Cybergangs continually look for new ways to make their ransomware campaigns more effective, but sometimes they just seem to fall in their lap. Learn how ransomware attacks in South Africa’s largest city, Johannesburg, eventually led to a new extortion tactic that is already paying off.
“Oh no, not again” was likely uttered by many Johannesburg residents when they received a tweet from city officials on October 24, 2019. The tweet informed them that the city’s computer systems had been breached — again. Three months earlier, cybercriminals had hacked into the systems in CityPower — a prepaid electricity provider owned by the city municipality — and infected them with ransomware.
The July and October attacks on Johannesburg’s computer systems show how diverse ransomware attacks can be. They also demonstrate how cybercriminals learn from each other and how they are continually adapting their tools and techniques.
A Tale of Two Attacks
The July Johannesburg attack was a classic ransomware campaign. The cybercriminals deployed ransomware that encrypted all of CityPower’s systems, including databases and applications. The cybercriminals then delivered their demands in a typical ransom note. Like most ransomware victims, CityPower was tight-lipped about the specifics of the attack. It did not provide any information about the attackers’ identities, how much money they demanded, or whether it paid the ransom. The attackers did not offer up this information, either.
The October attack was far from ordinary. A cybergang called “Shadow Kill Hackers” took credit for hacking into the city’s and CityPower’s systems and stealing data from them. However, the cybergang did not encrypt the systems and data afterward.
With no decryption key to dangle in front of the victims, the cybergang resorted to intimidation to get the city to pay up. It threatened to upload the stolen personal and financial data to the Internet if Johannesburg failed to pay the ransom of 4 bitcoins (about $47,500 USD). The ransom note used to give this ultimatum had a very menacing tone. In one part, it stated “All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We can shut off everything with a button. We also compromised all passwords and sensitive data such as finance and personal population information.”
Interestingly, the Shadow Kill Hackers came up with an unconventional way to get its ransom note noticed. It incorporated the note into the login screens on employees’ computers.
Despite the threats, Johannesburg refused to pay the ransom. Fortunately, the Shadow Kill Hackers never posted the personal and financial data of Johannesburg’s residents on the Internet.
Failed Extortion Tactic Gets a Second Chance
Although the Shadow Kill Hackers were unsuccessful at getting Johannesburg to pay the ransom, their tactic of stealing data from the victim and then threatening to share it with the world caught the attention of a ransomware gang known as the Maze crew. This gang began using the steal-and-share tactic in its ransomware attacks in November 2019. The crew made several adaptations that have greatly improved the tactic’s effectiveness:
- The Maze crew uses the steal-and-share tactic only if a victim doesn’t pay the ransom by the specified deadline. Encrypting the victim’s files and ransoming the decryption key is still the primary extortion scheme.
- The Maze crew publishes a small portion of the stolen data and then threatens to post the rest of it if the ransom is not paid. Besides demonstrating that they are not bluffing, this provides a show of force. It also adds social pressure, because customers, suppliers, and others might find out about the attack if the data is published. Sometimes the Maze crew even tells the news media about its threats and informs the victims that it has done so, to exert extra pressure on them.
“Today it isn’t uncommon to hear of a ransomware victim being extorted into paying a ransom under threat of data exposure,” said John Shier, a senior security expert at Sophos. “While it’s still too early to determine if this form of social pressure will be more profitable than more traditional methods, it has heralded a new era in ransomware where social pressure and shaming is being used to increase the attackers’ bottom line.”
JavaScript source code ransomware flickr photo by Christiaan Colen shared under a Creative Commons (BY-SA) license