Ransomware with a difference as hackers threaten to release city data – Naked Security


Johannesburg spent the weekend struggling to recover from its second cyberattack this year as it took key services systems offline.

The city first alerted users of the attack via Twitter on Thursday 24 October:

The cyberattack came from a group calling itself the Shadow Kill Hackers. Some media outlets are reporting it as a ransomware attack, but according to a note reportedly sent to city employees and shared on Twitter, the hackers didn’t encrypt data. Instead, they stole it and threatened to upload it to the internet if the City didn’t pay up. The note read:

All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.

The group reportedly demanded a payment of four bitcoins (£30,347) by 5pm today, Monday 28 October, threatening to release the compromised data otherwise.

The attack also affected City Power, a city-owned utility providing pre-paid electrical power to residents. It said that it was experiencing call centre problems due to the incident, and urged people to use its mobile app to log power problems instead. It also said that billing systems had been affected:

The City updated citizens on the 25th with several tweets, including this one:

Johannesburg added that its call centre and e-services platforms all remained offline, alongside its website. Cashiers remained offline, it said, adding that people could pay municipal accounts via electronic funds transfer and third-party payment systems.