Ransomware with a difference as hackers threaten to release city data

Johannesburg spent the weekend struggling to recover from its second cyberattack this year, after taking key service systems offline.

The city first alerted users to the attack via Twitter on Thursday 24 October.

The cyberattack came from a group calling itself the Shadow Kill Hackers. Some media outlets are reporting it as a ransomware attack, but according to a note reportedly sent to city employees and shared on Twitter, the hackers didn’t encrypt data. Instead, they stole it and threatened to upload it to the internet if the City didn’t pay up. The note read:

All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.

The group reportedly demanded a payment of four bitcoins (£30,347) by 5pm today, Monday 28 October, or it would release the compromised data.

The attack also affected City Power, a city-owned utility providing pre-paid electrical power to residents. It said that it was experiencing call centre problems due to the incident, and urged people to use its mobile app to log power problems instead. It also said that billing systems had been affected.

The City updated citizens on 25 October with several tweets.

Johannesburg added that its call centre and e-services platforms all remained offline, alongside its website. Cashiers also remained offline, it said, adding that people could pay municipal accounts via electronic funds transfer and third-party payment systems.

In an interview with a local TV station on Friday, a City spokesperson explained the rationale for shutting down key systems:

We shut down the system as a professional measure to protect the integrity of our data and make sure that the critical information of customers is not compromised…

It was important for us to safeguard systems fast before we began remedial work.

He added that the hackers had compromised systems “at the user level rather than the application level as such”. The application level is where the account numbers were held, he said, and “that part had not been affected as yet.”

The hacking group fought back on Twitter, seeming to dispute the suggestion that sensitive customer account data had not been compromised, while also stating that it was not responsible for attacks on several South African banks around the same time.

In another tweet on Friday, the group accepted responsibility for hacking resort company First Group SA. That company’s site was also down on Sunday night.

As the reported deadline approached, the hacking group turned up the pressure on the City of Johannesburg.

City Power spokespeople told reporters that the attackers “won’t get a cent”. At the time of writing, that seemed accurate: there were no significant transactions into the bitcoin address reportedly quoted in the extortion note.

This is the second publicly known attack that the City of Johannesburg has weathered this year. In July, a ransomware infection encrypted City Power’s database, internal network, web apps, and website, making it difficult for people to purchase power from the company.