In July, the South African city of Johannesburg was targeted by a ransomware attack. As PR News Corp reported back then, the attack forced utility provider City Power to completely shut down. The incident was costly for both the city (the largest in South Africa) and its customers, as removing the ransomware took time. It appears that hackers are not quite finished with the South African municipality, however, as it has recently experienced yet another massive ransomware incident.
According to the local South African news website Business Day, hackers have compromised multiple key networks belonging to Johannesburg. The hackers, calling themselves the Shadow Kill Hackers, released a ransom note that demands four bitcoins by Oct. 28 and threatens otherwise to “upload all the data onto the internet.” They also said the following in the note:
All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.
The city confirmed the attack in the following tweet from their official account:
Joburg System Breach Update:
☎️ Call centre, website & e-services platforms remain off-line
💳 Municipal account payments can be done via EFT and 3rd party payment services
🚨 Call 112 in case of emergency
☝️ Critical systems are in the process of being restored
#JoburgUpdates ^NS pic.twitter.com/pjep99yKCZ
— City of Joburg (@CityofJoburgZA) October 25, 2019
At the time of this article’s writing, the investigation is still ongoing and the city of Johannesburg has not paid the ransom (which should never be the choice). It is unknown how the ransomware was able to enter such sensitive networks, especially after such a high-profile incident merely months ago. At this point, it is only speculation, but it is plausible that the city of Johannesburg did not make enough security protocol changes after the City Power incident.
Once the city figures out how to handle this particular incident, the next step should be twofold. First, Johannesburg must implement a total overhaul of its cybersecurity processes. Second, investigators need to get a handle on why Johannesburg specifically is being targeted so frequently.
Patrick de Laive