Johannesburg's City Power, the municipal entity delivering power to the South African financial hub, was hit with a ransomware attack that encrypted its network, databases, and applications.
The attack struck Thursday morning and prevented residents from buying electricity, uploading invoices, or accessing the City Power website. Officials said it also affected response time to logged calls, as some of the internal systems to dispatch and order material were slowed down.
"Ransomware virus is known globally to be operated by syndicates seeking to solicit money," the City of Joburg tweeted after the attack. "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quickly." The city, which owns City Power, notes there was no personal data compromised in the attack.
Johannesburg implemented temporary measures to help those affected. Suppliers seeking to submit invoices were told to bring them to City Power offices; customers were asked to log calls on their cellphones using the mobile site, as they couldn't access the utility's website. Residents called a local radio station to say the attack had left them without power, Reuters reports.
At the time of the attack, City Power spokesperson Isaac Mangena said to News24 that cold weather could lead to unplanned outages, as the electrical system overloads with higher demand. Plans were in place to deal with unplanned outages, he added; City Power had sent more technicians to regions of the city where unplanned, repeated outages frequently occur.
City Power and Johannesburg officials have been regularly posting updates to both entities' Twitter accounts; the City of Joburg most recently reported most of the IT applications and network affected by the attack "have been cleaned up and restored."
Johannesburg joins a growing number of cities targeted with ransomware as criminals take aim at municipalities around the world. Other victims include Baltimore, Atlanta, and Riviera Beach, Florida. While security experts typically recommend not paying ransom — and US mayors have committed to follow their advice — unprepared victims may have no choice. Riviera Beach recently paid $600,000 to its attackers, a decision that could potentially have "far-reaching consequences," said Ilia Kolochenko, founder and CEO of security company ImmuniWeb.
Kolochenko anticipates attacks like these will continue. "Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber gangs," he says. "These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive." What's more, he adds, is cryptocurrencies can't be traced back to the attackers; as a result, most get away with it.
Cybercriminals are taking the time to profile and target entities that are more likely to pay more money, says Matt Walmsley, Vectra's director of EMEA. City Power was an appealing target: The broad scope of disruption to its databases and other software, affecting most its applications and networks, suggests ransomware was able to quickly spread throughout the organization.
"The disruption to their services, as well as consumer backlash, will further compound the pressure on City Power's IT and security teams to rapidly restore systems to a known good condition from backups, or chance of paying the ransom," Walmsley explains.
Kolochenko also notes the risk of dangerous ransomware attacks will grow unless governments develop and enforce security regulations to protect their cities. Humans feel very real effects of ransomware in incidents like these: Following the City Power attack, Twitter posts reflected the struggles of individuals and families who found themselves without power. Future incidents could affect airports, for example, and other components of critical infrastructure.