- Johannesburg was attacked by ransomware actors again, and this time the target was the city council.
- The actors managed to bring all systems down and reportedly asked for a ransom payment in Bitcoin.
- Currently, no email services are available to municipal employees, and no billing can be processed.
The South African capital suffered a ransomware attack on Thursday afternoon, and it is still in the process of recovering, as reported by Reuters. The attack affected all call centers, websites, and online electronic platforms of the metropolitan municipality of the City of Johannesburg, the economic hub of the country. To give an idea of the critical role that Johannesburg plays for South Africa, this city of five million contributes 16% of the total national economic activity. The disruption in the city council’s network is therefore a noticeable blow to the South African economy.
As reported, the hackers demanded ransom in Bitcoin, but this wasn’t officially confirmed. Right now, the IT teams of the City of Johannesburg are striving to get the city’s billing systems, internet, and email back to a working state. One spokesman of the city council told the press that some messages did indeed demand money, while others threatened to physically harm the employees. The city’s first response was to shut the whole system down in order to prevent a large-scale infection. To what extent this succeeded remains an open question at this point.
Back in July, we saw another case of ransomware hitting Johannesburg, and more specifically, its electric power producer and distributor, "City Power." The ransomware attack encrypted all of their databases, applications, and network, leaving parts of the city in the dark. Whether or not "City Power" paid the ransom back then wasn’t disclosed, but it could have played a role in the actors’ persistence and targeting of the particular city. The City of Johannesburg is simply too critical to have any of its vital systems stay offline for long, and actors know it.
Matt Walmsley, EMEA Director at Vectra, a California-based firm that specializes in AI-backed cybersecurity technologies, has provided TechNadu with the following comment about the recent incident in Johannesburg: “Extortion is a well-established approach for cyber-criminals and is used through tactics that include threatening denial of service, doxing, and ransomware. In the reported case of the city of Johannesburg, the 4 Bitcoin ($34.5k) ransom is meaningful but not particularly high and so may be pitched at that level to encourage a decision to pay. Cyber-criminals are increasingly making rational economic decisions around targeting organizations and demand ransom levels that they believe will have a higher likelihood of payment. All too often we are reminded that defensive controls are imperfect, and the ability to quickly detect and respond to live attacks that have successfully penetrated an organization can make the difference between a contained incident and damaging breach.”