City Of Johannesburg Threatened With Ransomware Data Release

Cyber security in South Africa’s biggest city is once again in the news after a ransomware attack on the City of Johannesburg municipality computer network.

The attack shuttered the municipality website, as well as its e-services platform, and the billing system. The attack also led to unauthorised access of sensitive data according to a ransom note.

This is not the first time that the city has been struck. In July a power utility in Johannesburg (City Power), which is responsible for providing electricity to the financial heart of South Africa, suffered a ransomware attack that encrypted encrypted all of its databases, applications and network, which has impacted its services. It should be noted that City Power is owned by the city municipality.

Johannesburg attack

News of the new ransomware attack emerged in a number of Twitter posts, as well as local media outlets.

It was later officially confirmed by the municipality on Twitter.

The attack took place on Friday night, supposedly by a group calling themselves, “Shadow Kill Hackers,” who demanded payment of 4.0 bitcoins ($39,000) by 5pm on 28 October or they will upload all stolen data onto the internet.

The group claims the data includes passwords and other sensitive data, such as finance and personal population information.

“The incident is currently being investigated by City of Joburg cyber security experts, who have taken immediate and appropriate action to reinforce security measures to mitigate any potential impacts,” said the municipality notification. “As a result several customer facing systems – including the city’s website, e-services and billing systems – have been shut down as a precaution.”

And the ransom demand from the hackers has also been published.

“Hello Joburg city!” reads the hackers note. “Here are Shadow Hackers speaking. All your servers and data have been hacked. We have dozens of back doors inside your city.”

“We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information,” the note read.

“Your city must pay us 4.0 Bitcoins (thats a very small amount of money) to the following address,” the demand read. “If you don’t pay us on time, we will upload the whole data available to anyone in the Internet.”

The note concluded by wishing South African officials a “nice weekend.”

The municipality in an update said that it has managed to restore about 80 percent of its systems, and that it would not pay the hackers.

Expert viewpoints

Experts noted that the ransomware demand is not particularly high, so as to encourage the victim to simply pay up.

“Extortion is a well-established approach for cyber criminals and is used through tactics that include threatening denial of service, doxing, and ransomware,” explained Matt Walmsley, EMEA director at Vectra.

“In the reported case of the city of Johannesburg, the 4 Bitcoin ransom (circa $30K USD / £23.3 GBP / €26.8 EUR) is meaningful but not particularly high and so may be pitched at that level to encourage a decision to pay,” said Walmsley. “Cyber criminals are increasingly making rational economic decisions around targeting organisations and demand ransom levels that they believe will have a higher likelihood of payment.”

“All too often we are reminded that defensive controls are imperfect, and the ability to quickly detect and respond to live attacks that have successfully penetrated an organisation can make the difference between a contained incident and damaging breach,” he said.

Another expert noted that this attack shows how vulnerable local government and cities are to ransomware attacks.

“Once again, this attack is illustrative of how vulnerable city governments are to ransomware attacks,” said Dave Weinstein, CSO for Claroty. “The culprit continues to be legacy infrastructure that is either extremely difficult or cost prohibitive to patch in a timely manner.”

“Unfortunately for many cities, paying the hackers is the best-bad option,” he added. “This only provokes copycat attacks. The best way to reverse the trends we’ve been seeing globally is to have sufficient backups in place so that refusing to pay is a more palpable option.”

Another expert agreed with this assessment.

“Cities and municipalities are a low-hanging fruit for cybercriminals,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb. “These victims usually lack the budget and skills to implement a requisite level of protection and continuous security monitoring. Worse, they have critical and/or sensitive IT systems that generate incalculable losses if unavailable.”

“Payments in bitcoins largely exacerbate the situation by making attacks virtually untraceable and non-investigable,” said Kolochenko. “We should expect further growth of ransomware attacks deliberately targeting susceptible cities unless the government urgently subsidies cybersecurity and data protection for its entities.”

Do you know all about security? Try our quiz!