Johannesburg Hit With Major Ransomware Attack


The City of Johannesburg has joined the rapidly expanding group of cities, towns, and other government entities that have fallen victim to ransomware attacks, and city officials are refusing to pay the attackers’ ransom demands.

The attack on South Africa’s largest city has had a cascading effect, forcing the government’s main website offline, crippling several of its departments, and preventing many of the agencies from accepting payments or conducting other transactions. City officials said that the attackers have demanded a payment of four Bitcoins to unlock the compromised systems, but the government is planning to try to restore the systems rather than pay.

“I can confirm that the city will not concede to their demands and we are confident that we will be able to restore systems to full functionality. We have made significant progress and if we continue on this trajectory we should be able to restore 80% of all our systems,” Funzella Ngobeni, a Member of the Mayoral Committee on Finance, said in a statement published Monday.

The attackers hit Johannesburg on Oct. 24, and Ngobeni said that the intrusion has “had a significant impact on our ability to deliver services to our residents.” The city’s main call center for resident information is offline, as are city planning and other systems. The attackers, who call themselves the Shadow Kill Hackers, gave the city government until today to pay the ransom and threatened to release all of the city’s compromised data publicly if it did not.

The list of municipalities and government agencies that have been hit by ransomware is lengthy and growing by the day. Some of the victims have been large cities, including Baltimore, while others have been small counties or towns. In August, an attacker compromised systems belonging to more than 20 local government agencies in Texas, and in July a Ryuk ransomware attack on the City of New Bedford, Mass., hit 158 machines and included a ransom demand of $5.3 million. The attack on Baltimore in May included a ransom demand of about $100,000, which city officials refused to pay, and turned into a protracted ordeal with city systems down for several weeks and millions of dollars in cleanup and consulting costs.

Ransomware gangs have begun to focus their energies on governments for several reasons, some of which can be quite difficult to address. The biggest issue is that governments are supposed to deliver services to their constituents. When government systems are offline because of a ransomware attack or other intrusion, the government can’t deliver those services and so the attackers have leverage as residents become frustrated. Victimized government agencies are susceptible to public pressure to pay the ransom and get services back online. Also, government agencies, particularly smaller state and local ones, sometimes rely on older software and may not have dedicated security teams to help defend their systems.

Attackers also have the luxury of being able to select likely victims and choose the time of their attacks to exert the maximum amount of pressure. In the case of Johannesburg, the attack hit at a time when the city was in the middle of monthly billing and payment cycles.

“This attack is opportunistic in both its form and its timing. It is opportune in that it is timed to coincide with all City month end processes affecting both supplier payments and customer payments,” Ngobeni said.