A ransomware attack was stopped early at Constantia Pharmacy in Cape Town after cybersecurity forensic investigator Bruce Malaudzi spotted an infected, internet-exposed server and raced to warn the business, reports Cape {town} Etc.
Malaudzi found the system while threat hunting on the device search engine Shodan and noticed file names changing as encryption ran. ‘Part of my job is threat hunting,’ he told MyBroadband.
He traced invoice files and database names to Constantia Pharmacy and found Windows file sharing enabled on root drives with no root password.
The server showed signs of exploitation of a five-year-old SMB vulnerability, CVE-2020-0796.
The attackers used the Want_to_cry ransomware, which appends ‘.want_to_cry’ to files and drops a ransom note demanding payment. Security researchers say the group exploits exposed SMB services and weak credentials to spread.
Around 78% of South African businesses reported at least one cybersecurity incident in the last year, according to cybersecurity research on national attack trends (LinkedIn).
Malaudzi emailed MyBroadband at 04:00 on 3 January 2026 and the journalist team contacted the pharmacy and ProPharm, the supplier of RxWin, which moved quickly to protect customer data. The pharmacy was founded in 1968 and the daughter of the owner helped co-ordinate the response.
Experts advise businesses to close public SMB ports, patch systems and enforce strong passwords to avoid similar attacks.
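The file-name changes Malaudzi noticed, files gaining the ‘.want_to_cry’ extension in quick succession, are something a defender can alert on. The sketch below is an added example, not code from the article or from anyone named in it; the pipe-delimited rename-log format, the host names, the paths and the threshold values are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

RANSOM_EXT = ".want_to_cry"  # extension named in the article

# Constructed sample (hypothetical format): timestamp|host|old_path|new_path
SAMPLE_EVENTS = r"""
2025-06-01T03:40:01|SRV01|D:\inv\0001.pdf|D:\inv\0001.pdf.want_to_cry
2025-06-01T03:40:03|SRV01|D:\inv\0002.pdf|D:\inv\0002.pdf.want_to_cry
2025-06-01T03:40:04|WS02|C:\docs\a.txt|C:\docs\b.txt
2025-06-01T03:40:06|SRV01|D:\inv\0003.pdf|D:\inv\0003.pdf.want_to_cry
2025-06-01T03:40:09|SRV01|D:\db\stock.bak|D:\db\stock.bak.want_to_cry
2025-06-01T03:40:12|SRV01|D:\db\stock.mdf|D:\db\stock.mdf.want_to_cry
2025-06-01T03:55:00|WS02|C:\docs\c.txt|C:\docs\c.txt.want_to_cry
"""

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: time of first alert} for hosts where at least
    `threshold` files gained RANSOM_EXT within `window`.
    Assumes the events arrive in chronological order."""
    recent = {}   # host -> timestamps of recent ransom-style renames
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, host, old, new = line.split("|")
        ts = datetime.fromisoformat(ts_text)
        # Count only renames that newly append the extension.
        gained = new.lower().endswith(RANSOM_EXT)
        already = old.lower().endswith(RANSOM_EXT)
        if not gained or already:
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        # Drop events that fell out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {host}: burst of {RANSOM_EXT} renames at {when}")
```

A single renamed file stays below the threshold, so the alert fires on the encryption burst rather than on one stray file; the threshold and window need tuning to the file server's normal rename volume.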
Picture: Shahadat Rahman / Unsplash





