Date: 2024-08-03

ZB Financial Holdings, one of the largest financial institutions in Zimbabwe, was attacked by a ransomware gang in July, and had its data leaked to the internet.

From what we understand, the attackers stole files, demanded a ransom not to release them, and when ZB refused, leaked the data on the dark web. It is also possible that the hackers encrypted ZB’s files as part of the attack, to prevent the bank from accessing them.

The attack was picked up by cyber security monitoring firms and published on their social media accounts. One of these firms said in a post on X that ZB was one of 6 companies hit with ransomware by the attackers, including a company in South Africa and others in Europe:

We have identified and begun monitoring a new ransomware group named “Mad Liberator”. They have listed 6 victims to their darkweb portal

– ZB Financial Holdings 🇿🇼
– South African Cities Network 🇿🇦
– Crosswear Trading 🇬🇧
– Montero & Segura Procuradores Asociados 🇪🇸
– Ministero della cultura 🇮🇹
– Vitaldent 🇪🇸

The attackers apparently demanded ransom from ZB and when the organisation refused to pay, they released the data they had to the internet.

Techzim was able to view signs that lots of ZB customer and operations data, running into gigabytes, had indeed been leaked. The data includes Excel files with consumer customer data, business customer data, employee data, account applications and several other kinds of data. The file dates look as current as July 2024 but go as far back as 2017 and probably earlier.

Techzim was alerted to the attack a little over a week ago and we wrote to ZB to understand what exactly had happened and for comment, but we didn’t receive any official response. Representatives of the company told us several times over more than a week that they’d respond, but did not.

We are however reliably informed that ZB was aware of the attack prior to our enquiry.

It is possible that the attack is linked to a notice to customers that ZB sent out on 16 July. The financial services firm notified customers that its systems were experiencing instability and that technical teams were working flat out.

A week later on the 23rd, the company said everything was normal again.

It’s not clear if the data leak situation is now under control. It is possible that the ransomware gang released some files but are still holding on to more. It is also possible that even though the bank has recovered its systems, it may still not be clear how the attackers got in and may therefore still be vulnerable.

One local cyber security expert we spoke to suspected that the situation was caused by poor patch management:

Ransomware attacks are a direct indicator of lack of a patch management program + weak endpoint security + weak web and email channel security…

Ransomware Gangs

Ransomware gangs attack victims by exploiting vulnerabilities in their computer systems, or simply by tricking a person into taking an action such as opening a malicious attachment. The ransomware itself encrypts the victim’s files, and the attacker then demands a ransom from the victim in exchange for restoring access to the data. The ransom can range from a few hundred US dollars to thousands, which the gangs want paid in cryptocurrency.
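Because ransomware works by rewriting many files with encrypted (random-looking) contents in a short space of time, defenders often watch file-write telemetry for exactly that pattern. The following is an added illustration, not code from the article or from any vendor mentioned in it: it computes the Shannon entropy of written data and raises an alert when one process writes a burst of high-entropy files within a short window. The process names, file paths, the `.locked` extension and the event log are all constructed for the example.

```python
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits around 4-5; encrypted or
    compressed data sits close to the maximum of 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_sample_events():
    """Constructed file-write telemetry: (timestamp_s, process, path, bytes_written).
    Nothing here comes from the real incident; it is sample data for the detector."""
    rng = random.Random(7)  # fixed seed so the example is deterministic
    events = []
    # Benign: a word processor saving three low-entropy documents over ten minutes.
    for i, t in enumerate((0, 300, 600)):
        events.append((t, "winword.exe",
                       f"C:/Users/alice/Documents/report{i}.docx",
                       b"Quarterly report text, mostly ASCII prose. " * 100))
    # Suspicious: one process rewriting 30 documents with random-looking bytes
    # in about 15 seconds, appending a new extension (a common ransomware trait).
    for i in range(30):
        events.append((1000 + i * 0.5, "svchost_update.exe",
                       f"C:/Users/alice/Documents/customer_{i}.xlsx.locked",
                       rng.randbytes(4096)))
    return events


def detect_mass_encryption(events, window_s=60, min_files=20, entropy_min=7.0):
    """Flag any process that writes at least `min_files` high-entropy files
    within any `window_s`-second window. Returns one alert per offending process."""
    events = sorted(events, key=lambda e: e[0])
    high_entropy_writes = defaultdict(list)  # process -> [(ts, path), ...]
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= entropy_min:
            high_entropy_writes[proc].append((ts, path))

    alerts = []
    for proc, writes in high_entropy_writes.items():
        start = 0
        for end in range(len(writes)):
            # Slide the window forward until it spans at most window_s seconds.
            while writes[end][0] - writes[start][0] > window_s:
                start += 1
            if end - start + 1 >= min_files:
                alerts.append({
                    "process": proc,
                    "files": end - start + 1,
                    "first_path": writes[start][1],
                    "window_start": writes[start][0],
                })
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(f"ALERT: {alert['process']} wrote {alert['files']} high-entropy files "
              f"starting at t={alert['window_start']}s ({alert['first_path']})")
```

The thresholds are deliberately conservative: a user zipping a folder or saving a few photos also produces high-entropy writes, so the detector keys on volume per process per minute rather than on any single file. In a real deployment the same logic would run over EDR or Sysmon file-create events, and an alert would trigger isolation of the host rather than just a print statement.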

A crypto-tracing firm revealed that ransomware payments globally exceeded US $1.1 billion in 2023.

ZB is hardly the only company to be attacked by ransomware gangs in recent history. ZESA, about a year ago, was reported to have been hacked by one such group. There have also been murmurs about such attacks on banks that are never disclosed. Of course the problem is that the customers whose data would have been stolen and leaked have no idea about the breaches or their extent.

Beyond Zimbabwe, last year a ransomware attack hit China’s ICBC, the world’s biggest bank. In the UK the gangs were responsible for stealing NHS health data just last month. Other attacks have been responsible for shutting down casinos in Vegas, and there have even been attacks on government systems.