30 July 2021

Death Kitty ransomware reportedly behind the attack on South African ports


Death Kitty ransomware reportedly behind the attack on South African ports

South Africa’s state-owned ports and freight rail operator Transnet that was hit by a cyberattack last week appears to have been targeted with a strain of ransomware called Death Kitty, according to Bloomberg News.

Due to the cyberattack the Johannesburg-based company, which operates major South African ports, including Durban and Cape Town, and a large railway network, was forced to declare “force majeure” and halt operations at container terminals in Durban, Ngqura, Port Elizabeth and Cape Town. At the time, Transnet said it had identified and isolated the cause of disruption to its IT systems, but had not provided any further details.

In a ransom note left on Transnet’s computers, the attackers claimed they encrypted the company’s files, including 1TB of personal data, financial reports and other documents. The note also contained a link to a chat portal on dark web used for negotiations with victims.

According to Adam Meyers, vice-president of intelligence at Crowdstrike, the ransom note left by Transnet attackers is similar to those linked to ransomware strains known as Death Kitty, Hello Kitty, or Five Hands. Earlier this year, the Hello Kitty ransomware was observed in attacks targeting the video game maker CD Project Red and exploiting vulnerabilities in SonicWall appliances.

Meyers said that the hackers behind the Transnet attack were likely of Eastern European or Russian origin, where many ransomware groups are based.

While many ransomware groups advertise their exploits online and post ads to recruit new affiliates on hacker forums, operators behind Death Kitty and its variants mostly keep quiet.

"We have not observed any recruitment or selling of anything consistent with this ransomware, so it is either a closed group or a private service that doesn’t advertise," Meyers said.


Back to the list

Latest Posts

Windows MSHTML bug used in ransomware attacks, Microsoft says

Windows MSHTML bug used in ransomware attacks, Microsoft says

According to the Windows maker, in the wild exploitation of CVE-2021-40444 began on August 18.
17 September 2021
State-backed hackers actively exploiting recently disclosed Zoho RCE bug

State-backed hackers actively exploiting recently disclosed Zoho RCE bug

The targeted entities include academic institutions, defense contractors, as well as critical infrastructure entities.
17 September 2021
Free REvil/Sodinokibi ransomware universal decryptor released

Free REvil/Sodinokibi ransomware universal decryptor released

The tool works for all REvil victims whose files were encrypted in attacks prior to July 13, 2021.
17 September 2021
Featured vulnerabilities
Multiple vulnerabilities in cflinuxfs3
Medium Patched | 17 Sep, 2021
Information disclosure in cflinuxfs3
Medium Patched | 17 Sep, 2021
Information disclosure in Git
Medium Patched | 17 Sep, 2021
Multiple vulnerabilities in GLPI
Medium Patched | 17 Sep, 2021
Multiple vulnerabilities in cflinuxfs3
Medium Patched | 17 Sep, 2021