👤 TRUSTBREAKER
🗓️ 16 Jan 2026   🗂️ Cyber Warfare     🌍 Africa

Railway in the Crosshairs: Qilin Ransomware Hits CFM Mozambique

Mozambique’s national rail operator becomes the latest victim in a wave of ransomware attacks shaking African infrastructure.

In the early hours of January 16, 2026, a shadowy cybercriminal group known as Qilin announced a new conquest: CFM Mozambique. The nation’s state-owned railway and port authority found itself thrust into the harsh spotlight of the global ransomware scene - its name splashed across the dark web as Qilin’s latest trophy. While details remain scarce, the attack sends a chilling message: Africa’s critical infrastructure is now a prized target for sophisticated cyber extortionists.

The digital heist was first flagged by ransomware.live, a watchdog that tracks cyber extortion campaigns. According to their listing, Qilin’s claim surfaced on the same day as the alleged attack. The group’s modus operandi typically involves infiltrating networks, encrypting crucial files, and threatening to leak stolen data unless a hefty ransom is paid.

CFM (Caminhos de Ferro de Moçambique) is no ordinary target. As the backbone of Mozambique’s transport system, its railways and ports are lifelines for regional trade and economic stability. An attack on such critical infrastructure isn’t just a digital inconvenience - it’s a threat to national security and commerce.

While the technical specifics of this breach remain under wraps, Qilin’s past operations suggest a sophisticated playbook. The group often exploits weak points in network security, using phishing, stolen credentials, or software vulnerabilities to gain a foothold. Once inside, they move laterally, seeking out sensitive data and system controls before deploying their ransomware payload.

What sets this incident apart is its geopolitical context. African institutions have historically reported fewer ransomware incidents than their Western counterparts, but that’s changing fast. As digital transformation accelerates across the continent, cybercriminals are following the data - and the money. CFM Mozambique’s breach is a stark reminder that no sector or region is immune.

The disclosure on ransomware.live comes with a caveat: the platform indexes only public claims and does not distribute stolen data. This transparency, however, is double-edged - alerting the world to the attack, but also potentially pressuring the victim to negotiate with criminals.

As CFM Mozambique grapples with the aftermath, the incident underscores a troubling reality: ransomware is now a global threat, indiscriminate and relentless. For African infrastructure operators, the message is clear - cybersecurity can no longer be an afterthought.

WIKICROOK

  • Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
  • Dark Web: The Dark Web is the hidden part of the Internet, accessible only with special software, where illegal activities often take place and anonymity is guaranteed.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.
  • Critical Infrastructure: Critical infrastructure includes key systems - like power, water, and healthcare - whose failure would seriously disrupt society or the economy.

TRUSTBREAKER
Zero-Trust Validation Specialist