Johannesburg - An email attachment harbouring a malicious file is what crashed City Power’s IT system, and experts fear more South African companies will face similar attacks with public data being compromised.
By Friday afternoon, Joburg’s power utility was still trying to restore its IT applications and networks following a ransomware attack at midnight on Wednesday, just before pay day.
City Power’s website was still down, preventing customers from logging electrical faults and suppliers from submitting invoices. Suppliers had to physically travel to City Power head office in Booysens and hand over invoices.
“Our experts have been working day and night and we are expecting that everything will be back online by Saturday evening (tonight),” said spokesperson Isaac Mangena, adding that this was the first time his company had experienced such an attack.
But while this might be City Power’s first experience of a ransomware attack, experts say they are becoming increasingly common in South Africa, and most are hidden from the public.
“Companies don’t have to disclose such attacks and most do on an ad hoc basis. There may be a lot more ransom or malware attacks on state entities, but they are not disclosed because, obviously, from a reputation perspective you would rather not let people know there has been a data breach,” said Zamani Ngidi, principal cyber risk consultant at Aon South Africa.
“South Africa is in the top three for data breaches.”
Cybercrimes expert Jacques van Heerden agreed, and said he knows of other government departments that have suffered ransomware attacks.
His concern is that the criminals who launched the attack on City Power might still have access to its systems.
“You don’t know how the attackers came in and you don’t know what data the attacker got their hands on,” said Van Heerden.
The usual modus operandi of a ransomware attacker is to send an infected file, usually as an email attachment.
Once the malware infects the IT system, it encrypts files. The criminals will then get in contact and offer to send the encryption key for a fee.
The criminals usually ask for payment in cryptocurrency, such as bitcoin, which is hard to track. The attackers are invariably in another country, which makes them hard to find and prosecute.
Often the ransom isn’t that high, and many companies prefer to pay it rather than spend more on recovering the files.
There is, however, a catch.
Van Heerden knows of instances where companies have paid the ransom, only to be hit a week later.
“It is either you pay the ransom or you close the company down.”
Soon, the new Cybercrime Bill will assist law enforcement in combating ransomware attacks, by making it compulsory for companies to report if they were victims of such crimes.
“In South Africa, because we are not as robust or up to standard as other countries, and because of our lack of regulation, the chances of catching these criminals are low,” said Ngidi.
City Power’s security teams are investigating the origins of the attack and will be implementing measures to prevent a similar attack from happening again.
Mangena said a ransom was demanded, but would not say what the figure was.
The teams are also being assisted by outside cyber security experts.
“The team is also receiving assistance from several national security agencies who view this as a national cyber threat,” said Mangena.
But it is not going to be long before there is another attack on another state institution and another ransom demanded, believes Van Heerden.
“The problem is that it is not going to stop soon.”