South Africa’s state-owned ports and freight rail operator Transnet that was hit by a cyberattack last week appears to have been targeted with a strain of ransomware called Death Kitty, according to Bloomberg News.

Due to the cyberattack the Johannesburg-based company, which operates major South African ports, including Durban and Cape Town, and a large railway network, was forced to declare “force majeure” and halt operations at container terminals in Durban, Ngqura, Port Elizabeth and Cape Town. At the time, Transnet said it had identified and isolated the cause of disruption to its IT systems, but had not provided any further details.

In a ransom note left on Transnet’s computers, the attackers claimed they encrypted the company’s files, including 1TB of personal data, financial reports and other documents. The note also contained a link to a chat portal on dark web used for negotiations with victims.

According to Adam Meyers, vice-president of intelligence at Crowdstrike, the ransom note left by Transnet attackers is similar to those linked to ransomware strains known as Death Kitty, Hello Kitty, or Five Hands. Earlier this year, the Hello Kitty ransomware was observed in attacks targeting the video game maker CD Project Red and exploiting vulnerabilities in SonicWall appliances.

Meyers said that the hackers behind the Transnet attack were likely of Eastern European or Russian origin, where many ransomware groups are based.

While many ransomware groups advertise their exploits online and post ads to recruit new affiliates on hacker forums, operators behind Death Kitty and its variants mostly keep quiet.

"We have not observed any recruitment or selling of anything consistent with this ransomware, so it is either a closed group or a private service that doesn’t advertise," Meyers said.