Johannesburg, the biggest city in South Africa and the 26th largest city worldwide, has shut down its website, billing, and electronic services after being hit by a serious network attack, the second one in three months, municipality officials said.

A group calling itself Shadow Kill Hackers took to Twitter to take credit for the attack, claiming it took Johannesburg's “sensitive finance data offline.” The group is demanding four Bitcoins, valued at about $32,000 US, for the safe return of the data.

A Johannesburg spokesman said the city took down the site after it detected a breach and that so far no formal ransom demands had been made. He also played down the extent of the breach.

“It was picked up very early while it was at the user level, before it reached the applications level where critical information sits,” he told a TV news reporter. “So for us it was important that we safeguard the information first, before we start with the remedial work.”

All your servers have been hacked

Accounts on Twitter tell a different story. In this purported image of the ransom note, which is addressed to “Joberg city,” attackers claim to have full control over the city's network. Rather than encrypting the data and demanding a ransom in return for the encryption key, the attackers appear to threaten to publish the data unless the money is handed over.

“All of your servers have been hacked,” the note states. “We have dozens of backdoors inside your city.” The note goes on to demand the Bitcoin ransom by Monday. “If you don’t pay on time, we will upload the whole data to anyone on the Internet,” the note continues. “If you pay on time, we will destroy all the data we have, and we will send your IT a full report about how we hacked your system and your security...”

The group’s Twitter messages also say the site outages weren’t the result of Johannesburg officials taking their systems offline, as the officials claimed, but rather of the hacking group turning off the city’s domain name system, which is used to help translate domain names into IP addresses. Another Twitter message posted what are purported to be screenshots showing DNS controls and an Active Directory set up for the Johannesburg City network.

This is the second breach in the past three months to hit the city. In July, Johannesburg’s municipal power provider suffered a ransomware attack that left residents without electricity.

In the first nine months of this year, at least 621 government entities, healthcare service providers, school districts, colleges, and universities have been hit by ransomware, according to recent reports from security firm Emsisoft. At least 68 of those attacks were on state, county, and municipal entities. An attack in June on Baltimore cost the city at least $18 million. Three Florida cities were also infected this year.

Emsisoft spokesman Brett Callow told Ars that the Johannesburg attackers appeared to be new to the ransomware scene.

“The personalized login screen message is quite unusual and not one we’ve seen before,” he said. “Nor is the email address provided in the ransom note one that we’ve seen used in other attacks (it has also never been used in any previous submission to ID Ransomware).”

The Johannesburg spokesman, meanwhile, said the city’s IT staff is working around the clock to get systems back online.