Editor's Note
Over the past four issues we have covered what POPIA requires, how attackers exploit your staff, the new obligations on financial services businesses, and why your IT provider is not your security provider. Each of those issues pointed toward a gap. This issue is about what falls through that gap.

Ransomware is not an abstract threat. It is a business-stopping, data-destroying, reputation-ending event that is happening to South African organisations with increasing frequency and at rapidly escalating cost. Here is what you need to understand.

RANSOMWARE IS COMING FOR SOUTH AFRICAN BUSINESSES

The Numbers Have Changed

South Africa is the most targeted country in Africa for ransomware attacks, accounting for 40% of the continent's incidents. The median ransom demand reached R17 million in 2025, with recovery costs averaging R24 million.

To be clear about what recovery costs mean: that figure is not the ransom alone. It includes the cost of restoring systems, rebuilding data, managing legal and regulatory exposure, communicating with affected clients, and the operational impact of days or weeks of downtime. Sixty percent of attacks on South African companies resulted in data being encrypted, higher than the 50% global average.

South African organisations were attacked 2,145 times per week on average in January 2026, a 36% increase year-on-year. The trajectory is not improving.

Why SMEs Are in the Crosshairs

The popular assumption is that ransomware groups target large organisations with deep pockets. That was once roughly true. It is no longer the primary model. Attackers increasingly view SMEs as low-hanging fruit due to weaker cybersecurity defences, outdated systems, and inconsistent patching practices. Smaller businesses are attacked at volume, many simultaneously, precisely because the defences are lower and the effort per successful attack is less.

Twenty-two percent of ransomware attacks in South Africa were triggered by malicious emails. Fifty-eight percent of South African organisations cited lack of expertise as the main operational root cause, and fifty-three percent said unknown weaknesses in their defences played a role in ransomware exposure.

Those three statistics point to the same place: most South African SMEs do not know what vulnerabilities exist in their environment until something goes wrong. By then, the attacker has already been inside.

What Ransomware Actually Does to a Business

The moment ransomware executes, the clock starts. Files are encrypted across every connected device and server it can reach. Backups stored on the same network are typically encrypted too. The business cannot access its own data. Operations stop. Client-facing systems go down. In manufacturing or professional services, that means the business is not trading.

The attacker then demands payment in exchange for a decryption key. Paying does not guarantee recovery. While 90% of South African organisations that had data encrypted were able to recover it, and 71% of those that paid the ransom received working decryption keys, the median payment still rose nearly threefold from R2.7 million to R8 million.

Under POPIA, a ransomware incident that results in the encryption or exposure of personal information is a reportable breach. The clock on notifying the Information Regulator and affected data subjects starts immediately. Most businesses hit by ransomware are trying to restore operations while simultaneously managing a regulatory notification obligation, with no prior plan for either.

The Protection Gap

There is a significant difference between having antivirus software and having endpoint protection. Antivirus is signature-based, it looks for known threats by matching against a database of previously identified malware. Ransomware variants are updated constantly specifically to evade signature-based detection.

Effective endpoint protection operates differently. It monitors behaviour, how processes interact with files, what network connections are being made, whether a process is attempting to encrypt files at unusual speed, and responds autonomously when it detects suspicious activity. Modern endpoint protection can isolate a device from the network within seconds of detecting ransomware behaviour, limiting how far the encryption spreads. It can also roll back encrypted files to a clean state using protected snapshots, meaning recovery takes hours rather than weeks.

The other critical gap is patching. Unknown weaknesses in defences played a role in 53% of South African ransomware incidents. Most of those weaknesses were not unknown, they were unpatched vulnerabilities that had been publicly documented, with fixes available, but never applied. A vulnerability management programme that keeps patch status current and flags unpatched critical vulnerabilities is not optional infrastructure. It is baseline protection.

The Bottom Line

The best ransomware attack is the one that did not happen because the attacker could not get in. That outcome requires two things working together: endpoint protection that detects and responds to ransomware behaviour autonomously, and a vulnerability management programme that closes the doors attackers typically use to get in. Neither is expensive relative to the cost of recovery. Both are significantly more manageable than the alternative.

Aigeus Cyber Briefing

Keep Reading