Downtime across several Telkom systems, including its call centre, is due to a ransomware attack, MyBroadband has learned from sources.
Staff working remotely are also unable to connect to servers and have said that they can’t connect to the Telkom virtual private network.
News of the ransomware attack follows severe disruptions at Telkom since Friday, 29 May, when the company informed clients on Twitter that its call centres were experiencing “technical disruptions”.
On Saturday, Telkom announced that some of its services had been restored, but that its call centres were still offline.
“Our technicians are attending to the issues. Thank you for your patience and we apologise for the inconvenience,” Telkom stated.
On Monday, the vice-chancellor and principal at the University of Johannesburg, Professor Tshilidzi Marwala, stated that system problems at Telkom were preventing free data allocations from going out to students.
“I apologise to our UJ students who are expecting data from Telkom. Telkom has system problems and are attending to the matter. We shall update you as soon as they have resolved the matter,” Marwala said.
This would not be the first time Telkom has fallen victim to a ransomware attack.
In 2017, the company was a victim of the global WannaCry attack. The outage prevented subscribers from using Telkom’s USSD menu or app, which meant they could not buy bundles.
Speculation in the industry is that Telkom has fallen prey to the PonyFinal ransomware. Microsoft Security Intelligence posted about the attack on 27 May.
“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks,” Microsoft stated.
“While Java-based ransomware are not unheard of, they’re not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered.”
Microsoft warned that PonyFinal attackers have been seen gaining access through brute force attacks against a target company’s systems management server.
The actual ransomware is then delivered through a Windows installer – an MSI file – that contains two batch files and the ransomware payload.
UVNC_Install.bat creates a scheduled task named “Java Updater” and calls RunTask.bat, which runs the payload, PonyFinal.JAR.
“PonyFinal is at the tail end of protracted human-operated ransomware campaigns that are known to stay dormant and wait for the most opportune time to deploy the payload,” Microsoft said.
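A defender-side check for the artefacts described above, as an added example that is not from the article or from Microsoft: it scans a scheduled-task export for the “Java Updater” task name and for the file names UVNC_Install.bat, RunTask.bat and PonyFinal.JAR. The column names follow `schtasks /query /fo CSV /v` output; the sample hosts, paths and the `scan_tasks` helper are constructed for illustration.

```python
import csv
import io
import re

# Indicators taken from the article's description of the PonyFinal MSI.
TASK_NAME = "java updater"
FILE_NAMES = {"uvnc_install.bat", "runtask.bat", "ponyfinal.jar"}
# Matches the file-name part of any .bat or .jar referenced in a task action.
FILE_RE = re.compile(r'[^\\/\s"]+\.(?:bat|jar)\b', re.IGNORECASE)

# Constructed sample shaped like `schtasks /query /fo CSV /v` output
# (three columns kept; host names and paths are made up).
SAMPLE_EXPORT = r'''"HostName","TaskName","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o"
"WS02","\Java Updater","C:\ProgramData\RunTask.bat"
"WS03","\Java Updater","C:\Program Files\Vendor\updater.exe /silent"
"WS04","\Backup","cmd.exe /c java -jar C:\Temp\PonyFinal.JAR"
'''

def scan_tasks(export_text):
    """Return (host, task, confidence, reasons) for each suspicious task."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["TaskName"] == "TaskName":
            continue  # skip a repeated header row if the export contains one
        leaf = row["TaskName"].rsplit("\\", 1)[-1].strip().lower()
        hits = {m.lower() for m in FILE_RE.findall(row["Task To Run"])} & FILE_NAMES
        reasons = []
        if leaf == TASK_NAME:
            reasons.append("task named 'Java Updater'")
        reasons += ["action references " + name for name in sorted(hits)]
        if not reasons:
            continue
        # A file-name hit is a strong signal; a name-only match needs a human
        # to check what the task actually launches.
        confidence = "high" if hits else "review"
        findings.append((row["HostName"], row["TaskName"], confidence, reasons))
    return findings

if __name__ == "__main__":
    for host, task, confidence, reasons in scan_tasks(SAMPLE_EXPORT):
        print(f"{host} {task} [{confidence}]: {'; '.join(reasons)}")
```

File names and task names are trivial for an operator to change, so a clean result from this check does not rule out the intrusion Microsoft describes.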
Telkom acknowledged MyBroadband’s request for comment regarding the attack on its systems and said it would provide answers as soon as it could.