

In a targeted ransomware attack, hackers took down the computer network of the City of Johannesburg, South Africa, on Oct. 24, stealing data from the city and threatening to release it unless a ransom payment is made.
The group behind the attack, going by the name of Shadow Kill Hackers, is demanding a payment of four bitcoin ($39,457) by 5 p.m. local time Monday to prevent the release of the data it has stolen. The group claims the data includes passwords and other sensitive data, such as finance and personal population information.
City of Joburg is HACKED. Time is running out… pic.twitter.com/H1b4vbK7rB
— Shadow Kill Hackers (@ShadowKillGroup) October 25, 2019
According to the ransom note, if the payment is made the data will be destroyed and the group will provide details to Johannesburg’s information technology staff on how it managed to steal the data, plus related security issues on the city’s network.
On the ransomware angle, Johannesburg was attempting to restore critical systems over the weekend, since its call center, website and e-services platform were taken down in the attack. As ZDNet noted, the attack on South Africa’s main financial center, accounting for 16% of the country’s gross domestic product, has also delivered a noticeable blow to the country’s economy.
This isn’t the first attack targeting Johannesburg. City Power, the city-owned electricity provider, was crippled by ransomware in July.
“Extortion is a well-established approach for cybercriminals and is used through tactics that include threatening denial of service, doxing, and ransomware,” Matt Walmsley, EMEA director at threat detection firm Vectra AI Inc., told SiliconANGLE. In this case, he added, the ransom isn’t very high, so it may be aimed at encouraging the city to pay.
“Cybercriminals are increasingly making rational economic decisions around targeting organizations and demand ransom levels that they believe will have a higher likelihood of payment,” Walmsley said. “Cybersecurity teams supporting the city will undoubtedly be working flat-out to confirm the extent of any attack to aid officials in deciding if they should pay.”
Tim Erlin, vice president of product management and strategy at enterprise cybersecurity firm Tripwire Inc., noted that it appears that the city has decided to restore from backup rather than pay the ransom.
“If they’re able to do so effectively, that’s the right path to take,” he said. “For the folks who set up and manage the city’s backups, this is the time where that work pays off.”
The problem with paying a ransom, he added, is that it makes ransomware more attractive to criminals. But, he noted, “it’s always easy to recommend not paying a ransom when it’s not your data or services that are being held hostage.”