[BreachExchange] ‘Death Kitty’ Ransomware Linked to South African Port Attack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 29 11:09:58 EDT 2021


https://finance.yahoo.com/news/death-kitty-ransomware-linked-attack-090000335.html

South Africa’s port and rail company appears to have been targeted with a
strain of ransomware that cybersecurity experts have linked to a series of
high-profile data breaches likely carried out by crime gangs from Eastern
Europe and Russia.

The hackers left a ransom note on Transnet SOC Ltd.’s computers, seen by
Bloomberg News, claiming they encrypted the company’s files, including a
terabyte of personal data, financial reports and other documents. The note
instructed the firm to visit a chat portal on the dark web to enter
negotiations.

A probe into the motive for the attack is still underway, Public
Enterprises Minister Pravin Gordhan said in a statement on Wednesday.
Transnet spokeswoman Ayanda Shezi referred to the minister’s remarks and
declined to comment further.

The cyberattack on July 22 caused the company to declare force majeure at
container terminals and switch to manual processing of cargo. Transnet’s
Durban port alone handles more than half of the nation’s shipments and is
the main gateway for other commodity exporters including the Democratic
Republic of Congo and Zambia.

The disruption follows deadly protests in South Africa earlier this month
that also interrupted operations.

The Transnet ransom note was similar to others seen in recent months,
according to cybersecurity firm Crowdstrike Holdings Inc. It’s linked to
ransomware strains known variously as “Death Kitty,” “Hello Kitty” and
“Five Hands,” said Adam Meyers, vice president of intelligence at
Crowdstrike. Those strains have been observed this year targeting Polish
video game maker CD Projekt and exploiting security vulnerabilities in
SonicWall products.

Many organizations still don’t have a robust cybersecurity risk management
policy, and that means “industries like logistics and critical
infrastructure are vulnerable to attack,” said Lisa Donnan, a partner at
cyber investment group, Option3Ventures. There’s also a global shortage of
cybersecurity workers as incidents are increasing along with the average
ransom price rising to $200,000 from $5,000 in 2018, she said.

‘Ripe Target’

Transnet made for a “ripe target” because its ports are critical to the
country and the broader region, Donnan said in an emailed response to
questions. “Unfortunately, many organizations find out after an attack that
cybersecurity is a business issue not an IT issue,” she said.

The location and identity of the Transnet hackers is unclear. Meyers said
they were likely of Eastern European or Russian origin, where many
ransomware groups are based.

Some advertise their exploits online and use forums on the dark web to hire
hackers to work with them, but the gang associated with “Death Kitty” and
its variants have kept a lower profile, according to Meyers. “We have not
observed any recruitment or selling of anything consistent with this
ransomware, so it is either a closed group or a private service that
doesn’t advertise.”

Transnet has fully restored operations at the nation’s ports after
reinstating its automated terminal-operating system. Other systems are
being brought up in a staggered manner, Gordhan said.