Defiant councillor says city government on course to restore 80% of systems

City chiefs in the South African city of Johannesburg have refused to comply with a ransom demand, the deadline for which has now expired.

Attackers threatened to publish data that they found on city systems unless a ransom of four bitcoins was paid to the tune of ZAR500,000 ($34,000).

A group calling themselves the Shadow Kill Hackers claimed responsibility for the breach, first reported on October 24.

A deadline for payment was set almost four days later on October 28.

The city then decided to shut down its public sector networks “as a precaution”.

Nthatisi Modingoane, spokesperson for the City of Johannesburg, told The Daily Swig that the attackers “might have some information, but not critical information”.

This was because the city was able to “intercept the attack at the user level”, Modingoane said.

The investigation, which is ongoing, initially suggested that city employees only had access to data kept on staff “workstations”.

In a TV interview with SABC News, Modingoane also admitted that the authorities “didn’t know who to hand the bitcoins to”.

In a statement issued yesterday (October 28), councillor Funzela Ngobeni said “the city will not concede to [the attackers’] demands”.

He also expressed confidence that systems would be restored “to full functionality” and that they were on the cusp of restoring “80% of our systems”.

Some “critical customer facing systems” – related to billing, property valuation, land information, eHealth and libraries – were already back up and running, he added.

The municipality’s Twitter account has advised customers to use alternative payment methods such as EFT, EasyPay outlets, or the post office.

Modingoane told The Daily Swig that the city was hardening its IT systems before bringing them back online in a phased rollout.

Jo’burg cyber-attacks

This is the second time within a few months that municipal targets in Johannesburg have fallen victim to some form of cyber-attack.

In July, publicly-owned electricity company City Power, which powers Johannesburg, revealed that a ransomware virus had encrypted all of its databases, applications and networks – potentially preventing pre-paid meter customers from topping up online.

During a press conference discussing the latest attack, Cyril Baloyi, the city’s group ICT chief, said: “We do have a plan that was approved on October 3 on how we’re going to deal with those loopholes, but unfortunately the attack hit before that plan could be implemented.”

Shadrack Sibiya, head of group investigation and forensics, told the assembled media that “we do know where the attack came from”, but declined to comment further.

In the written statement, councillor Ngobeni, the city’s elected head of finance, suggested the attack was “timed to coincide with all city month end processes affecting both supplier and customer payments.”

The councillor said officials had “vowed not to rest until we have gotten to the bottom of this matter”.

Modingoane said that investigators are continuing to monitor all platforms for signs that the attackers have followed through on their threat.

At the time of speaking – more than 22 hours since the deadline passed – he said: “We haven’t noticed anything.”

READ MORE Ransomware still dominates the cyber threat landscape in 2019 – Europol report