The city of Johannesburg, South Africa, has been hit again by a massive cyber attack that has crippled municipal, utility, health and several other services throughout a significant part of the city. The city, home to over 5 million citizens, reportedly lost a massive amount of sensitive data associated with its citizens and had to shut down its entire e-service system for several days, depriving its highly tech-savvy metropolitan citizens of all of its e-services.

It is the second time this year that the city’s public service system has suffered a massive cyber attack. Last July, Johannesburg’s power delivery system was struck, causing a power outage for hundreds of thousands of people for several days.

The news first broke on Oct 24, when the City of Johannesburg announced on its official Twitter account that an intrusion had been detected, causing unauthorized access to its information system.

The city immediately shut down access to its online services, including the city’s website, e-services and SAP-based CRM billing system.

A hacker group called Shadow Kill Hackers has claimed responsibility for the attack and has demanded a ransom of 4 bitcoins. The amount had to be paid by Oct 28th, 17:00 local time. “We also compromised all passwords and sensitive data such as finance and personal population information,” according to the ransom note left by the attackers.

The Original Note Left By The Attackers As Seen On The Computers Of The Municipality Of Johannesburg

The message was discovered on city employee computers, in the form of a logon screen. As evidence of the compromise, the Shadow Kill Hackers group posted a screenshot on Twitter showing that they had access to the city’s Active Directory server.

The City of Johannesburg acknowledged the seriousness of the attack but refused to pay the ransom. “The City of Johannesburg can confirm that the recent cyberattack on our ICT systems have had a significant impact on our ability to deliver services to our residents,” City Councillor Funzela Ngobeni said in a statement that was published on Facebook on Monday, notably also the ransom deadline set by the hackers (Oct. 28). “I can confirm that the City will not concede to their demands and we are confident that we will be able to restore systems to full functionality.”

By Monday the city had managed to restore most of the customer-facing systems: Billing (SAP ISU and CRM), Land Information System, eHealth and Libraries services, and Property Valuation System, according to the statement. However, citizens complained of several malfunctions, including denial of account access.

Victims are usually left with two options in this kind of situation: paying the ransom in the expectation that the hackers will live up to their promise, or restoring the system from backup data. The city has possibly chosen the former option, possibly ending up losing more money than it would have with the other.

The incidents in Johannesburg highlight the grim state of cyber security and disaster handling mechanisms at municipalities and other public service organizations. The municipality may play the innocent victim of the targeted attack; however, it should not get away with not having a proper security and information backup management system in place. The organization must start planning now to outsmart the evolving ransomware threat landscape; otherwise larger disasters will keep occurring with increasing frequency and greater damage.