30 July 2021

Death Kitty ransomware reportedly behind the attack on South African ports


Death Kitty ransomware reportedly behind the attack on South African ports

South Africa’s state-owned ports and freight rail operator Transnet that was hit by a cyberattack last week appears to have been targeted with a strain of ransomware called Death Kitty, according to Bloomberg News.

Due to the cyberattack the Johannesburg-based company, which operates major South African ports, including Durban and Cape Town, and a large railway network, was forced to declare “force majeure” and halt operations at container terminals in Durban, Ngqura, Port Elizabeth and Cape Town. At the time, Transnet said it had identified and isolated the cause of disruption to its IT systems, but had not provided any further details.

In a ransom note left on Transnet’s computers, the attackers claimed they encrypted the company’s files, including 1TB of personal data, financial reports and other documents. The note also contained a link to a chat portal on dark web used for negotiations with victims.

According to Adam Meyers, vice-president of intelligence at Crowdstrike, the ransom note left by Transnet attackers is similar to those linked to ransomware strains known as Death Kitty, Hello Kitty, or Five Hands. Earlier this year, the Hello Kitty ransomware was observed in attacks targeting the video game maker CD Project Red and exploiting vulnerabilities in SonicWall appliances.

Meyers said that the hackers behind the Transnet attack were likely of Eastern European or Russian origin, where many ransomware groups are based.

While many ransomware groups advertise their exploits online and post ads to recruit new affiliates on hacker forums, operators behind Death Kitty and its variants mostly keep quiet.

"We have not observed any recruitment or selling of anything consistent with this ransomware, so it is either a closed group or a private service that doesn’t advertise," Meyers said.


Back to the list

Latest Posts

Cyber Security week in review: December 2, 2022

Cyber Security week in review: December 2, 2022

The world in brief: Samsung, LG, Mediatek certificates used to sign Android malware, researchers detail new exploit framework, and more.
2 December 2022
Security researchers unintentionally crash KmsdBot botnet

Security researchers unintentionally crash KmsdBot botnet

The malware lacked an error-checking mechanism, which allowed the researchers to deactivate it.
1 December 2022
New Heliconia framework exploits n-day flaws in Chrome, Firefox and Microsoft Defender

New Heliconia framework exploits n-day flaws in Chrome, Firefox and Microsoft Defender

The researchers have linked the framework to a Spain-based software company.
1 December 2022