Ransomware attack at NHLS: Why cybercrimes are increasing

The use of artificial intelligence (AI) tools may be one of the reasons there has been an increase in cyberattacks on government entities and private companies. 

The latest cybersecurity breach in South Africa has been on IT systems at the National Health Laboratory Service (NHLS), which the Gauteng department of health said had led to delays in processing laboratory tests across public health facilities in the province. 

A cybersecurity expert and senior lecturer from the division of information systems at Witwatersrand University, Thembekile Olivia Mayayise, said there has been an increase in the past few months. She said it was not only ransomware but an increase in different types of scams and cyberattacks such as phishing scams.

She believes the use of AI tools may be fuelling the spike.

“That we cannot run away from because with AI tools you don't need to be an expert user to cause havoc. You don't need to be an expert to write a code or coding that will be malicious,” she said.

Mayayise said phishing e-mails have become a simple thing to create because of the availability of AI tools. Organisations that culturally look after their systems in a certain way may need to strengthen their security systems.

She said the organisations may be in a very difficult position because it is no longer about mastering certain skills. 

“There are platforms people with malicious intentions visit to learn tools and the knowledge about how they can successfully employ the tools.” .

She said organisations that found themselves in a similar position need to go back to the drawing board and try to understand the risks they are facing as far as cybersecurity is concerned. “What do I stand to lose?.”

Mayayise said if systems are compromised, the situation becomes worse as companies and organisations might not have a plan B if they are hit by ransomware.

“You are doomed if you don't have a plan B. You don't know what you are going to do because all your information has been encrypted and even if you pay it does not guarantee you will get your information back.”

Prof Rennie Naidoo from the Wits School of Business Sciences said limited public information exists and scholars tend to rely on media reports, but indications suggest South Africa has seen a significant increase in cyberbreaches.

He said major government cyber-incidents in recent years suggest an increase and listed recent attacks. These include:

• City Power ransomware attack (July 2019) — a ransomware attack on City Power Johannesburg's electricity utility, encrypted databases and network services caused operational disruptions and power outages. 
• City of Johannesburg network breach (October 2019) — The “Shadow Kill” hackers' breach resulted in significant downtime for customer-facing services and a Bitcoin ransom demand. 
• Sabric DDoS attacks (October 2019) — The South African banking sector was disrupted by a wave of distributed denial of service (DDoS) attacks. 
• UIF data leak (May 2020) - changes to the UIF website accidentally leaked employers' confidential information during the Covid-19 pandemic. 
• Department of justice and constitutional development ransomware attack (2021) — a ransomware attack encrypted all systems, causing severe operational disruptions for the department. 
• Transnet cyberattack (2021) — a large-scale attack on Transnet disrupted rail, port, and pipeline operations, highlighting vulnerabilities in critical national infrastructure. 
• Government Employees Pension Fund (2024) — The LockBit ransomware gang claimed responsibility for the February cyberattack on the government workers' pension fund, disrupting operations and pension payments. Despite initial assurances that no breach had occurred, they later confirmed their systems had been compromised.

Naidoo said despite efforts such as stringent data protection laws, the increasing frequency and severity of cyber-incidents suggest the government and private entities need to continuously invest in and improve their cybersecurity capabilities.

“The formal reporting of cyber-incidents is limited, and there is a lack of comprehensive resources and statistics from law enforcement and prosecuting authorities.  

“The Cybersecurity Hub, South Africa’s national CSIRT (computer security incident response team), provides reporting services but does not publicly share incident data, which limits broader awareness and understanding of the threat landscape.”

TimesLIVE