Johannesburg Utility Recovering After Ransomware AttackIncident Plunges Parts of South Africa City Into Dark
Portions of the South Africa capital of Johannesburg were left in the dark for a part of Thursday, after an unknown ransomware variant knocked out the local electrical utility's network, databases and applications, according to city officials and local media reports.
See Also: 2021: A Cybersecurity Odyssey
By Friday morning, City Power, which provides electricity for Johannesburg and is owned by the city, had restored power and most services for affected residents. The utility was still in the process of recovering its various IT systems and networks on Friday, according to the local officials.
While the ransomware attack knocked out City Power's website and other applications for most of Thursday, the utility did manage to post a series of tweets to keep residents up-to-date on developments and the recovery effort.
City Power will continue to update customers and all stakeholders about the progress of the recovery and restorations. And about the outcomes of the investigation into the cause of the cyber attack.— @CityPowerJhb (@CityPowerJhb) July 26, 2019
What exact variant of ransomware hit City Power on Thursday is not clear, and the utility did not say if the attackers asked for ransom or if officials paid to restore service. While the attack crippled the utility's IT systems, Johannesburg's official Twitter account stressed that no customer data was stolen or breached during the incident.
#JoburgUpdates @CityPowerJhb: Customers should not panic as none of their details were compromised. We apologise for the inconvenience caused to the people of the City of Joburg. Please be patient with us, we expect to have everything back in order by the end of Thursday ^GZ— City of Joburg (@CityofJoburgZA) July 25, 2019
Throughout most of Thursday, many Johannesburg residents could not buy electricity from City Power, pay their utility bills or access other services since the attack knocked out the utility's customer website. Instead, most were directed to City Power's mobile app, which still worked, according to officials and media reports. On Friday, the main customer website remained offline.
Over the past several months, attackers have increasingly used ransomware to target local government agencies or municipalities instead of larger organizations and businesses.
In May, Recorded Future published a study that found an increase in ransomware attacks targeting local municipalities, state government agencies and smaller cities in the U.S. One motivation is money, but the analysis found that many attackers use the publicity generated by these incidents to advertise their malware to other malicious actors (see: Ransomware Increasingly Hits State and Local Governments).
What many of these localized ransomware incidents have in common is that the attackers are taking advantage of poorly secured IT systems and networks as well as organizations that might not have proper back-up and recovery plans, says Richard Gold, head of security engineering at security firm Digital Shadows.
"Ransomware crews, like the ones who have been knocking over local governments in the U.S., have figured out that the sweet spot is to go after poorly protected organizations that likely do not have good backups or an incident response process in place but have enough sensitive data and enough resources to pay up," Gold tells Information Security Media Group.
What makes the Johannesburg situation more alarming than some of these other local examples of ransomware attacks is the real human cost if the utility took a longer time to recover and restore services, Gold says.
"A quick look at Twitter threads show how people are really affected by this outage, including families with small children and other vulnerable populations," Gold says. "However, the city of Johannesburg looks like they're getting on top of it."
By targeting an electrical utility that provides a vital service to city residents, the attackers might have wanted to maximize the pressure on local officials to pay up quickly, says Matt Walmsley, the director of Europe, Middle East and Africa at security firm Vectra.
"We're seeing ransomware becoming a far more focused tactic where cybercriminals take time to profile and target organizations who they believe will have a higher likelihood of paying a meaningful level of ransom," Walmsley tells ISMG. "The broad scope of disruption to City Power's databases and other software, impacting most of their applications and networks suggest that the ransomware was able to very quickly propagate internally without impediment."
Ransomware on the Rise
Over the last several months, ransomware has grown more lucrative
In the second quarter of this year, the average ransom payment increased by 184 percent to $36,295, compared to $12,762 paid out in the first quarter of 2019, according to Coveware, which published a recent study on these types of attacks (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).
That significant increase reflects the growing prevalence of Ryuk and Sodinokibi, two variants of ransomware that attackers have used to increase their demands on victims. These types of ransomware are predominantly used to target larger enterprises, according to Coveware.
That doesn't mean these two variant are the only strains of ransomware threatening organizations.
Earlier this week, cloud-hosting firm iNSYNQ announced that its infrastructure was attacked by a strain of ransomware called MegaCoretx, a new variant that has crippled the company's business operations for over a week (see: iNSYNQ Continues Recovery From MegaCortex Ransomware Attack).