Johannesburg, South Africa, is an alpha city on a booming continent—a financial powerhouse and one of the most important cities in the world. It’s also a repeat victim of hackers who at least twice in three months have shut down important city services and networks.
The new attack: On Thursday night, the city of Johannesburg shut down its website, e-services, and billing as a result of a “network breach which resulted in unauthorized access to [city government] information systems.”
Local media reported that hackers demanded ransom, but city spokesman Nthatisi Modingoane went on television on Friday to assert that there was no “formal demand for ransom.”
“What we do know is that yes, the system was hacked, and we’re doing everything in our power to make sure the system is protected,” Modingoane said. “The hacking happened at the user level, not at the application level, which is where the critical data sits. When we noticed the user level being impacted, we shut down the system as a precautionary measure to protect the critical information of customers.”
City officials don’t know who is behind this latest attack.
“I actually think Johannesburg is doing the right thing here,” said Allan Liska, an analyst at the security company Recorded Future. “They aren't sure of the extent of the attack so they are shutting down systems to conduct an effective incident response. It is incredibly inconvenient for their constituents, but that abundance of caution will allow the city to effective assess any weak points and hopefully patch them before real damage can be done.”
Powerless: With a population well above five million people, Johannesburg is the biggest city to fall victim to ransomware—and now another unspecified hack.
In July, a separate ransomware incident hit the city’s power utility company. Some residents were left without power for days because customers couldn’t pay for their power while the company’s databases were encrypted and, for a time, useless.
Just hours after Johannesburg was hit this week, the South African Banking Risk Information Centre reported that multiple banks were targeted with distributed-denial-of-service attacks, according to local news broadcaster eNCA.
The exact details of that attack remain unclear as well, and banking services have been disrupted to some extent, but the banks say no data breach or risk to customers has occurred. It’s unknown if the two incidents are related or represent two separate hacking groups crossing paths as they simultaneously target South Africa’s capital city.
Ransomware as a business: Criminals searching for vulnerable targets and worthwhile paydays have zeroed in on local governments around the globe. In the United States, at least 80 state and local governments have been hit. At a fundamental level, the reason is obvious.
“It’s hugely profitable,” says Fabian Wosar, the chief technical officer for the cybersecurity firm Emsisoft.
“Back in 2015, there were something like 92 unique ransomware families,” says Ed Cabrera, chief cybersecurity officer of Trend Micro. “By 2016, the number is 247, which is around a 750% increase.” The growth reflects how attractive the attacks are for hackers: “It usually takes months for traditional malware to monetize attacks, but ransomware monetizes within minutes or days.”
And the attacks are getting more sophisticated.
“Before, it was a volume play with spray-and-pray tactics,” Cabrera says. “Now they do a little more homework on access and persistence, so they might have more of a payout toward the end. With ransomware as a service, you’re able to scale quicker and have a bigger return.”