Security | 30.01.2025

South African Weather Service attacked by Russia-linked ransomware group

RansomHub is behind the recent attack on South African Weather Service IT systems, a spokesperson for the agency has told MyBroadband.

The Russia-linked group rose to prominence in 2024 after law enforcement took down LockBit and the ALPHV/BlackCat group pulled an exit scam on its affiliates.

Like many ransomware gangs, RansomHub infiltrates vulnerable systems and networks, steals any data it can find and then encrypts the files, often bringing down an organisation’s entire IT infrastructure.

This allows them to use a double-extortion method to coerce victims into paying them after an attack — firstly, to regain access to their systems, and secondly, to not leak or sell their stolen data online.

According to the SA Weather Service (SAWS), RansomHub has not demanded a specific amount for a file decryptor and protection against a further leak.

This is not unusual, as many ransomware gangs direct victims to dark web instant messaging applications to negotiate terms.

SAWS posted a notice on Monday stating that its systems went down on Sunday evening due to a cyberattack.

The government agency said it reported the attack to the relevant authorities, adding that it was the second in two days after an initial attempt on Saturday, 25 January 2025, failed.

It told MyBroadband on Thursday morning that it has ensured critical services to the marine and aviation sectors, as well as severe weather services, are not interrupted through the use of alternative channels.

“In the meantime, a team of ICT engineers and cyber security experts are working around the clock to recover and restore the compromised systems,” a spokesperson said.

MyBroadband visited RansomHub’s dedicated leak site on the dark web on Thursday, and the SA Weather Service breach was not listed.

The two most current listings are dated 23 January and 27 January 2025.

However, it should be noted that the ransomware-as-a-service group works with a network of affiliates. The affiliate responsible for the SAWS breach may not have provided the details to the site’s operators yet.

Offering affiliates an attractive split of extortion payments is one reason for RansomHub’s meteoric rise in the past year.

It reportedly initially offered affiliates a 90-10 split, with the attackers keeping 90% of the take while the RansomHub mothership keeps 10%.

According to the group’s website, this has since been changed to an 85-15. The Register reports that this is still more attractive than the 80-20 or 70-30 splits typically offered by other ransomware operators.

Cybersecurity firm ZeroFox tracked RansomHub’s rise in 2024, reporting that the group accounted for about 2% of all attacks in the first quarter, 5.1% in Q2, 14.2% in Q3, and about 20% in Q4.

ZeroFox analysts said RansomHub was the most prominent ransomware and data exfiltration group of 2024.

“The greatest threat in early 2025 will very likely emanate from RansomHub,” ZeroFox warned.

While its growth will almost certainly plateau, ZeroFox said it was likely that the collective will continue to attract experienced affiliates and remain the most dangerous ransomware and data exfiltration threat this year.

RansomHub has a set of rules affiliates must abide by or face expulsion from the group.

“We do not allow Commonwealth of Independent States countries, Cuba, North Korea and China to be targeted,” it states.

However, it also assures that it is not politically motivated.

“Our team members are from different countries and we are not interested in anything else, we are only interested in dollars.”

RansomHub said re-attacks are not allowed for target companies that have already made payments.

“We do not allow non-profit hospitals and some non-profit organisations be targeted.”

SAWS is the latest in a spate of cyberattacks on government agencies and companies in South Africa.

These include a breach of the Companies and Intellectual Property Commission (CIPC) in March last year and the potential exposure of the data of every registered business, organisation, and their directors.

An earlier breach of the Government Pensions Administration Agency (GPAA) by the ransomware group LockBit had exposed the personal details of every government employee in South Africa.

In June, the National Health Laboratory Service (NHLS) was forced to shut down its IT systems after a hacking group called BlackSuit broke into its servers and stole 1.2 terabytes of data.
