Troubling questions over South African internet infrastructure attacks

The sheer scale of the distributed denial-of-service (DDoS) attacks on South African internet infrastructure in recent days doesn't make sense considering the relatively small amounts the attackers are trying to extort.

A senior South African network security specialist, who asked for anonymity given the nature of his work, told TechCentral on Tuesday that the ransom of two-and-a-half monero – equating to about R16 000 at the time of writing – pales in comparison to the cost it would have taken to mount the attacks.

To sustain the attacks – which peaked at over 600Gbit/s in the case of at least two web hosting providers and which have run for hours at a time – is not a cheap exercise. Just one 300Gbit/s attack, according to the security specialist, would cost at least US$5 000 per target.

“A commodity criminal would chase the softest targets. Somebody has picked the most consequential ones in this attack. The knock-on map through the ISP and reseller chains is exactly the dependency picture a hostile actor would want to validate,” said TechCentral’s source.

“If this had happened in the UK, the US or Australia, there would already be a government-level task team … actively assisting the affected centres, exchanging indicators of compromise with foreign counterparts and issuing public technical advisories within 24 hours.”

Mystery also surrounds the true identity of the perpetrators of the string of attacks, which began late last week and which have impacted 1-grid, Domains.co.za, Xneelo and Network Platforms, among others. The attackers identified themselves as BlackMatter in extortion e-mails to the affected companies, though it is far from clear whether this is the group that is really behind the attacks.

BlackMatter?

First coming to prominence in 2021, BlackMatter was a rebrand of DarkSide, a ransomware-as-a-service outfit that was active between 2020 and 2021.

“BlackMatter operates outside of a typical corporate-style entity. This ransomware gang is constantly staging its ‘death’ and ‘rebirth’ to shake off law enforcement trying to track them,” said Jayson O’Reilly, MD at cybersecurity specialist CYBER1 Solutions.

Read: DDoS extortionists ‘carpet bomb’ South African web hosts

There are other complicating factors that make BlackMatter difficult to pin down. According to O’Reilly, digital deception – the embedding of false flags to confuse forensic investigators – is part and parcel of BlackMatter code. He said the organisation is also thought to operate from “safe haven” jurisdictions, including Russia and the Commonwealth of Independent States, making physical contact nearly impossible.

“They also do financial transactions through cryptocurrencies like monero and highly obfuscated crypto mixing services. So, in a nutshell, they are playing the cat and mouse game and winning against the authorities. That is what makes them successful,” said O’Reilly.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), BlackMatter actors have attacked numerous US-based organisations and have demanded ransom payments ranging from $80 000 to $15-million in bitcoin and monero.

The group attacking South African infrastructure companies in recent days demanded that their extortion money be paid in monero, a cryptocurrency designed to be nearly untraceable. But the small sum being extorted from the South African companies remains the biggest puzzle, and does not fit with previous ransom demands attributed to BlackMatter.

The carpet-bombing attack on South African infrastructure has had a wide impact on South African websites. Xneelo confirmed to TechCentral that its infrastructure was indeed hit by a DDoS attack, but that disruption at upstream service providers also affected end-user connectivity. 1-grid, meanwhile, said attack traffic exceeded 100Gbit/s on its network and targeted IP addresses across its entire network range.
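The detail that matters operationally in the paragraph above is that the traffic was spread across an entire network range rather than aimed at one host. That is what "carpet bombing" means in practice: no single destination address necessarily crosses a per-IP mitigation threshold, while the aggregate hitting the prefix is enormous. The following is an added example (not code from TechCentral, 1-grid or any provider named in the article) of how a flow-based detector can miss such an attack when it keys on destination IP and catch it when it keys on the covering /24. The flow records, the RFC 5737 documentation prefixes and the 5Gbit/s thresholds are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow summaries for one-second interval: (dst_ip, bits).
# Addresses are RFC 5737 documentation ranges, not any real provider's space.
SAMPLE_FLOWS = [
    ("203.0.113.7", 20_000_000_000),  # one hot target receiving 20 Gbit/s
    ("203.0.113.8", 100_000_000),     # background traffic to a neighbour
] + [
    (f"198.51.100.{i}", 400_000_000)  # 400 Mbit/s to every host in the /24
    for i in range(1, 255)
]

# Assumed trigger levels; a real deployment would derive these from baselines.
PER_IP_THRESHOLD_BPS = 5_000_000_000
PER_PREFIX_THRESHOLD_BPS = 5_000_000_000


def per_ip_totals(flows):
    """Sum bits per destination address."""
    totals = defaultdict(int)
    for dst, bits in flows:
        totals[dst] += bits
    return totals


def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD_BPS):
    """Classic per-destination detection: flag hosts whose own traffic exceeds threshold."""
    return sorted(ip for ip, bits in per_ip_totals(flows).items() if bits > threshold)


def per_prefix_alerts(flows, prefix_len=24, threshold=PER_PREFIX_THRESHOLD_BPS):
    """Aggregate by covering prefix and count distinct victims; flags carpet bombs too."""
    totals = defaultdict(int)
    victims = defaultdict(set)
    for dst, bits in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[net] += bits
        victims[net].add(dst)
    return {
        str(net): {"bps": bits, "distinct_dsts": len(victims[net])}
        for net, bits in totals.items()
        if bits > threshold
    }


def classify(flows, prefix_len=24):
    """Label each flagged prefix: 'single-target' if some host alone crosses the
    per-IP bar, otherwise 'carpet-bomb' (volume only visible in the aggregate)."""
    hot_ips = set(per_ip_alerts(flows))
    labels = {}
    for net_str in per_prefix_alerts(flows, prefix_len):
        net = ipaddress.ip_network(net_str)
        hot_here = any(ipaddress.ip_address(ip) in net for ip in hot_ips)
        labels[net_str] = "single-target" if hot_here else "carpet-bomb"
    return labels


if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_FLOWS))
    for net, info in per_prefix_alerts(SAMPLE_FLOWS).items():
        print(f"{net}: {info['bps'] / 1e9:.1f} Gbit/s across {info['distinct_dsts']} hosts")
    print("classification:", classify(SAMPLE_FLOWS))
```

On the constructed input, the per-IP detector reports only 203.0.113.7 and stays silent on 198.51.100.0/24, even though that prefix is absorbing more than 100Gbit/s spread over 254 hosts. Mitigation policies that blackhole or scrub a single /32 once it trips a threshold never fire for the carpet-bombed range, which is why providers facing this pattern have to alert and redirect at prefix granularity.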

Read: Extortion fears as DDoS attacks hit SA internet infrastructure

Outage-tracking website Downdetector showed reports of a disruption at subsea cable operator Seacom on Tuesday morning. Seacom confirmed that the disruption – which it described as temporary – was caused by DDoS attacks on other service providers and not by an attack on its own infrastructure, contradicting media reports elsewhere.  – © 2026 NewsCentral Media
