Industry leaders have warned that the ransomware attack on City Power Johannesburg last week is a further warning to government and corporates that they are not immune to cyberattacks.
The latest attack caused blackouts across the city as cyber criminals took control of the City's power servers, which prevented residents from purchasing electricity.
City Power Johannesburg restored its encrypted servers within hours of the breach being identified. However, experts say it should serve as a warning to other service providers that ransomware can easily debilitate a city: depending on the severity of the attack, it can take days, weeks or months to recover critical data.
Security expert and J2 Software CEO John Mc Loughlin says cities seem to be a preferred target for ransomware nowadays.
“They are often paying criminals millions to recover encrypted critical data in order to quickly restore their services,” he said.
“It is highly recommended that one never pays the ransom because even if one does, there is no guarantee that you will get your information back.
“Regardless, one will have to set up a new system and restore the files that were encrypted. Also remember, with ransomware, the first thing hackers aim to do is to delete backups if they are not segmented from the network.
“Remember, every single recovery method will already be anticipated by the hackers. Although data theft could cause huge damage, there are other threats like ransomware that are more likely and would have a profound effect on any company. Businesses need to assess the kind of attacks that are most probable to hit their networks.”
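Mc Loughlin's point that attackers go for the backups first is something a security operations team can watch for directly. The following is an added example, not code from the article or from J2 Software: a small Python detector run over a handful of constructed, simplified process-creation log lines (timestamp|host|user|command line, loosely modelled on Windows Security event 4688). The rules match commands commonly used by ransomware to destroy shadow copies, the Windows backup catalog and recovery boot options before encryption starts; the host and user names, and the log format itself, are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample events (NOT real logs), reduced to timestamp|host|user|command line.
# The first line is a legitimate scheduled backup; the last is a harmless query.
SAMPLE_EVENTS = """\
2019-07-25T03:12:01Z|prepaid-srv01|SVC_BACKUP|C:\\Windows\\System32\\wbadmin.exe start backup -backupTarget:E: -include:C:
2019-07-25T03:14:44Z|prepaid-srv01|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2019-07-25T03:14:45Z|prepaid-srv01|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete
2019-07-25T03:14:46Z|prepaid-srv01|CORP\\jdoe|C:\\Windows\\System32\\wbadmin.exe delete catalog -quiet
2019-07-25T03:14:47Z|prepaid-srv01|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe /set {default} recoveryenabled No
2019-07-25T03:20:00Z|ws-finance07|CORP\\asmith|C:\\Windows\\System32\\vssadmin.exe list shadows
"""

# Each rule: (name, pattern). Patterns are case-insensitive and tolerate a full path
# before the binary and an optional ".exe" suffix.
BACKUP_TAMPERING_RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit disable recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_event(line: str):
    """Split one constructed log line into its four fields (command may contain '|'-free text only)."""
    ts, host, user, cmd = line.split("|", 3)
    return ts, host, user, cmd


def detect_backup_tampering(events: str) -> List[Alert]:
    """Return one Alert per event whose command line matches a backup-destruction rule."""
    alerts = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = parse_event(line)
        for name, pattern in BACKUP_TAMPERING_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, name, cmd))
                break  # one alert per event is enough
    return alerts


def hosts_with_burst(alerts: List[Alert], min_rules: int = 3) -> List[str]:
    """Hosts on which several *distinct* tampering rules fired.

    A single 'vssadmin delete shadows' can be an admin cleaning up; three or four different
    backup-destruction commands in quick succession is the classic ransomware precursor and
    should page someone before the encryptor runs.
    """
    per_host = {}
    for a in alerts:
        per_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect_backup_tampering(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user}: {a.rule} <- {a.command}")
    print("high-confidence hosts:", hosts_with_burst(found))
```

Feeding real event data in requires only replacing `parse_event` with a parser for the SIEM's own schema; the rules and the per-host burst logic stay the same. Note that the legitimate `wbadmin start backup` and the read-only `vssadmin list shadows` produce no alert, which keeps the rule set quiet on a normally administered server.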
Mike Bergen of GECI, an international tactical cybersecurity specialist company now in South Africa, says that it was only a matter of time before a high-profile cyberattack was launched on a major South African utility or infrastructure provider. “We see these sorts of attacks increasing all around the world, and South Africa is not immune.”
“Cybercrime is a vast and rapidly growing business, tipped to cost businesses and government globally around US$6 trillion by 2021, double what it was in 2015,” explained Bergen.
“It has reached pandemic levels with some 4,000 cyberattacks per day. It’s no longer a question of if an attack will occur, but when one will be hit.”
Bergen believes South African municipalities and utilities may be neglecting basic cybersecurity best practice, which increases their risk exposure.
“Unpatched systems and a tendency to be reactive rather than proactive contribute to their risk – particularly in the area of cybersecurity for Operations Systems (OT),” he said.
Stuart Reed, VP Cyber Security at Nominet, says that identifying malware and phishing attacks on the network early is critical to mitigating the risk of a ransomware attack.
“This needs to be combined with basic cyber hygiene, such as not opening attachments or clicking links unless you know they are legitimate, keeping up-to-date with system patches and current versions of malware protection,” said Reed.
“A layered approach to security, combined with robust backups and a well understood incident response, will be fundamental to combating ransomware attacks.
“And, one thing is for sure, City Power and others in the same position should never consider paying out in a ransomware attack. It’s important we don’t normalise ransomware payments that are ultimately just another method of extortion.”
Meanwhile, Dr. Amin Hasbini, Head of the Global Research & Analysis Team for META at Kaspersky, says that to avoid falling victim to such cyber criminal activity, all organisations should:
- Secure all endpoints
- Apply operating system and application updates as soon as they are available
- Backup data regularly and keep backup drives safe or offline
- Don’t routinely assign staff admin rights on computers; and limit access to data to those who really need it
- Educate staff about the tactics employed by attackers. This includes:
  - Never clicking on unverified links
  - Never opening untrusted emails
  - Only downloading from trusted and verified websites
“It should also be noted that while paying the extorters seems like the best option and easiest path to get the data back, it is never guaranteed that the data will be retrieved,” added Dr. Hasbini.
“There have been cases in the past where the attackers do not restore the data; and other cases where they restore some of the data and then demand further payment before restoring the rest of the data.
“Paying only encourages the cybercriminals to continue to develop ransomware-based attacks.”
Stefan van de Giessen, General Manager: Cybersecurity at value-added distributor Networks Unlimited Africa, says that ongoing vigilance, maintenance of systems and a holistic approach to security remain vital for critical infrastructure entities.
“Security needs to have a layered approach, ensuring each level is protected with effective technology,” he said.
“A systematic, unified, layered posture ensures that all attack vectors are covered. An effective IT security ecosystem involves the holistic consolidation of tools and intelligence, and analytics should feature strongly in the technology deployed to protect the network.
“Building a next-generation security solution should include various products that complement each other, starting with perimeter protection, endpoint and secure email solutions.
“Having these three is a vital start to your security posture. Once your baseline is established, we need to look at how we protect against unknown threats, encryption of your data and ultimately deploy decoys in your network to lure hackers off your network.
“We advise adopting a phased approach to developing a layered posture due to cost and the complexity of management.”
Van de Giessen has outlined a phased approach as follows:
- Investing in a next-gen firewall (NGFW), next-gen antivirus (NGAV) with EDR capabilities and a secure e-mail solution is critical in securing against the most prevalent attacks. It is vital to make sure, when choosing your vendor of choice, that they have been tested by third parties such as Gartner and NSS Labs to ensure security effectiveness.
- Protecting your applications that are Internet facing and transacting with customers online – a web application firewall (WAF) and a secure payment gateway will ensure these applications and websites are protected, and comply with PCI, POPIA and GDPR requirements irrespective of whether these are on premise or in the cloud. Onsite and offsite backups are best practice.
- User education and training is essential in making sure that employees are able to recognise and respond accordingly to suspicious and malicious activity. This also means that any threats which bypass security measures are picked up at the last line of defence.
- Having an advanced threat protection (ATP) strategy has become necessary as malware and threats are evolving constantly, making it hard to rely on a known signature alone. The need to include an ATP product in your security structure is now more relevant than ever to ensure we can stop zero-day attacks.
“It is never easy for an organisation to admit to a cybersecurity breach and we applaud City Power for its honesty in owning up to the reason for their systems outages, as well as for not paying the ransom demanded by the threat actors,” said Van de Giessen.
“At the same time, it should be noted that in being transparent, the organisation also acted according to compliancy principles as outlined by the European Union’s General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (POPIA).
“The phased security posture advice outlined above applies to on premise, cloud and hybrid environments. Additionally, device, operating system, software and policy updates should be carried out regularly and stringently to ensure no vulnerabilities can be exploited.”