{
	"id": "ed7ef36a-4575-4155-8224-782c22eb9171",
	"created_at": "2026-04-06T00:11:08.896162Z",
	"updated_at": "2026-04-10T13:12:36.151723Z",
	"deleted_at": null,
	"sha1_hash": "a508835b8c53da24bebf854db5f333453ec733d0",
	"title": "LockBit takes credit for February shutdown of South African pension fund",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77859,
	"plain_text": "LockBit takes credit for February shutdown of South African\r\npension fund\r\nBy Jonathan Greig\r\nPublished: 2024-03-12 · Archived: 2026-04-05 17:44:05 UTC\r\nThe LockBit ransomware gang said it was behind an attack on South Africa’s government workers pension fund\r\nlast month, which has hampered the organization’s operations and disrupted pension payments.\r\nThe South African Government Pensions Administration Agency (GPAA) manages the money within the\r\nGovernment Employees Pension Fund (GEPF) — the largest pension fund in Africa — administering the pensions\r\nof about 1.7 million government employees and pensioners as well as their spouses and dependents.\r\nA spokesperson for GEPF told Recorded Future News that it was aware of LockBit’s claims and “extremely\r\nconcerned” about the data purportedly leaked by the gang. The spokesperson noted that they were initially told by\r\nthe GPAA that “no data breach had occurred” after being notified of the cyberattack on February 16.\r\n“This morning, 12 March 2024, following the release of certain GPAA data by LockBit on 11 March 2024, the\r\nGEPF has been informed by GPAA that preliminary investigations has found that the certain GPAA systems were\r\ncompromised,” the spokesperson said.\r\n“The GPAA is investigating the alleged data breach and whether this impacts the GEPF. GPAA has reconfirmed\r\nthat preventative action was taken when it became aware of the attempted access to its systems which included\r\n‘shutting down’ all systems to isolate affected areas. GPAA further confirmed that pension payments are not\r\naffected.”\r\nThe GPAA did not respond to requests for comment. The GEPF spokesperson said it is working with the agency\r\nas well as the South African National Treasury to “establish the veracity and impact of the reported data breach\r\nand will provide a further update in due course.”\r\nLocal news outlets reported that no pension payments went out to recipients starting on February 12, and the\r\norganization’s offices were closed from February 16 to February 21. The office said in a statement that it was due\r\nto “an attempt to gain unauthorized access to [the organization’s] systems.”\r\nService at regional offices were restored afterward, and claims can now be submitted.\r\n“The Government Employees Pension Fund once again apologizes for the inconvenience this has caused to the\r\nmembers, beneficiaries and pensioners. We reiterate that no payments were affected by this incident, and\r\npensioners and members will receive their benefits as per their usual payment dates,” the organization said last\r\nmonth.\r\n“The GEPF assures its members, pensioners, and beneficiaries that their benefits and personal information are\r\nsafe, and that the administration system has not been compromised.”\r\nhttps://therecord.media/lockbit-ransomware-takes-credit-for-south-african-pension-fund-attack\r\nPage 1 of 3\n\nSouth African government institutions have been battered by ransomware gangs over the last year. A state-owned\r\nbank was attacked last June. In September, South Africa’s defense department was hacked by the Snatch gang.\r\nThe gang leaked the personal phone number and email of the country’s president alongside a portion of the 1.6\r\nterabytes of data stolen from the country’s defense systems. The government initially denied the attack before\r\nadmitting that a breach did occur.\r\nLockBit leaking old data\r\nAlthough law enforcement agencies took down LockBit’s infrastructure on February 19, the group on Monday\r\nsaid on its leak site that it was behind the GPAA attack.\r\nCybersecurity expert Valéry Rieß-Marchive said that LockBit might be making new posts to maintain an\r\nappearance that it is still active, but it is simply hawking data stolen during attacks done before the takedown\r\noperation.\r\nLockBit was the most prolific ransomware group in the world before it had its website seized as part of the\r\ninternational law enforcement operation led by the U.K.’s National Crime Agency (NCA), the FBI and Europol.\r\nThe gang tried to revive its floundering operation two weeks ago with a new website, and began to post dozens of\r\nvictims.\r\nRansomware expert Allan Liska said completely shutting down LockBit was always going to be difficult due to\r\nthe large number of affiliates the gang had at its disposal. The NCA said it identified 187 affiliates, but Liska said\r\nthere are likely more.\r\nDespite the continued posting from LockBit, Liska said the takedown does appear to have slowed down the group\r\n— at least for now.\r\n“There are still attacks happening but — so far — there are a lot fewer,” he said.\r\n“But, I also think we need to treat these new attack claims with skepticism (as with anything LockBit claims).\r\nMany, if not most, of the ‘new’ attacks posted by LockBit are recycled from before the [takedown]. [The gang’s\r\nleader] LockBitSupp is trying to save face here, but appears to be doing so, at least in part, by pretending old\r\nattacks are new.”\r\nhttps://therecord.media/lockbit-ransomware-takes-credit-for-south-african-pension-fund-attack\r\nPage 2 of 3\n\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/lockbit-ransomware-takes-credit-for-south-african-pension-fund-attack\r\nhttps://therecord.media/lockbit-ransomware-takes-credit-for-south-african-pension-fund-attack\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/lockbit-ransomware-takes-credit-for-south-african-pension-fund-attack"
	],
	"report_names": [
		"lockbit-ransomware-takes-credit-for-south-african-pension-fund-attack"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a508835b8c53da24bebf854db5f333453ec733d0.pdf",
		"text": "https://archive.orkl.eu/a508835b8c53da24bebf854db5f333453ec733d0.txt",
		"img": "https://archive.orkl.eu/a508835b8c53da24bebf854db5f333453ec733d0.jpg"
	}
}