see: Just How Widespread Is Ransomware Epidemic?).
Over the last several weeks, however, Emsisoft CTO Fabian Wosar says his firm has noticed ransomware attacks have shifted away from the U.S. toward South Africa, Canada, Spain and Australia. He also noted that the ransom note sent to Johannesburg officials showed a level of customization not previously seen.
"The ransomware used in this attack may be custom," Wosar told Information Security Media Group on Friday. "The personalized login screen message is quite unusual and not one that we've encountered previously."
In addition to tracking the Johannesburg attack, Emsisoft is trying to determine if the recent shift away from U.S. is a new pattern for attackers. "Whether this is coincidental, we can't say, but it certainly appears that bad actors are trying their luck in new territories," Wosar says.
Matt Walmsley, director for Europe, Middle East and Africa at security firm Vectra, says that the relatively small amount of ransom that the Johannesburg attackers are seeking seems to be a way to ensure that something is paid to them.
"Cybercriminals are increasingly making rational economic decisions around targeting organizations and demanding ransom levels that they believe will have a higher likelihood of payment," Walmsley tells ISMG. "Cybersecurity teams supporting the city will undoubtedly be working flat out to confirm the extent of any attack to aid officials in deciding if they should pay."
Over the last year, attackers have had mix success in extorting U.S. cities for ransom. In June, for example, the city of Riviera Beach, Florida, agreed to pay hackers about $600,000 in bitcoin to end a ransomware attack that crippled the city's IT infrastructure for nearly a month.
But the city of Baltimore refused to pay a ransom, with city officials deciding to undergo the process of recovering their IT systems rather than pay for a decryption key. The city reports that it has spent about $18 million so far on recovery costs and buying new equipment.