Transnet ransomware hackers did not get a single cent
Transnet did not pay any money to the hackers responsible for bringing much of the company’s operations to a grinding halt through a ransomware attack on its IT systems in late July.
This was according to public enterprises minister Pravin Gordhan, who recently updated the media on reforms at the state-owned transport company, including plans to draw on private investment to upgrade South Africa’s port infrastructure.
“No ransom was paid,” Gordhan stated in response to a question from journalists.
The minister said the majority of Transnet’s IT systems had fully recovered from the attack.
“About 90% of the IT systems at the corporate centre, freight, rail, port terminals, engineering, pipelines, and the port authority, which is slightly behind, are now fully recovered, and the appropriate security measures have been taken,” the minister stated.
Gordhan said Transnet had demonstrated it had the skills and capability, both in-house and through partners it was able to bring in during the incident, to identify the exact target of the attack and quickly shut down the systems to secure them.
He also praised the company for putting in place operational measures that ensured that within 24 to 36 hours, the ports began to show some semblance of normal activity.
The minister added that further work was being done to ensure that Transnet implemented the lessons learnt from the experience in its IT systems.
He would not elaborate on any progress in identifying the culprits behind the attack, as the matter was still under investigation.
The attack on Transnet brought operations at many of South Africa’s ports to a near-standstill.
Employees were instructed not to use their laptops, desktops, or tablets connected to the Transnet domain. Staff were also told not to access their work emails on any device.
With IT systems offline, Transnet had to rely on manual systems to process incoming and outgoing ships and the movement of containers.
The company declared force majeure, a common contract clause that frees all parties from liability when an extraordinary event occurs, on 27 July.
Cybersecurity firm CrowdStrike said the ransomware note found on Transnet’s systems was similar to those left in other attacks in recent months.
Vice president of intelligence at CrowdStrike, Adam Meyers, said it was linked to ransomware strains known as “Death Kitty,” “Hello Kitty,” and “Five Hands”.
These strains were identified in a ransomware attack on Polish video game developer CD Projekt and had exploited security vulnerabilities in SonicWall networking products.