[BreachExchange] City of Joburg says it knows who ransom hack attacker is, refuses to pay off criminals

Destry Winant destry at riskbasedsecurity.com
Tue Oct 29 10:03:22 EDT 2019


https://www.theregister.co.uk/2019/10/28/johannesburg_ransomware_payment_demand_refused/

Several hours past the payment deadline, Johannesburg has vowed not to
give in to criminal hackers who demanded £29,000 (4 bitcoins) not to
publish its data, four days after the South African city shut down its
public sector networks in response to the breach.

Several "customer facing systems – including the city's website,
e-services, and billing system[s]" – have remained offline since they
were pulled down Thursday night "as a precaution" after a "network
intrusion", which the city first announced just after 11pm local time
on 24 October.

In a statement issued this afternoon, city councillor Funzela Ngobeni
said: "I can confirm that the city will not concede to their demands
and we are confident that we will be able to restore systems to full
functionality."

The ransom demand, for 4 bitcoins, expired at 17:00 local time (15:00
UTC) today.

Ngobeni, the city's elected finance chief, said that Joburg
authorities had managed to switch on some of the city's billing and
CRM systems as well as various others, including library admin and
land ownership databases.

"I acknowledge the impact of this on our customers – specifically
those who have joined our environmental drive to reduce paper usage by
registering to receive their statement by email," he added.

As reported everywhere last week, a crew calling themselves Shadow
Kill Hackers claimed responsibility for the hack, with a ransom note
reportedly stating: "We have control of everything in your city. We
also compromised all passwords and sensitive data such as finance and
personal population information."

The hackers threatened to publish data they had stolen from the city's
systems unless their ransom demand was met.

Matthew Aldridge, a senior solutions architect at Webroot, opined that
the attackers were probably inexperienced in the arts of criminality,
albeit technically skilled enough to break in and help themselves to
other people's data.

He told The Register: "I do find it interesting that the attackers
chose not to encrypt any of the City's systems – that would give them
a much stronger hand to play. As things stand, they are relying on
having enough backdoors into the network to be sure that they can't
all be closed off before the City brings their systems back online.
This could be a sign of an inexperienced or weak adversary."

Aldridge added: "The comment made by the City that they will be
looking for a potential insider threat or disgruntled former employee
as part of their investigation could also relate to this."

Authorities in Joburg, the largest city in South Africa*, also said
they "know where the attack (hacker) comes from" as this article was
being written, with 80 per cent of systems said to be coming back
online by the end of the day.

Infosec biz Emsisoft told The Register that the attack malware might
have been custom-made, pointing to the personalised login screen
("quite unusual", as the firm's Brett Callow told us) and the fact
that the email address in the ransom note wasn't one they had seen
being used elsewhere.

Back in July, Joburg electricity company City Power was infected with
ransomware that prevented pre-paid meter customers from topping up
online, potentially leaving locals in the dark. ®

* at 1,645 km², it is slightly bigger than Greater London
