South Africa’s Finance Minister Enoch Godongwana has disclosed that the Land and Agricultural Development Bank of South Africa was targeted in a ransomware incident earlier this year.
The cyberattack took place on January 12, according to official confirmation.
Details of the breach were made public through a parliamentary response after Adil Nchabeleng requested clarification on how the incident occurred, which systems were impacted, and whether the attackers issued any ransom demands.
In his response, the Minister stated that the attackers demanded 5 Bitcoin, estimated to be worth around R5.4 million. The bank chose not to comply with this demand. He further confirmed that core banking infrastructure and data related to farmers were not accessed or compromised.
Initial investigations revealed that suspicious activity was detected within certain parts of the bank’s IT environment. Further analysis suggested that an external party gained entry by exploiting a vulnerability in an internet-facing server. Following this, ransomware was deployed, leading to encryption of portions of the bank’s server systems as well as several employee laptops.
The attack specifically affected servers operating within virtual environments that run on Microsoft systems. Authorities have identified the perpetrators as part of a Ransomware-as-a-Service group, indicating the use of commercially distributed ransomware tools.
In response to the breach, the bank acted swiftly to contain the damage. Affected systems were isolated, indicators of compromise were removed, and additional security measures were implemented to strengthen defenses.
Officials emphasized that critical platforms, including enterprise resource planning systems, core banking infrastructure, and customer relationship management tools, were not accessed. This was attributed to the fact that the SAP environment is maintained separately from other server systems, providing an additional layer of protection.
However, other parts of the IT environment were significantly impacted. Systems outside the SAP infrastructure were either encrypted or rendered inaccessible to staff, and multiple laptops were also locked by the ransomware.
The attackers reportedly demanded payment in Bitcoin in exchange for restoring access to data and refraining from releasing any stolen information. Despite this, the bank confirmed that it did not make any ransom payment.
During the recovery phase, the bank continued to isolate affected environments, remove malicious traces, and enhance its cybersecurity posture. This included strengthening firewall configurations, patching known vulnerabilities, and improving detection mechanisms to better respond to future threats.
This incident follows a series of cyberattacks affecting organizations in South Africa. In May of the previous year, South African Airways experienced a major cyber disruption that affected its website, mobile application, and several internal systems. Immediate steps were taken at the time to reduce the impact on flight operations and customer services.
The Land Bank attack sheds light on the increasing frequency of ransomware incidents targeting key institutions. It also underscores the importance of proactive cybersecurity measures, including system segmentation, timely updates, and continuous monitoring to prevent and mitigate such threats.
