A hacker group going by the name of Shadow Kill Hackers has infected the city of Johannesburg’s internal network with ransomware and is holding South Africa’s largest city for ransom.
The hackers are demanding 4 bitcoins to be paid by next Monday, October 28, 5 pm, local time, or they claim they’ll upload the city’s data on the internet.
“Your servers and data have been hacked,” the ransom note reads, according to reports from local media [1, 2, 3, 4] and a screenshot posted on Twitter.
“We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information,” the note said.
Authorities responded by shutting down all the IT infrastructure, such as websites, payment portals, and other e-services. A breach was later confirmed via the city’s official Twitter account.
This is the second time in the past four months that the city’s network was hit by ransomware. In July, hackers installed ransomware on the city power provider’s network, leaving some residents without electricity for days.
Local media also reported that at the same time, several South African banks were hit by cyber-attacks, and their services went down. Standard Bank and Absa were two of the five banks that were attacked by what appeared to be DDoS attacks.
It is unclear if the attacks on the banks were carried out by the same Shadow Kill Hackers group.
As ZDNet reported yesterday, over the past week, financial institutions across the world have been getting hit by DDoS attacks and extortion demands. South Africa was one of the countries affected by these attacks, according to a spokesperson from Group-IB, a cyber-security firm that provides security services to financial institutions. The attacks on the South African banks might be a coincidence, occurring at the same time as the attack on the Johannesburg municipality’s network.
Article updated shortly after publication to reflect that this is a ransomware incident, and not a data breach, as initial evidence suggested.