Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Johannesburg Struggles to Recover From Ransomware Attack

It's the Second Attack to Target South African City This Year
Johannesburg Struggles to Recover From Ransomware Attack
Johannesburg city hall (Source: Jorge Láscar via Flickr/CC).

Johannesburg has been hit with a ransomware attack that is crippling municipal services, according to South African news media reports and the city's Twitter feed. City Power, an electric utility owned by the city that was hit by a similar attack in July - also was affected by the latest attack.

See Also: The Cost of Underpreparedness to Your Business

In a ransom note posted to the Johannesburg Twitter account Thursday, a group calling itself Shadow Kill Hackers demanded four bitcoins ($33,600) from the city by 5 p.m. on Monday, Oct. 28, threatening to post city data on the internet if the payment is not made, according to The South African.

Although the city took the ransom note down from its Twitter feed, some local residents captured screenshots of the message.

The ransom note stated: "All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.”

The ransomware attack started late Thursday, and city officials continued to struggle to return services to residents of of Monday, according to local media reports. The city of Johannesburg's main website remained down as of Monday, and city officials noted that the municipal IT team took e-service and city websites offline as a precaution. This includes SAP-based payment and customer relationship management systems as well, according to the city's Twitter account. City officials did not say whether they plan to recover the IT systems on their own or pay the ransom.

On Monday, The South African reported that city officials expect to have about "80 percent" of services restored by the end of the business day. The city's Twitter account was still posting messages Monday about the attack and what services remain disrupted.

"The incident is currently being investigated by City of Joburg cyber security experts, who have taken immediate and appropriate action to reinforce security measures to mitigate any potential impacts," according to the city's Twitter account.

Local news organizations reported that several Johannesburg banks were investigating Thursday cyber incidents, although it's not clear if these were related to the ransomware attack on the city.

Second Attack

Thursday's attack was the second ransomware incident to affect the city of Johannesburg this year.

In July, ransomware hit City Power, which provides electricity for Johannesburg and is owned by the city. That attack knocked out power to some residents, and many could not buy electricity from City Power, pay their utility bills or access other services (see: Johannesburg Utility Recovering After Ransomware Attack).

The strain of ransomware that hit City Power was never revealed, and it's not known if the July incident is connected to Thursday's attack.

On its Twitter feed, City Power urged local residents to use the company's mobile app because some services from its main website were disabled and its call center remained offline Monday.

Attacks Against Cities

In the U.S., ransomware attacks that have targeted healthcare organizations, local municipalities, city governments and school districts have been increasing, according to an analysis published earlier this month by security firm Emsisoft.

That report found over 600 ransomware attacks in the first nine months of the year. And while healthcare systems were hit particularly hard, Emsisoft researchers found nearly 70 incidents involving local, city and state governments (see: Just How Widespread Is Ransomware Epidemic?).

Over the last several weeks, however, Emsisoft CTO Fabian Wosar says his firm has noticed ransomware attacks have shifted away from the U.S. toward South Africa, Canada, Spain and Australia. He also noted that the ransom note sent to Johannesburg officials showed a level of customization not previously seen.

"The ransomware used in this attack may be custom," Wosar told Information Security Media Group on Friday. "The personalized login screen message is quite unusual and not one that we’ve encountered previously."

In addition to tracking the Johannesburg attack, Emsisoft is trying to determine if the recent shift away from U.S. is a new pattern for attackers. "Whether this is coincidental, we can’t say, but it certainly appears that bad actors are trying their luck in new territories," Wosar says.

Ransom Demand

Matt Walmsley, director for Europe, Middle East and Africa at security firm Vectra, says that the relatively small amount of ransom that the Johannesburg attackers are seeking seems to be a way to ensure that something is paid to them.

"Cybercriminals are increasingly making rational economic decisions around targeting organizations and demanding ransom levels that they believe will have a higher likelihood of payment," Walmsley tells ISMG. "Cybersecurity teams supporting the city will undoubtedly be working flat out to confirm the extent of any attack to aid officials in deciding if they should pay."

Over the last year, attackers have had mix success in extorting U.S. cities for ransom. In June, for example, the city of Riviera Beach, Florida, agreed to pay hackers about $600,000 in bitcoin to end a ransomware attack that crippled the city's IT infrastructure for nearly a month.

But the city of Baltimore refused to pay a ransom, with city officials deciding to undergo the process of recovering their IT systems rather than pay for a decryption key. The city reports that it has spent about $18 million so far on recovery costs and buying new equipment.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.