Ransomware Attacks in South Africa: What You Need to Know

12 Mar, 2022

South Africa is no stranger to ransomware.

According to data from Kaspersky, the country saw more than 12 000 ransomware attacks in just the first half of 2021. The Interpol Cyberthreat Assessment Report places South Africa as the second most targeted country in Africa, with the average cost to remediate a ransomware attack amounting to R6.4 million in 2021.

The business-breaking risks of a ransomware infection are no secret. It can deliver major blows to business continuity, customer satisfaction, shareholder confidence, privacy, and ultimately, your bottom line.

Understanding the real-world impact on other businesses is critical in developing your own strategy of defence and recovery.

In this article, we cover some of the major ransomware attacks to hit South African businesses and organisations since 2017.

Transnet (July 2021)

Extreme downtime and disruption followed a ransomware attack at Transnet, which impacted port and container terminal operations in the country. Transnet declared force majeure and employed manual systems in the processing of ships and import/export containers as critical software was crippled by the ransomware.

Numerous ships and trucks were left idle as cargo could not be processed. The hardest hit was the Port of Durban, which handles 60% of South Africa’s container traffic.

Based on the ransomware note, cybersecurity experts believe that HelloKitty (aka DeathKitty) ransomware was behind the attack. HelloKitty was involved in infrastructure attacks elsewhere, mainly a power plant in Brazil and a hospital in the UK.

In a smart move to contain the ransomware spread, Transnet employees were instructed to shut down all devices connected to the Transnet network and domain, as well as to refrain from accessing emails from their phones and holding meetings on MS Teams. Concerns were raised about the ransomware spreading to SARS and Customs, as their IT systems are linked to Transnet.

Transnet did not pay the undisclosed ransom demand. Many ICT systems and port operations were restored over a week, and the force majeure was lifted thereafter. Two weeks later, Public Enterprises Minister Pravin Gordhan stated that 90% of IT systems were fully recovered and secured.


Debt-IN Consultants (April 2021)

Debt-IN is one of the major debt recovery service providers in the country. In April 2021, the company experienced a ransomware attack. At the time, their cybersecurity investigation concluded that no company data was exposed.

Six months later, however, it was shockingly discovered that approximately 1.4 million personal and consumer records of South Africans were exposed on the dark web, along with voice recordings of calls between Debt-IN agents and financial services customers. This included customers of Absa, Standard Bank, and FNB. The exposed data featured full names, ID numbers, contact details, bank account numbers, and even banking transactional data.

Notably, unlike many other major ransomware attacks in South Africa, the Debt-IN attack also involved data theft. Traditionally, ransomware only encrypted data. But some new variants, such as those from the ransomware families REvil, LockBit, and Ryuk, now steal data before encrypting it. This allows ransomware operators to sell the data and/or threaten victims that their data will be leaked if the ransom is not paid.

Life Healthcare Group (June 2020)

Multiple hospitals under the Life Healthcare Group suffered a ransomware attack amid South Africa’s first Level 4 lockdown.

The ransomware crippled hospital admissions systems, email servers, and business processing structures, such as patient billing and medical aid claims. Hospital and office staff had to implement manual backup measures, which gave rise to obvious business continuity complications and admin delays.

Fortunately, patient care was not affected by the attack.

Disruptions continued for 2-4 weeks until IT systems were fully restored.

Globally, healthcare institutions were prime targets for cybercriminals during the first year of COVID-19. According to a study by IBM Security, cyberattacks (in which ransomware dominated) against medical entities had doubled from 2019.



Tracker South Africa (February 2020)

Tracker, the vehicle tracking and recovery company, was targeted in a ransomware attack which disrupted customer access.

Customers reported difficulty in accessing Tracker services, such as the web app, mobile app, call centre, and emergency line. Not all ICT systems were impacted and the company continued to recover stolen vehicles successfully.

Most systems were restored within several days.

City Power (July 2019)

A major ransomware hit on City Power, the municipal-owned power supplier in Johannesburg, encrypted databases, applications, and the network. This ransomware attack in South Africa also brought down the City Power pre-paid vending system and official website. It prevented customers from purchasing and loading electricity units. Some residents were subsequently left without power.

As a business continuity measure, City Power directed customers to a cellphone app for logging faults. Nonetheless, response to outages was delayed as internal dispatch and ordering systems were also affected by the attack.

External cybersecurity experts were brought in as City Power worked to clean and rebuild impacted applications, which took place gradually over several days.



Telkom (May 2017)

Multiple platforms at Telkom were shut down in a global attack by the WannaCry ransomware cryptoworm. Telkom USSD menus, the mobile app, website, call centre, SMS line, and voicemail systems were inaccessible to users.

WannaCry infected computers by exploiting a security vulnerability in Windows operating systems, primarily Windows 7. Although Microsoft had fixed the vulnerability two months prior, more than 200,000 computers worldwide were not updated timeously, and thus served as an entry point for WannaCry to attack the Telkom company network.

According to a statement by Telkom, systems were restored in several days.

Cybersecurity experts regarded the WannaCry infections of May 2017 as the severest cyber-attack in history. The estimated total losses amounted to $4 billion across more than 150 countries. Besides Telkom, it appears that no other major organisation was affected by the WannaCry ransomware attack in South Africa. Affected corporations abroad include Nissan, Honda, FedEx, Hitachi, Maersk, and Boeing.



Protect Your Business from Ransomware Attacks in South Africa

Concerned about your business?

We’re here to help.

Established in 2008, iSite Computers is a specialist Managed IT Services Provider. Our expert-led cybersecurity team helps small to medium-sized businesses proactively prevent, monitor, and mitigate ransomware threats across their organization.

Start the conversation with us to learn more.

Book a consultation and we’ll assess and discuss your cybersecurity posture for free. Call us directly on 031 812 9650 or email rd@isite.co.za.
