City of Joburg says it knows who ransom hack attacker is, refuses to pay off criminals

Hayi wena! Jozi officials claim they’ll have 80% of systems back online as deadline expires

Funzela Ngobeni, a Johannesburg city councillor

Joburg finance chief Funzela Ngobeni

Several hours past the payment deadline, Johannesburg has vowed not to give in to criminal hackers who demanded £29,000 (4 bitcoins) not to publish its data, four days after the South African city shut down its public sector networks in response to the breach.

Several “customer facing systems – including the city’s website, e-services, and billing system[s]” – have remained offline since they were pulled down Thursday night “as a precaution” after a “network intrusion”, which the city first announced just after 11pm local time on 24 October.

In a statement issued this afternoon, city councillor Funzela Ngobeni said: “I can confirm that the city will not concede to their demands and we are confident that we will be able to restore systems to full functionality.”

The ransom demand, for 4 bitcoins, expired at 17:00 local time (15:00 UTC) today.

Ngobeni, the city’s elected finance chief, said that Joburg authorities had managed to switch on some of the city’s billing and CRM systems as well as various others, including library admin and land ownership databases.

“I acknowledge the impact of this on our customers – specifically those who have joined our environmental drive to reduce paper usage by registering to receive their statement by email,” he added.

As reported everywhere last week, a crew calling themselves Shadow Kill Hackers claimed responsibility for the hack, with a ransom note reportedly stating: “We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.”

The hackers threatened to publish data they had stolen from the city’s systems unless their ransom demand was met.

Matthew Aldridge, a senior solutions architect at Webroot, opined that the attackers were probably inexperienced in the arts of criminality, albeit technically skilled enough to break in and help themselves to other people’s data.

He told The Register: “I do find it interesting that the attackers chose not to encrypt any of the City’s systems – that would give them a much stronger hand to play. As things stand, they are relying on having enough backdoors into the network to be sure that they can’t all be closed off before the City brings their systems back online. This could be a sign of an inexperienced or weak adversary.”

Aldridge added: “The comment made by the City that they will be looking for a potential insider threat or disgruntled former employee as part of their investigation could also relate to this.”

Authorities in Joburg, the largest city in South Africa*, also said they “know where the attack (hacker) comes from” as this article was being written, with 80 per cent of systems said to be coming back online by the end of the day.

Infosec biz Emsisoft told The Register that the attack malware might have been custom-made, pointing to the personalised login screen (“quite unusual”, as the firm’s Brett Callow told us) and the fact that the email address in the ransom note wasn’t one they had seen being used elsewhere.

Back in July, Joburg electricity company City Power was infected with ransomware that prevented pre-paid meter customers from topping up online, potentially leaving locals in the dark. ®

* at 1,645 km², it is slighter bigger than Greater London

Sponsored: Technical Overview: Exasol Peek Under the Hood

READ MORE HERE