Ports Halted by Ransomware
On July 22, 2021, the container terminals at Durban, Cape Town, and Ngqura went silent. A ransomware attack had frozen the operational technology behind roughly 60% of South Africa's containerised trade, forcing staff back to pen and paper just as civil unrest, a week prior, had already stripped the country of 40,000 tons of cold-storage capacity. What followed was six days of manual cargo tracking, refrigerated goods racing against spoilage, and a hard lesson in what happens when a cyberattack and a physical crisis collide at once.
“That day, the attack disrupted operational technology that was essential for port logistics. This resulted in a complete halt of container movements across major terminals, including those in Durban, Cape Town, and Ngqura. The organization was forced to declare force majeure because the automated operational systems were no longer usable.
With digital systems unavailable, business continuity plans had to be activated. Staff attempted to switch to manual, paper-based processes for vessel tracking, cargo release, and truck access. At Durban Container Terminal, which handles around 60% of South Africa’s containerised trade, the high cargo volumes made manual processing exceptionally challenging.
“Staff attempted to switch to manual, paper-based processes for vessel tracking, cargo release, and truck access.”
The damage was substantial. All container-handling systems froze, bringing cargo movement and vessel operations to a standstill. Severe backlogs and bottlenecks quickly developed, especially at the Port of Durban. Manual processing significantly increased turnaround times, resulting in operational strain on frontline employees.
Refrigerated cargo was particularly vulnerable. The ports faced a shortage of reefer plug points during the backlog, placing cold-chain goods at risk. Port workers were under intense pressure as they attempted to sustain operations manually. Businesses reliant on imports and exports, such as agriculture, automotive, and mineral exporters, were affected, while the public experienced indirect impacts through delays in supply chains that influence food and industrial goods availability.
“Refrigerated cargo was particularly vulnerable. The ports faced a shortage of reefer plug points during the backlog, placing cold-chain goods at risk.”
The level of impact varied across stakeholder groups. Importers and exporters handling refrigerated goods faced high spoilage risks due to delays. Small and medium businesses had limited alternative logistics options. Agriculture and cold-chain sectors were doubly affected, particularly because civil unrest the week before had already damaged infrastructure and contributed to 40,000 tons of lost cold-storage capacity nationally. Truck drivers and port workers endured long waiting times under manual clearance procedures.
For operational staff, the most difficult aspect of the response was the loss of system visibility. With operational technology systems down, real-time scheduling and cargo data were unavailable, forcing staff to make decisions with incomplete information. This created operational confusion and contributed to fatigue on the ground.
“With operational technology systems down, real-time scheduling and cargo data were unavailable, forcing staff to make decisions with incomplete information.”
Recovery was slowed by several factors. The ransomware had encrypted core enterprise systems, requiring major rebuilding efforts, including restoration of identity services such as Active Directory. National security considerations also limited the amount of technical detail shared publicly, affecting coordination. Heavy reliance on integrated digital logistics systems meant that fallback paper-based methods were inherently slower. The timing was also unfortunate: civil unrest a week earlier had already disrupted transport routes, and some vessels had begun rerouting away from South African ports, increasing congestion risks.
After days of intensive recovery work, most computer systems were restored by 26 July, and operations across ports were declared fully restored by 28 July, roughly six days from the onset of the attack. However, cargo backlogs continued beyond this period, particularly for cold-chain goods.
The resilience lesson was to integrate cyber incident preparedness with physical crisis management. The combination of a major cyberattack and widespread civil unrest showed the need to plan for multi-hazard scenarios that can compound each other’s impacts.”
“The timing was also unfortunate: civil unrest a week earlier had already disrupted transport routes.”
Barend, South Africa