Ransomware has been a plague on the private sector for years now, but the past year has seen a sharp increase in attacks on municipalities. These ransomware attacks on cities have tended to be focused on small targets that do not have the IT budget to defend themselves adequately. A crippling attack on South Africa’s largest city may be an indication that cyber criminals are getting bolder and more sophisticated in their campaigns against municipal targets.
With a total population of over nine million people, Johannesburg is considered one of the major nodes in the global economic network and is the country’s center of commerce. The city had already fallen victim to a ransomware attack in July, which left some residents without power for days in the midst of winter. Johannesburg is once again being held for ransom, with hackers this time compromising the city’s entire IT infrastructure.
A total compromise of Johannesburg’s entire municipal network
Johannesburg city employees logged into their workstations on October 24th to find a ransom note waiting for them:
“All of your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We can shut off everything with a button. We also compromised all passwords and sensitive data such as finance and personal population information.”
The hacking group, which calls itself “Shadow Kill Hackers,” demanded a ransom of four bitcoin (about $36,000). The group threatened to make the city’s stolen personal data available to the public on the internet.
The attack differs from the standard ransomware attacks on cities, which usually involve phishing an employee into downloading malware that encrypts the vital contents of the network and demands payment in return for the password. In this case, the hackers posted screenshots on Twitter demonstrating that they had access to the city’s Active Directory server and that they had taken down the city’s website for a period of time.
The claims about the stolen city data have not been verified, but Johannesburg officials shut down the city’s IT infrastructure in response and have opened an investigation. An official commented that the hack may be the work of a disgruntled former employee. Johannesburg residents were left unable to access e-services during the investigation, but were able to pay municipal bills online via third-party services.
Ongoing attacks on Johannesburg
This is not the first or only cyber incident for the city of Johannesburg in 2019.
The previous attack on Johannesburg was a deployment of more traditional ransomware, encrypting the servers of utility company City Power. Citizens were unable to purchase pre-paid electricity or sell back power generated from their solar panels during the outage.
As this more recent attack was occurring, some of the city’s banks were also experiencing heavy distributed denial of service (DDoS) attacks. These were not connected to the Shadow Kill Hackers attack, and are instead believed to be part of an international campaign also targeting banks in a number of other countries.
Ransomware attacks on cities in 2019
The attack in June on Johannesburg reflects a general trend of utility companies being targeted in municipal attacks.
Why utility companies? One managed service provider often handles items like billing for multiple locations. If an attacker compromises the service provider, they also compromise every locality that vendor services. Utility companies need to provide online payment services for residents of the town or city to pay their monthly bills. Vital services that cannot tolerate long periods of disruption, such as hospitals, are also a popular target.
Such was the case in Texas this August, when 22 ransomware attacks on cities occurred. The coordinated ransomware attack appears to have originated from a single threat actor. The attacker asked for varying ransoms to decrypt municipal systems, up to $2.5 million in one case. The attacks were traced back to the compromise of a third-party software vendor used for billing services in the Texas towns that were attacked.
Most of the ransomware attacks on cities in the first half of 2019 happened in America. Baltimore, Albany and Tallahassee were among the bigger cities hit by these cyber attacks, as well as Cleveland’s Hopkins International Airport. Brett Callow, PR at Emsisoft, believes that criminal preference may now be shifting to other countries:
“There seems to have been a decline in attacks on US-based organizations in recent weeks and a simultaneous uptick in attacks on municipalities, hospitals and schools in other countries (South Africa, Spain, Canada, Australia, UK). That may or may not be a coincidence, but it certainly seems that big game hunters are increasingly looking for opportunities outside the US.”
Ransomware attacks on cities are almost exclusively financially motivated, with the attackers looking for targets that are susceptible and also have enough wherewithal to pay a ransom demand. Though some American municipalities have disregarded the advice, government agencies such as the Secret Service and FBI have advised that victims not pay the ransom demand.
How cities cope with ransomware
Tim Erlin, VP, product management and strategy at Tripwire, comments:
“It appears that the city (Johannesburg) has decided to restore from backup rather than pay the ransom. If they’re able to do so effectively, that’s the right path to take. For the folks who set up and manage the city’s backups, this is the time where that work pays off.
“When victims pay the ransom, it makes ransomware a more attractive means of cashing in for criminals.
“It’s always easy to recommend not paying a ransom when it’s not your data or services that are being held hostage.”
Ransomware attacks on cities are relatively easy to recover from if prepared for in advance, but nearly impossible if those preparations have not been made. In spite of advice from authorities, cities are often left with no resort but to pay the ransom and hope for the best when they do not have an adequate backup system in place.
All types of organizations need to be wary of shady “ransomware recovery firms” that will merely charge their clients a large fee and then use a portion of it to pay the ransom. While some cybersecurity firms may have resources to at least attempt to break encryption, it is very unlikely it will work unless the attackers have been sloppy.
The only real and reliable answer to the threat of ransomware attacks on cities is the practice of regular backups. Ideally, this means “snapshot” images of entire computer systems taken every few hours, combined with regular file-level backups, all sent to both a local drive and a secure cloud storage solution.
Of course, this can be cost-prohibitive – particularly for small city governments that might not even have their own independent budgets for IT security. The long-term costs of being hit by ransomware often vastly outweigh the usual pennies-per-gigabyte cost of implementing adequate security measures, however. For example, when faced with a $51,000 ransomware demand in 2018, the city of Atlanta opted not to pay – and then spent over 10 million dollars attempting to recover.