Transnet 'Death Kitty' ransomware (South Africa, 2021)
A ransomware attack on South Africa's state-owned logistics firm Transnet shut down operations at Durban, Ngqura, Port Elizabeth and Cape Town container terminals, forcing the operator to declare force majeure. Durban, which handles 60% of Southern Africa's containerised trade, reverted to paper-based cargo clearance for a week.
- Victim: Transnet SOC (state-owned freight & port operator)
On 22 July 2021, Transnet — the state-owned operator of South Africa's freight rail and major sea ports — was hit by a ransomware attack severe enough to force the company to declare force majeure at the country's container terminals. Durban, Ngqura, Port Elizabeth, and Cape Town all stopped operating normally.
What happened
The ransomware family was identified by researchers as part of the "Death Kitty" / "HelloKitty" / "Five Hands" cluster — overlapping criminal operations with likely Russian or Eastern European origin. Transnet's container-terminal operating systems were disabled along with much of its corporate IT.
The operational fallback was striking: port workers reverted to manual ship-movement tracking and paper-based cargo clearance. At Durban, which handles roughly 60% of Southern Africa's containerised trade, processing times for imports increased substantially. Transnet declared force majeure at Durban, Ngqura, Port Elizabeth, and Cape Town container terminals — releasing the operator from contractual obligations because of the extraordinary disruption.
Recovery took approximately a week of intense restoration work. Two weeks later, the Minister of Public Enterprises stated that 90% of IT systems had been fully recovered and secured.
Impact
- Container operations at Durban, Ngqura, Port Elizabeth, and Cape Town disrupted.
- Force majeure declared at major South African ports.
- Cargo clearance reverted to manual, paper-based processes for about a week.
- Substantial regional economic disruption: Durban alone handles ~60% of Southern Africa's containerised trade.
Why it matters
Transnet is the reference case for critical-infrastructure ransomware in sub-Saharan Africa. It demonstrates that even a major state-owned operator running modern container terminals can be reduced to paper-and-pen logistics in under 24 hours, and that the cascading effect can deny services not just to one country but to an entire region's trade flow.
Timeline
- Transnet detects a ransomware attack and disables IT systems, halting operations at all major South African container terminals.
- Transnet declares force majeure at the Port of Durban, Ngqura, Port Elizabeth, and Cape Town container terminals.
- Port workers manually track ship movements and clear cargo via paper-based processes; processing times at Durban — handler of 60% of Southern Africa's containerised trade — increase substantially.
- Researchers link the malware to the 'Death Kitty' / 'HelloKitty' / 'Five Hands' families, likely originating from Russia or Eastern Europe.
- Most ICT systems and port operations restored within a week; force majeure lifted. Public Enterprises Minister states 90% of IT systems are recovered and secured.
Sources
- en.wikipedia.org: https://en.wikipedia.org/wiki/Transnet_ransomware_attack
- bloomberg.com: https://www.bloomberg.com/news/articles/2021-07-29/-death-kitty-ransomware-linked-to-attack-on-south-african-ports
- securityaffairs.com: https://securityaffairs.com/120596/cyber-crime/transnet-soc-cyber-attack.html
- issafrica.org: https://issafrica.org/iss-today/cyber-attacks-expose-the-vulnerability-of-south-africas-ports
- resilientmaritimelogistics.unctad.org: https://resilientmaritimelogistics.unctad.org/guidebook/case-study-17-port-durban-south-africa