City of Johannesburg, on Second Hit, Refuses to Pay Ransom

A Shadow Kill Hackers attack that compromised the city’s network and shut down key services was the second ransom-related attack on the city in months.

The city of Johannesburg, South Africa, is refusing to pay a ransom of four Bitcoins to a hacker group who accessed the city’s network and stole sensitive data, threatening to release it if the ransom wasn’t paid.

It’s the second time in several months that the city has been hit with a cyberattack demanding ransom. In July, a ransomware attack on Johannesburg’s City Power, which is owned by the city itself, left some residents without electricity for days.

The latest saga started on Thursday, Oct. 24, when the city announced on its official Twitter account that it had “detected a network breach which resulted in unauthorised [sic] access to its information system.”

The city immediately shut down access to its online services, including the city’s website, e-services and SAP-based CRM billing system, according to the post.

A group called Shadow Kill Hackers quickly claimed responsibility for the attack, according to multiple reports. The group apparently sent the city a ransom note warning them that hackers had “control of everything in your city.”

“We also compromised all passwords and sensitive data such as finance and personal population information,” according to the note.

To prove this, Shadow Kill posted screenshots on Twitter showing that they had access to the city’s Active Directory server, according to reports.

Indeed, the city, home to around 5 million, acknowledged that the attack was serious, but officials still refused to give in to the hackers’ ransom demands, which amount to about $30,000.

“The City of Johannesburg can confirm that the recent cyberattack on our ICT systems has had a significant impact on our ability to deliver services to our residents,” City Councillor Funzela Ngobeni said in a statement published on Facebook on Monday, Oct. 28, which was also the ransom deadline set by the hackers. “I can confirm that the City will not concede to their demands and we are confident that we will be able to restore systems to full functionality.”

By Monday the city had managed to restore customer-facing systems from “a technical perspective,” including “Billing (SAP ISU and CRM); Property Valuation System; Land Information System; eHealth and Libraries services,” according to the statement. At the time, Ngobeni said the city was still in the process of returning e-services to normal functionality and apologized for the impact on its customers.

Indeed, when an organization is hit with such an attack, there are typically two options for getting stolen data back: having an up-to-date backup of the affected systems from which to restore the data, or paying the ransom, Cesar Cerrudo, CTO of IOActive, said in an email to Threatpost.

Johannesburg has apparently chosen the former option, though not without a different kind of cost, he said.

“In situations like the one facing Johannesburg, not paying means finding a way to get systems back to normal without a backup,” Cerrudo said. “As the days pass since the attack, we are seeing the strain caused by the lapse in their systems, including wasted time, resources and money.”

Unfortunately, ransomware attacks aren’t going away anytime soon. Security experts predict that organizations will continue to be at risk from these types of attacks, which will also grow increasingly sophisticated.

Companies should start planning now for how they will handle future ransomware attacks, whether it means paying ransoms or shoring up their own resources, Cerrudo suggested.

“Nobody wants to negotiate with criminals, but sometimes it’s the smartest option,” he said. “Municipalities need to start acknowledging that they made a mistake by not having proper backups in place instead of playing innocent victims. Ransomware and cyber-criminals are bad, but not having good security and backups is worse.”
