Some residents of Johannesburg were left in the dark as a ransomware attack took out the City’s power servers, preventing residents from being able to purchase and upload electricity units.

The attack was identified in the early hours of Thursday 25 July, according to spokesperson Isaac Mangena. Starting at 8.30am on the 25th, City Power’s official Twitter account, @CityPowerJHB, issued a series of tweets explaining the situation.

According to Adam Oxford, a freelance technology journalist, “Ransomware is a type of cyber attack in which a malicious program finds its way on to a computer system or network, and the damaging payload of that program will be to destroy data or encrypt it to the point where it is irretrievable.”

The attacked company is told to pay a ransom to decrypt data that is comprised in a ransomware attack. Oxford told Daily Maverick that ransoms are usually paid in a cryptocurrency such as Bitcoin into anonymous bank accounts in exchange for a decryption key.

But, according to Mangena, the City refused to pay the ransom. Although he would not reveal the ransom amount, Mangena told Daily Maverick, “As a matter of principle we do not pay ransoms.”

Without a decryption key, the City was left with two options: try to manually decrypt their servers and the affected data, or reconstruct their data and servers using unaffected backups.

In a statement issued a few hours after the attack was revealed on Twitter, City Power claimed that “most of the IT applications and networks that were affected by the cyberattack have been cleaned up and restored” with Mangena telling Daily Maverick the City was using unaffected backups to restore functionality.

“However, due to the sensitivity of this matter and the fact that City Power and its head office where the system is situated is a national key point, some aspects of the matter have been taken up and treated as national cyber security issues.”

While there is a chance that the attack was specifically targeted, Oxford said that phishing emails containing ransomware are frequently sent in bulk without specific targets.

“Most of the ransomware attacks are very highly automated – they’re not particularly targeted at any organisation. They’re distributed via email, they infect systems by people clicking on an email attachment and they can start spreading and encrypting as soon as the attachment is opened.”

City Power has reassured its clients that no personal information was compromised. By close of business on the same day City Power says they discovered the attack, electricity vending had already been restored.

According to Mangena, vending “was our priority as we didn’t want to inconvenience our customers who were unable to purchase electricity in this cold weather”.

However, at the time of publishing late on Thursday, City Power had not yet been able to restore its website’s functionality.

“This is a concern because with today being the 25th it’s the day suppliers will log invoices so that they can be paid for work done. It means they won’t be able to. We have appealed to them to submit directly by physically walking into our offices in Booysens to do the submissions while we are busy with the problem,” Mangena told Daily Maverick.

Despite this, Oxford was impressed with the way City Power managed the situation.

“People don’t talk about when they get attacked, they’re so frightened of brand damage and negative publicity, but actually we should be celebrating organisations that say, ‘Look, ransomware attacks are going to happen to everybody.’ These are highly automated attacks – if you’ve got an email address you are at risk of being attacked by ransomware.” DM