30 July 2021

Death Kitty ransomware reportedly behind the attack on South African ports


Death Kitty ransomware reportedly behind the attack on South African ports

South Africa’s state-owned ports and freight rail operator Transnet that was hit by a cyberattack last week appears to have been targeted with a strain of ransomware called Death Kitty, according to Bloomberg News.

Due to the cyberattack the Johannesburg-based company, which operates major South African ports, including Durban and Cape Town, and a large railway network, was forced to declare “force majeure” and halt operations at container terminals in Durban, Ngqura, Port Elizabeth and Cape Town. At the time, Transnet said it had identified and isolated the cause of disruption to its IT systems, but had not provided any further details.

In a ransom note left on Transnet’s computers, the attackers claimed they encrypted the company’s files, including 1TB of personal data, financial reports and other documents. The note also contained a link to a chat portal on dark web used for negotiations with victims.

According to Adam Meyers, vice-president of intelligence at Crowdstrike, the ransom note left by Transnet attackers is similar to those linked to ransomware strains known as Death Kitty, Hello Kitty, or Five Hands. Earlier this year, the Hello Kitty ransomware was observed in attacks targeting the video game maker CD Project Red and exploiting vulnerabilities in SonicWall appliances.

Meyers said that the hackers behind the Transnet attack were likely of Eastern European or Russian origin, where many ransomware groups are based.

While many ransomware groups advertise their exploits online and post ads to recruit new affiliates on hacker forums, operators behind Death Kitty and its variants mostly keep quiet.

"We have not observed any recruitment or selling of anything consistent with this ransomware, so it is either a closed group or a private service that doesn’t advertise," Meyers said.


Back to the list

Latest Posts

ShadowSyndicate ransomware group targeting Aiohttp flaw

ShadowSyndicate ransomware group targeting Aiohttp flaw

Organizations are urged to update to Aiohttp v3.9.
18 March 2024
The International Monetary Fund discloses cyberattack affecting 11 email accounts

The International Monetary Fund discloses cyberattack affecting 11 email accounts

The organization did not share any additional details regarding the nature of the attack.
18 March 2024
E-Root Marketplace operator sentenced to 3.5 years in prison

E-Root Marketplace operator sentenced to 3.5 years in prison

It is estimated that over 350,000 compromised credentials were listed for sale on the E-Root Marketplace.
18 March 2024