The hacking group holding Cell C ransom

The group behind the recent Cell C data breach, RansomHouse, infiltrates organisations through phishing attacks, exploiting vulnerabilities, or leveraging poor cybersecurity practices.
Cell C disclosed on 8 January 2025 that it was the victim of a cyberattack that exposed the data of a limited number of people, and roughly two days later, it revealed that RansomHouse had claimed responsibility for the attack.
Fortunately for the South African mobile operator, the group, which emerged in March 2022, claims to distinguish itself from traditional ransomware groups by focusing on data theft rather than encrypting victims’ systems.
This is according to Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense, who added that RansomHouse exfiltrates sensitive data from breached systems and demands payment for not leaking it.
Because it does not encrypt systems, this approach allows RansomHouse group members to avoid detection for longer, as there is no immediate operational disruption.
The group has significantly impacted South Africa in recent years, attacking Checkers owner Shoprite in June 2022 and Cell C in November 2024.
“However, given the fact that these Cyber Extortion (Cy-X) operations operate globally, we don’t see South Africa proportionally heavily impacted by this particular Cy-X operation,” said Selck-Paulsson.
She added that there are currently no other known RansomHouse victims exposed in South Africa but noted that the victimisation process can take several weeks or months.
RansomHouse posted a sample of the data it stole from Cell C on the dark web, revealing that it had exfiltrated 2TB of data from the mobile operator’s systems.
“Our investigation into this matter is still ongoing, and we are working diligently to gather all the facts,” said Cell C.
“We can confirm that the threat actors involved in this incident have identified themselves as RansomHouse.”
It added that it had no additional verified information regarding the attackers’ identities and that its forensic experts are investigating.
The list of files in the RansomHouse sample includes what appear to be customer call records, identity document scans belonging to a former exco member, and the front pages of non-disclosure agreements involving Cell C.
Also included were the first pages of several customer contracts and screenshots that appear to show Cell C’s financial data, including a balance sheet and statements showing revenue and profit.
However, Cell C has told MyBroadband that the compromised data is unstructured, making it difficult to analyse.

South Africa is a prominent target for cybercrime
Orange Cyberdefense said it has identified South Africa as an increasingly prominent target for cyberattacks.
Its latest CyXplorer report, which focuses on cyber extortion, revealed that Africa experienced a 100% increase in threats between April 2023 and April 2024.
It notes that South Africa accounted for the majority of incidents.
“In our latest investigation of the ongoing Cy-X threat in our Security Navigator 2025 report, we found Africa to be the 11th most impacted region; 40% of the victims were from South Africa,” said Selck-Paulsson.
However, the firm observed a slight decrease in threats between October 2023 and October 2024.
“This is a very typical development of this very dynamic ecosystem that often goes about their criminal business based on opportunities they can leverage,” added Selck-Paulsson.
She warned that the Cy-X landscape is evolving rapidly. New actors, aggressive threats, and increasing cross-border threats are emerging globally.
Companies, particularly those in countries like South Africa, must take proactive action to mitigate the risks of these dynamic threats.
“Signs of desperation in the Cy-X ecosystem are evident, such as last year’s attack on South Africa’s National Health Laboratory Service (NHLS) during a health outbreak,” said Selck-Paulsson.
“This underscores the critical need to protect vital infrastructure against increasingly aggressive and indiscriminate threats.”
Organisations must enhance their resilience with robust cybersecurity strategies and implement real-time threat monitoring, incident response planning, and collaboration across all sectors to protect themselves.
“Cy-X actors are now targeting sensitive sectors, exposing private communications, and naming individuals, amplifying harm and creating psychological and reputational impacts,” said Selck-Paulsson.