Wasteland.
▣ Breach SA-WEB-HOSTS 2026-05-20

SA Web Hosts and Telecoms: 'Black Matter' DDoS Extortion Campaign

South African web hosting providers and telecommunications companies are under sustained attack from a threat actor calling itself "Black Matter," which is flooding networks with distributed denial-of-service (DDoS) traffic and demanding cryptocurrency payments to stop. TechCentral editor Duncan McLeod confirmed the campaign is operating at a scale typically associated with major criminal syndicates or nation-state actors, with ransom demands of roughly R16,000 in Monero per victim.

What Happened

A coordinated extortion campaign is hitting South African internet infrastructure providers with large-volume DDoS attacks. The attackers, operating under the "Black Matter" moniker, have flooded victim networks with junk traffic for extended durations, degrading service for hosting customers and telecom subscribers. Affected companies have received emails demanding payment in Monero cryptocurrency to halt the floods.

Security researchers are skeptical that the group is the genuine "Black Matter" ransomware operation, which collapsed years ago. The reuse of the name is widely viewed as either misdirection or branding theatre by a new operator. Attack traffic is being sourced from infrastructure distributed globally, making single-point attribution difficult and consistent with a large, well-resourced botnet or booter service.

What Was Taken

No confirmed data exfiltration has been publicly attributed to the campaign at this stage. The primary impact reported is availability loss across hosting and telecom networks, affecting downstream customers reliant on those providers for connectivity and web services. However, McLeod cautioned that the DDoS activity may be cover for or a probe preceding data theft, warning that "there may be attempts to exfiltrate data going on." Defenders should treat the DDoS as a potential smokescreen rather than the full extent of intrusion activity.

Why It Matters

The economics of this campaign are the most alarming signal. McLeod estimates that mounting attacks of this scale costs the operators in the order of tens of thousands of US dollars per target, while the ransom demand of roughly R16,000 is trivially small by comparison. That gap suggests financial extortion is unlikely to be the real objective. Plausible alternatives include reconnaissance against South Africa's internet backbone, stress-testing defensive capacity ahead of a larger operation, or destabilisation for strategic rather than criminal purposes. For South African ISPs, hosters, and downstream enterprises, the campaign represents both an immediate service-availability threat and a potential precursor to deeper intrusions.

The Attack Technique

The campaign relies on distributed denial-of-service flooding sustained over long durations, with traffic sourced from servers worldwide. The geographic distribution of the attack infrastructure rules out simple upstream blackholing as a defence and is consistent with a large reflected or botnet-driven flood rather than a small-source amplification attack. Extortion is delivered out-of-band via email, with Monero requested specifically for its on-chain privacy properties, which complicate tracing and law enforcement follow-up. No exploit or initial access vector has been disclosed, and the public reporting does not yet confirm whether any intrusion beyond the volumetric layer has occurred.
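The brief's point that a globally distributed flood defeats source-based blocking at the upstream is something a NOC can check from its own flow records before choosing a response. The following script is an added example written for this brief, not code from the article or from any affected provider: it aggregates flows towards a victim address by source /24 and measures how much of the volume the busiest prefix carries. The victim address, the two constructed flood datasets (sources drawn from 100.64.0.0/10 so they point at no real network), the /24 grouping and the 50 % concentration threshold are all assumptions.

```python
"""Triage the source spread of a volumetric flood from flow records.

Added example for this brief, not code from the article or from any affected
provider. Flow records are constructed below; the /24 grouping, the 50 %
concentration threshold and the victim address are illustrative assumptions.
"""
from collections import Counter
from ipaddress import ip_network

VICTIM = "203.0.113.10"  # assumed victim address (documentation range)


def make_flood(num_sources, num_prefixes, dst=VICTIM, nbytes=1_400_000):
    """Constructed flood: num_sources senders spread over num_prefixes /24s.

    Sources are drawn from 100.64.0.0/10 (shared address space) purely so the
    sample never points at a real network."""
    return [
        (f"100.64.{i % num_prefixes}.{1 + i // num_prefixes}", dst, 443, "udp", nbytes)
        for i in range(num_sources)
    ]


# Constructed legitimate background traffic (small flows from one prefix).
BACKGROUND = [(f"198.51.100.{i}", VICTIM, 443, "tcp", 2_000) for i in range(1, 6)]

# Two constructed scenarios: a diffuse botnet-style flood and a concentrated one.
DIFFUSE_FLOOD = make_flood(num_sources=60, num_prefixes=30) + BACKGROUND
CONCENTRATED_FLOOD = make_flood(num_sources=40, num_prefixes=1) + BACKGROUND


def summarise_sources(flows, dst):
    """Aggregate flows towards dst by source /24 and report how concentrated they are."""
    bytes_by_prefix = Counter()
    sources = set()
    total = 0
    for src, flow_dst, _port, _proto, nbytes in flows:
        if flow_dst != dst:
            continue
        prefix = str(ip_network(f"{src}/24", strict=False))
        bytes_by_prefix[prefix] += nbytes
        sources.add(src)
        total += nbytes
    if total == 0:
        return {"total_bytes": 0, "unique_sources": 0, "unique_prefixes": 0,
                "top_prefix": None, "top_prefix_share": 0.0}
    top_prefix, top_bytes = bytes_by_prefix.most_common(1)[0]
    return {
        "total_bytes": total,
        "unique_sources": len(sources),
        "unique_prefixes": len(bytes_by_prefix),
        "top_prefix": top_prefix,
        "top_prefix_share": top_bytes / total,
    }


def recommend_mitigation(summary, concentration_threshold=0.5):
    """Pick a first response from the concentration of the flood.

    'source-filter': one /24 carries most of the volume, so an upstream ACL or
    flowspec rule against that prefix is viable. 'scrub': volume is spread over
    many prefixes (the pattern described in the brief), so source blocking will
    not help and traffic should be diverted to a scrubbing partner."""
    if summary["top_prefix_share"] >= concentration_threshold:
        return "source-filter"
    return "scrub"


if __name__ == "__main__":
    for name, flows in (("diffuse", DIFFUSE_FLOOD), ("concentrated", CONCENTRATED_FLOOD)):
        s = summarise_sources(flows, VICTIM)
        print(f"{name}: {s['unique_sources']} sources over {s['unique_prefixes']} /24s, "
              f"top prefix {s['top_prefix']} carries {s['top_prefix_share']:.1%} "
              f"-> {recommend_mitigation(s)}")
```

On the diffuse dataset the busiest /24 carries about 3 % of the volume, so the script recommends diversion to scrubbing; on the concentrated dataset one prefix carries almost everything and a targeted upstream filter is the cheaper first move. Real deployments would feed exported NetFlow or sFlow records into `summarise_sources` and tune the threshold to the capacity of their transit links.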

What Organizations Should Do

  1. Engage upstream transit providers and DDoS scrubbing partners immediately to confirm mitigation capacity and pre-stage traffic diversion playbooks.
  2. Review and rehearse incident response procedures specifically for sustained volumetric attacks, including customer communication templates and SLA exposure.
  3. Treat any DDoS event as potential cover for intrusion activity: elevate monitoring of authentication systems, egress traffic, and admin interfaces during and immediately after attacks.
  4. Refuse to pay ransom demands; the small dollar value and questionable group identity provide no assurance that payment will stop the attacks or that the actor is acting in good faith.
  5. Share indicators, source IP ranges, and extortion email artifacts with national CSIRTs, ISPACs, and industry information-sharing groups to support collective defence.
  6. Audit external attack surface for vulnerable services that could be leveraged in a follow-on intrusion, particularly remote access, management consoles, and customer-facing applications.
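Item 3 above asks defenders to treat the flood as possible cover and to watch authentication and egress more closely during and just after it. The script below is an added example for this brief, not code from the article or from any affected provider: it takes a recorded attack window, parses sshd-style authentication lines and per-interval egress samples, and flags successful logins from unexpected sources and egress intervals far above the quiet-time median inside that window. The attack window, the two-hour post-attack grace period, the known-admin source list, the 5x egress threshold and every log line are constructed assumptions.

```python
"""Correlate a DDoS window with authentication and egress logs.

Added example for this brief, not code from the article or from any affected
provider. The attack window, the log lines, the known-admin source list and the
5x egress threshold are all constructed assumptions.
"""
import re
import statistics
from datetime import datetime, timedelta

# Assumed: the DDoS was observed between these times; keep watching for 2 h after.
ATTACK_WINDOWS = [(datetime(2026, 5, 20, 14, 0), datetime(2026, 5, 20, 16, 30))]
POST_ATTACK_GRACE = timedelta(hours=2)

# Assumed baseline: source addresses from which admin logins are expected.
KNOWN_ADMIN_SOURCES = {"198.51.100.7"}

# Constructed sshd-style lines (documentation address ranges, no real hosts).
AUTH_LOG = """\
2026-05-20T13:05:12 sshd[2210]: Accepted publickey for ops from 198.51.100.7 port 51022
2026-05-20T14:20:41 sshd[2302]: Failed password for root from 192.0.2.44 port 40011
2026-05-20T14:21:03 sshd[2302]: Failed password for root from 192.0.2.44 port 40012
2026-05-20T14:23:58 sshd[2319]: Accepted password for admin from 192.0.2.44 port 40020
2026-05-20T17:40:09 sshd[2480]: Accepted publickey for ops from 198.51.100.7 port 51130
2026-05-20T19:10:00 sshd[2511]: Accepted password for backup from 192.0.2.91 port 43001
"""

# Constructed egress samples (bytes out per interval) for one management host.
EGRESS_LOG = """\
2026-05-20T13:00:00 egress host=mgmt01 bytes_out=120000
2026-05-20T13:30:00 egress host=mgmt01 bytes_out=135000
2026-05-20T14:00:00 egress host=mgmt01 bytes_out=118000
2026-05-20T15:00:00 egress host=mgmt01 bytes_out=2400000
2026-05-20T16:00:00 egress host=mgmt01 bytes_out=140000
2026-05-20T17:00:00 egress host=mgmt01 bytes_out=130000
2026-05-20T18:00:00 egress host=mgmt01 bytes_out=1900000
2026-05-20T20:00:00 egress host=mgmt01 bytes_out=125000
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
                     r"for (?P<user>\S+) from (?P<ip>\S+)")
EGRESS_RE = re.compile(r"^(?P<ts>\S+) egress host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)")


def in_scrutiny_window(ts, windows=ATTACK_WINDOWS, grace=POST_ATTACK_GRACE):
    """True during an attack window or within the grace period after it."""
    return any(start <= ts <= end + grace for start, end in windows)


def parse_auth(text):
    """Turn sshd-style lines into login events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "ip": m["ip"], "success": m["result"] == "Accepted"})
    return events


def parse_egress(text):
    """Turn egress sample lines into (timestamp, host, bytes) records."""
    samples = []
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if m:
            samples.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                            "bytes": int(m["bytes"])})
    return samples


def suspicious_logins(events, known_sources=KNOWN_ADMIN_SOURCES):
    """Successful logins from unexpected sources while the flood demands attention."""
    return [e for e in events
            if e["success"] and e["ip"] not in known_sources and in_scrutiny_window(e["ts"])]


def egress_spikes(samples, factor=5.0):
    """Egress intervals inside the scrutiny window above factor x the quiet-time median."""
    quiet = [s["bytes"] for s in samples if not in_scrutiny_window(s["ts"])]
    if not quiet:  # no baseline outside the window: nothing to compare against
        return []
    baseline = statistics.median(quiet)
    return [s for s in samples
            if in_scrutiny_window(s["ts"]) and s["bytes"] > factor * baseline]


def triage(auth_text=AUTH_LOG, egress_text=EGRESS_LOG):
    """Combine both signals; a login anomaly plus an egress spike is the smokescreen pattern."""
    logins = suspicious_logins(parse_auth(auth_text))
    spikes = egress_spikes(parse_egress(egress_text))
    return {"suspicious_logins": logins, "egress_spikes": spikes,
            "smokescreen_suspected": bool(logins and spikes)}


if __name__ == "__main__":
    result = triage()
    for e in result["suspicious_logins"]:
        print(f"login: {e['ts']} {e['user']} from {e['ip']}")
    for s in result["egress_spikes"]:
        print(f"egress: {s['ts']} {s['host']} {s['bytes']} bytes")
    print("smokescreen suspected:", result["smokescreen_suspected"])
```

On the constructed input the script flags the `admin` password login from 192.0.2.44 during the flood (preceded by failed root attempts from the same address) and two egress intervals roughly 15 to 20 times the quiet-time median, one of them inside the post-attack grace period; the login from 192.0.2.91 at 19:10 falls outside the window and is left for normal review. In production the window would come from the DDoS alert itself and the known-source list from the access-management baseline.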

Sources: Large-scale cyber extortion hits SA web hosts, telecom companies