A hacker group going by the name of Shadow Kill Hackers is holding South Africa’s largest city for ransom, demanding 4 bitcoins from Johannesburg authorities, or they’ll upload stolen city data on the internet.
The deadline is October 28, 5 pm, local time, according to a message from the hackers.
“Your servers and data have been hacked,” the note reads. “We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.”
The message was discovered on city employee computers, in the form of a logon screen.
Authorities immediately responded by shutting down all the IT infrastructure, such as websites, payment portals, and other e-services. A breach was later confirmed via the city’s official Twitter account.
Initially, employees thought they were the victims of a ransomware attack, like the one that hit the city’s power grid in July, attack that left many without electricity for days. However, it was later discovered that city computers were not encrypted.
Furthermore, the hackers went to Twitter to post screenshots showing that they had access to the city’s Active Directory server, even claiming that they were the ones who took down the website after deactivating the DNS server.
City officials were not available for comment. It is unclear if they intend to pay the ransom demand, estimated at around $30,000. In some interviews, city officials also suggested they would be investigating the incident as the work of a disgruntled current or former city employee.
Unrelated DDoS attacks on local banks
On the same day, local media also reported that several South African banks were hit by cyber-attacks attacks, and their services went down. Standard Bank and Absa were two of the five banks that were attacked by what appeared to be DDoS attacks.
Initially, the attacks were reported as coming from the same group, but Shadow Kill Hackers confirmed on Friday that they were not involved in these unrelated attacks.
As ZDNet reported yesterday, over the past week, financial institutions across the world have been getting hit by DDoS attacks and extortion demands. South Africa was one of the countries affected by these attacks, according to a spokesperson from Group-IB, a cyber-security firm that provides security services to financial institutions. The attacks on the South African banks are most likely a coincidence, happening at the same time with the attack on the Johannesburg municipality’s network, but evidence and statements suggests they are not the work of Shadow Kill Hackers.
Article updated with images of the ransom note and the hackers’ tweets.
Article updated on October 29 to add that city officials have not paid the ransom demand. The hackers have not followed through on their threat to release city files.