On 23 June 2025, South African vehicle tracking company Netstar experienced a cybersecurity incident that encrypted some of its on-premises servers. Two months later, the INC Ransom group surfaced with bold claims about stolen data and leaked files. Here's what we know, what's been claimed, and what it means for customers and the broader cybersecurity landscape.
The Fast Facts
On 23 June, Netstar suffered a ransomware attack affecting a small subset of on-premises servers
INC Ransom group has claimed responsibility
The group alleges it stole 505 GB of data, including customer information
Netstar says it has found no evidence of data access or removal
The incident was reported to South Africa's Information Regulator in June
Netstar is investigating the leak site claims with third-party forensics
What INC Ransom Is Claiming
The ransomware group has made several assertions that remain unverified:
505 GB of stolen data: INC Ransom claims to have exfiltrated half a terabyte of information
Customer information included: The group alleges the stolen data contains private customer details
Public leak: They say they've posted the data on their restricted-access Tor leak site after Netstar refused to engage
Proof of visibility: Security researchers observed the leak page had around 399 views by midday on 21 August
Our analysis of available darknet data shows the listing exists on INC Ransom's leak site, with OSINT trackers confirming a "Netstar_South_Africa" entry discovered on 20 August 2025. However, the actual contents and legitimacy of any posted data remain unverified.
Netstar's Position
The company has maintained a consistent stance throughout the incident:
Only a small subset of on-premises servers were encrypted during the June attack
Core operations were restored following the incident
No evidence has been found that customer data was accessed or removed
The company reported the incident to regulators promptly and declined to engage with the criminals
Third-party forensics experts are investigating the recent leak site claims
Customers will be notified if the investigation reveals any changes to these findings
Importantly, Netstar has not declared any data breach or confirmed that customer information was compromised.
Why Posted Data Doesn't Prove Everything
The cybersecurity community has learned that ransomware groups sometimes exaggerate their claims or post limited samples while claiming massive data theft. The existence of a leak site posting doesn't automatically validate all allegations about data volume or content.
What we can confirm is that the listing exists, has generated some visibility (as evidenced by the view counter), and appears on legitimate OSINT tracking platforms. However, validating the authenticity and scope of any posted content requires careful forensic analysis.
For Netstar Customers: Practical Steps
While Netstar maintains that no customer data has been compromised, it's always wise to practice good cybersecurity hygiene:
Immediate Actions:
Rotate any passwords that might be reused across multiple accounts
Enable multi-factor authentication on all important accounts
Be extra vigilant about phishing emails, especially those appearing to come from Netstar or Altron
Ongoing Monitoring:
Watch for unusual account activity across your financial and online accounts
Consider credit monitoring services if you're particularly concerned about identity theft
Stay tuned to official communications from Netstar for any updates
The Regulatory Angle
Under South Africa's Protection of Personal Information Act (POPIA), organizations must report data breaches to the Information Regulator when there's a reasonable belief that personal information has been accessed or acquired unlawfully. Netstar's proactive reporting in June demonstrates compliance with these requirements.
If forensic analysis later confirms that personal information was indeed compromised and poses a real risk to data subjects, additional notification obligations may come into play.
Questions Still to Answer
Several key questions remain open as investigations continue:
Will forensic analysis verify any of the posted data as genuine Netstar content?
What specific data categories, if any, were actually affected?
How will the Information Regulator respond if data exposure is confirmed?
What additional security measures will Netstar implement following this incident?
Who Is INC Ransom and Why Should You Care?
INC Ransom isn't just another cybercriminal group. Since 2023, they've perfected a brutal business model: break in, steal everything, encrypt your systems, then demand payment twice. Once for your files back, and again to keep your data private.
The numbers tell the story. They can lock down entire companies in under 24 hours. They've hit 165+ organizations worldwide, from hospitals to government agencies. Recovery costs average $1.8 million before you even consider paying the ransom.
But here's what makes them particularly dangerous for South African businesses: they've made us their primary African target. After attacking South African Airways in May 2025, they're clearly testing our defenses. With 78% of SA companies already hit by ransomware in 2023, we're not just on their radar, we're in their crosshairs.
Most attacks start simple. A believable phishing email lands in your inbox. One click from an employee, and they're inside your network, spreading like wildfire through your systems.
The scary part? Security researchers believe INC Ransom has evolved, possibly rebranding as the Lynx ransomware group. Same tactics, same ruthlessness, potentially broader reach.
The Bottom Line
Cyber incidents are unfortunately common in today's threat landscape, and how organizations respond often matters more than the initial compromise. Netstar appears to have followed proper incident response protocols: containing the threat, engaging forensics experts, reporting to regulators, and maintaining transparent communication about their findings.
The claims from INC Ransom remain unsubstantiated pending independent verification. While the existence of a leak site listing is concerning, it doesn't necessarily validate the scope or authenticity of alleged stolen data.
For now, customers should remain alert but avoid panic. Netstar has committed to updating stakeholders if their investigation reveals any changes to their current assessment that customer data wasn't compromised.
As this situation develops, we'll continue monitoring for verified information rather than unsubstantiated claims from threat actors who have every incentive to exaggerate their capabilities and impact.
Sources
News24, ITWeb, MyBroadband, Ransomware.live, Trend Micro