
NCape municipality battles devastating ransomware attack

By Admire Moyo, ITWeb's news editor.
Johannesburg, 03 May 2021

The Nama Khoi Municipality in the Northern Cape Province is struggling to restore IT systems that were hit by a ransomware attack last year.

This was revealed by the municipality’s chief information officer, Brandon Love, in an e-mail interview with ITWeb.

According to Love, on Wednesday, 9 December 2020, the municipality’s ICT systems were compromised by a ransomware virus infection.

He notes the virus, known as Pysa, is a file-encrypting ransomware virus, developed during the COVID-19 pandemic to target local government systems and healthcare systems.

“The said ransomware has completely encrypted all digitally stored information on the municipality’s ICT systems. The result is that all information stored on the ICT networks is inaccessible,” he says.

“All ICT systems were compromised, which include domain services, prepaid electricity services, geographical information systems, anti-virus systems and document management systems; all user data and virtual machines were encrypted.”

He notes that as a result of the encryption, all information stored on the ICT networks, including the online data storage and backups, was inaccessible.

Brandon Love, chief information officer of Nama Khoi Municipality.

However, Love says the attackers have not yet demanded any ransom from the municipality.

“The municipality did not pay any ransom, and is not planning to do so. We will use the backups available to restore infected information.”

The municipality has done a forensic investigation into the cause and is currently busy with the rebuild of the entire ICT environment, says Love.

“We have also noticed that the virus is targeting government sectors, with the focus on the healthcare sector. We have further also noticed that not much information regarding this ransomware is available on the Internet, and thus would like to use all possible platforms to share our dreadful experience in an attempt to create awareness regarding this ransomware and warn the rest of the sectors within government.

“It was furthermore noticed that the ransomware has infected various other government sectors throughout the world.”

Love says that during the course of the forensic investigation, batch (.bat) files were observed which the perpetrators used to launch another attack on a secondary target site, located in the US.

He explains that the user credentials listed within these files contained a 15-character password consisting of random characters, special characters and numeric values.

Based on this information, Love notes it is suspected that the administrative credentials used during the attack were harvested from the cached credentials stored in memory.

“The ransomware which was deployed during the attack was identified as part of the Mespinoza/Pysa ransomware family. The Mespinoza ransomware was first identified in October 2018. Since December 2019, a new version of Mespinoza was observed. This variant is often called Pysa because it produces encrypted files with the ‘.pysa’ file extension.”

From the attack, access to prepaid electricity services was unavailable for a period of five days.

The municipality was also unable to issue free electricity to indigents during the month of January, but was able to compensate them afterwards.

Nonetheless, Love says the most critical services have been restored to a certain extent to ensure the continuation of service delivery.

“Other services are in the process of being restored. Business continuity and high availability of ICT services have formed the basis of our architectural design, based on the impact the ransomware infection had on the operations of the municipality.”

Love believes all services will be restored during the second week of May.

“The reason for this was the delay caused by COVID-19, because hardware had to be imported due to lack of availability in SA.”