30 July 2021

Death Kitty ransomware reportedly behind the attack on South African ports


Death Kitty ransomware reportedly behind the attack on South African ports

South Africa’s state-owned ports and freight rail operator Transnet that was hit by a cyberattack last week appears to have been targeted with a strain of ransomware called Death Kitty, according to Bloomberg News.

Due to the cyberattack the Johannesburg-based company, which operates major South African ports, including Durban and Cape Town, and a large railway network, was forced to declare “force majeure” and halt operations at container terminals in Durban, Ngqura, Port Elizabeth and Cape Town. At the time, Transnet said it had identified and isolated the cause of disruption to its IT systems, but had not provided any further details.

In a ransom note left on Transnet’s computers, the attackers claimed they encrypted the company’s files, including 1TB of personal data, financial reports and other documents. The note also contained a link to a chat portal on dark web used for negotiations with victims.

According to Adam Meyers, vice-president of intelligence at Crowdstrike, the ransom note left by Transnet attackers is similar to those linked to ransomware strains known as Death Kitty, Hello Kitty, or Five Hands. Earlier this year, the Hello Kitty ransomware was observed in attacks targeting the video game maker CD Project Red and exploiting vulnerabilities in SonicWall appliances.

Meyers said that the hackers behind the Transnet attack were likely of Eastern European or Russian origin, where many ransomware groups are based.

While many ransomware groups advertise their exploits online and post ads to recruit new affiliates on hacker forums, operators behind Death Kitty and its variants mostly keep quiet.

"We have not observed any recruitment or selling of anything consistent with this ransomware, so it is either a closed group or a private service that doesn’t advertise," Meyers said.


Back to the list

Latest Posts

Turla APT targets entities in US, Germany and Afghanistan with new backdoor

Turla APT targets entities in US, Germany and Afghanistan with new backdoor

The TinyTurla backdoor is used to maintain access to the target system even if the primary malware is discovered and removed.
22 September 2021
Microsoft shares details on huge BulletProofLink PHaaS

Microsoft shares details on huge BulletProofLink PHaaS

BulletProofLink has been active since 2018 and is currently advertised on underground hacker forums.
22 September 2021
US Treasury sanctions Suex cryptocurrency exchange linked to ransomware operations

US Treasury sanctions Suex cryptocurrency exchange linked to ransomware operations

The Treasury Department said that over 40 percent of Suex known transactions is associated with illegal activity.
22 September 2021