Date: Sep 2021

Location: South Africa

Summary

A ransomware attack encrypted all systems of South Africa's Justice Department, rendering electronic services inaccessible both internally and to the public. The incident disrupted child maintenance payments, bail services, legal document issuance, email, and website operations, prompting a switch to manual court recordings and document processing. While restoration timelines remained unclear, the department secured outstanding child maintenance funds for future disbursement and partially migrated staff to a new email system. Investigations revealed no evidence of data compromise, and no ransomware group claimed responsibility for the attack.


Description

On September 6, 2021, South Africa’s Department of Justice and Constitutional Development experienced a ransomware attack that encrypted its entire network, rendering all electronic services inoperable for internal staff and the public. The attack disrupted core judicial functions, including the issuance of letters of authority, bail services, email communications, and access to the departmental website. Child maintenance payments—a critical social service—were immediately suspended due to the system-wide encryption. The department activated its contingency plan to maintain minimal operational continuity, shifting court proceedings to manual processes for recording hearings and generating legal documents. Spokesperson Steve Mahlangu confirmed the severity of the incident, emphasizing that no digital services could function while systems remained encrypted. The department’s inability to process maintenance payments forced beneficiaries to wait indefinitely, though officials assured the public that allocated funds would be securely held until systems resumed.

Restoration efforts faced significant delays, with no definitive timeline provided for full recovery. IT teams prioritized rebuilding infrastructure, including migrating staff to a newly established email system—a step suggesting the department did not pay the ransom. Mahlangu stated that forensic investigations found no evidence of data exfiltration, reducing concerns about sensitive information leaks. Despite this, the prolonged outage highlighted vulnerabilities in critical government infrastructure, particularly the dependency on digital systems for essential public services. No ransomware group claimed responsibility for the attack, leaving the perpetrators unidentified. Manual workarounds allowed courts to operate at reduced capacity, but the backlog of delayed child maintenance payments underscored the attack’s tangible societal impact. The department continued working toward normalization but offered no public updates on final resolution dates or technical details of the recovery process.
