Business Report

Land Bank declines to confirm R50m ransom claim as cyber investigation continues

CYBERSECURITY

Siphelele Dludla


The Land and Agricultural Development Bank of South Africa (Land Bank) has declined to confirm or deny reports that cybercriminals demanded a R50 million ransom following a cybersecurity breach last month, saying it will not comment on alleged ransom demands while investigations are ongoing.

This comes after the Land Bank reported a "temporary disruption affecting certain internal IT systems" that occurred on 12 January, after which it took the affected systems offline as a precautionary measure to protect its operations and information.

However, a source close to the situation has claimed that the bank’s IT systems were hacked and that the perpetrators allegedly demanded a R50m ransom. It remains unclear whether any ransom was paid.

In an emailed response to BR on Friday, the bank confirmed it experienced a cybersecurity incident caused by an unauthorised third party that deployed ransomware, which encrypted part of its server environment. However, it refused to engage on specific details relating to any possible ransom.

“As a matter of security and investigative protocol, the Bank does not comment on specific aspects of threat actor engagement, including any alleged ransom demands, while the forensic process is ongoing,” the bank said. 

While questions remain about whether a ransom was demanded — and if so, how much — the bank has made clear that it will not discuss such matters publicly while investigations are ongoing.

“Our focus remains on system recovery, protecting stakeholders, and supporting law enforcement efforts,” it said.

Sources also indicated that employee laptops were confiscated and new devices issued following the breach. The bank confirmed that employee devices were temporarily collected for comprehensive security scanning and cleansing as part of containment and remediation measures.

"This is a standard precautionary step in cyber incident response aimed at ensuring all endpoints are secure before being returned to service. These actions reflect our commitment to maintaining a resilient and secure technology environment," it said.

"Preliminary forensic findings indicate that the threat actors accessed a limited set of organisational data. At this stage, there is no indication that the Bank’s core banking systems have been affected nor any indication of unauthorised transactions, or impact on customer funds. However, the review process has not yet concluded." 

The matter has been reported to the police and all relevant regulatory authorities have been notified in accordance with legal requirements.

The bank said independent cybersecurity specialists, supported by leading IT service providers, have been tasked with identifying the root cause of the breach and implementing additional safeguards to strengthen the bank’s technology environment.

Cybersecurity experts said the pattern described is consistent with a potential ransomware attack and concurred that the bank followed the correct standard operating procedure after the attack.

Martin Potgieter, regional chief technology officer at Integrity360, said organisations must be prepared not only to defend against attacks but also to respond effectively when breaches occur.

"While the Land Bank may not have confirmed or denied ransomware, in situations like these it is very likely that it is a ransomware attack. With 90% of ransomware attacks the threat actors also steal a copy of the data to attempt extortion as a secondary means of monetising the attack," Potgieter said.

"In most cases threat actors will attempt to delete the victim's data backups, so that it is not easily possible to recover. For this reason it’s imperative that organisations maintain an immutable backup strategy." 

This is not the first time the Land Bank has faced a cyber threat. On Christmas Eve in 2010, hackers attempted to steal R150m after obtaining passwords with the alleged assistance of insiders. Suspicious transfers were detected by Absa, preventing the bulk of the theft. The Land Bank recovered all but about R400,000.

Belgium Campus iTversity researcher, Jacqui Muller, said when an organisation experiences a cyber security breach, the response must be immediate, structured and aligned with both technical best practice as well as regulatory requirements.

"The first priority is containment, which involves isolating affected systems, revoking compromised access, resetting credentials and preventing further spread within the network. Actions such as confiscating or replacing employee laptops are often part of forensic preservation and containment protocols, rather than an indication of the breach’s scale," she said.

"Following containment, an independent forensic investigation is essential to determine how the attack occurred, whether data was accessed or exfiltrated, and whether ransomware was deployed. This process must preserve evidence properly and inform both legal and regulatory obligations." 

Cybercrime has become a growing global threat, with estimated worldwide losses from cyber attacks reaching approximately $10.5 trillion annually. On average, experts estimate that hackers can remain undetected within an organisation’s systems for roughly 277 days before being discovered or launching an attack.

Christopher Thornhill, CEO of Phangela Group, a security company providing risk-based protection services across industries, including banking, echoed the need for a structured, end-to-end response.

"This includes conducting an independent post-incident assessment, mapping system and supply-chain exposure, tightening access controls, and implementing continuous monitoring to detect follow-on threats," Thornhill said.

"Equally important is reviewing governance and decision-making processes to ensure cyber risk is treated as an operational issue, not just an IT function." 
