Johannesburg, the biggest city in South Africa and the 26th largest city worldwide, has shut down its website, billing and electronic services after being hit by a serious network attack, the second one in three months, municipality officials said.
A group calling itself Shadow Kill Hackers took to Twitter to take credit for the attack, claiming it took Johannesburg’s “sensitive finance data offline.” The group is demanding 4 Bitcoins, valued at about $32,000 US, for the safe return of the data.
A Johannesburg spokesman said the city took down the site after it detected a breach and that so far no formal ransom demands had been made. He also played down the extent of the breach.
“It was picked up very early while it was at the user level, before it reached the applications level where critical information sits,” he told a TV news reporter. “So for us it was important that we safeguard the information first, before we start with the remedial work.”
All your servers have been hacked
Accounts on Twitter told a different story. This purported image of the ransom note, which was addressed to “Joberg city” claimed to have full control over the city’s network. Rather than encrypting the data and demanding a ransom in return for the encryption key, the attackers appeared to threaten to publish the data unless the money was handed over.
“All of your servers have been hacked,” the note stated. “We have dozens of backdoors inside your city.” The note went on to demand the Bitcoin ransom by Monday. “If you don’t pay on time, we will upload the whole data to anyone on the Internet,” the note continued. “If you pay on time, we will destroy all the data we have, and we will send you IT a full report about how we hacked your system and your security….”
The group’s Twitter messages also said the site outages weren’t the result of Johannesburg officials taking their systems offline as the officials claimed, but rather the hacking group turning off the city’s domain name system, which is used to help translate domain names into IP addresses. Another Twitter message posted what purported to be screenshots showing DNS controls and an Active Directory set up for Johannesburg City network.
This is the second breach in the past three months to hit the city. In July, Johannesburg’s municipal power provider suffered a ransomware attack that left residents without electricity.
In the first nine months of this year, at least 621 government entities, healthcare service providers and school districts, colleges and universities have been hit by ransomware, according to security firm Emsisoft recently reported. At least 68 of those attacks were on state, county and municipal entities. An attack in June on Baltimore cost the city at least $18 million. Three Florida cities were also infected this year.
Emsisoft spokesman Brett Callow told Ars that the Johannesburg attackers appeared to be new to the ransomware scene.
“The personalized login screen message is quite unusual and not one we’ve seen before,” he said. “Nor is the email address provided in the ransom note one that we’ve seen used in other attacks (it’s also never been used in any previous submission to ID Ransomware).”
The Johannesburg spokesman, meanwhile, said the city’s IT staff is working around the clock to get systems back online.