Johannesburg Ransomware Attack Leaves Residents in the Dark

The virus affected the network, applications, and databases at City Power, which delivers electricity to the South African financial hub.

Kelly Sheridan, Former Senior Editor, Dark Reading

July 25, 2019

4 Min Read

Johannesburg's City Power, the municipal entity delivering power to the South African financial hub, was hit with a ransomware attack that encrypted its network, databases, and applications.

The attack struck Thursday morning and prevented residents from buying electricity, uploading invoices, or accessing the City Power website. Officials said it also affected response time to logged calls, as some of the internal systems to dispatch and order material were slowed down.

"Ransomware virus is known globally to be operated by syndicates seeking to solicit money," the City of Joburg tweeted after the attack. "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quickly." The city, which owns City Power, notes there was no personal data compromised in the attack.

Johannesburg implemented temporary measures to help those affected. Suppliers seeking to submit invoices were told to bring them to City Power offices; customers were asked to log calls on their cellphones using the mobile site, as they couldn't access the utility's website. Residents called a local radio station to say the attack had left them without power, Reuters reports.

At the time of the attack, City Power spokesperson Isaac Mangena said to News24 that cold weather could lead to unplanned outages, as the electrical system overloads with higher demand. Plans were in place to deal with unplanned outages, he added; City Power had sent more technicians to regions of the city where unplanned, repeated outages frequently occur.

City Power and Johannesburg officials have been regularly posting updates to both entities' Twitter accounts; the City of Joburg most recently reported most of the IT applications and network affected by the attack "have been cleaned up and restored."

Johannesburg joins a growing number of cities targeted with ransomware as criminals take aim at municipalities around the world. Other victims include Baltimore, Atlanta, and Riviera Beach, Florida. While security experts typically recommend not paying ransom — and US mayors have committed to follow their advice — unprepared victims may have no choice. Riviera Beach recently paid $600,000 to its attackers, a decision that could potentially have "far-reaching consequences," said Ilia Kolochenko, founder and CEO of security company ImmuniWeb.

Kolochenko anticipates attacks like these will continue. "Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber gangs," he says. "These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive." What's more, he adds, is cryptocurrencies can't be traced back to the attackers; as a result, most get away with it.

Cybercriminals are taking the time to profile and target entities that are more likely to pay more money, says Matt Walmsley, Vectra's director of EMEA. City Power was an appealing target: The broad scope of disruption to its databases and other software, affecting most its applications and networks, suggests ransomware was able to quickly spread throughout the organization.

"The disruption to their services, as well as consumer backlash, will further compound the pressure on City Power's IT and security teams to rapidly restore systems to a known good condition from backups, or chance of paying the ransom," Walmsley explains.

Kolochenko also notes the risk of dangerous ransomware attacks will grow unless governments develop and enforce security regulations to protect their cities. Humans feel very real effects of ransomware in incidents like these: Following the City Power attack, Twitter posts reflected the struggles of individuals and families who found themselves without power. Future incidents could affect airports, for example, and other components of critical infrastructure.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights