A new cybersecurity report from Sophos has revealed a sharp rise in the number of South African organisations paying ransoms to cybercriminals.
A new cybersecurity report from Sophos has revealed a sharp rise in the number of South African organisations paying ransoms to cybercriminals, with average recovery costs now at R24 million. The State of Ransomware in South Africa 2025 report is based on responses from 154 local businesses that were hit by ransomware in the last year.
Compromised credentials were the most common technical root cause, starting 34% of ransomware attacks on South African organisations. Exploited vulnerabilities were the entry point in 28% of attacks, and malicious emails in 22%.
A lack of expertise was the most common operational root cause, cited by 58% of South African respondents, followed by a lack of protection, cited by 55% of organisations. 53% said that a weakness in their defences that they were not aware of was a factor in their organisation falling victim to ransomware.
The report shows that 71% of organisations paid the ransom to recover their encrypted data - a dramatic increase from just 43% in 2024. Meanwhile, fewer businesses are using backups to recover, with that number dropping from 72% to just 35% in the past year.
According to Pieter Nel, Country Manager for Sophos South Africa, this is a worrying shift. “The fact that more South African organisations are choosing to pay ransoms - while relying less on backups - shows that many are not adequately prepared for cyberattacks. It’s critical that we change this trajectory by investing in stronger defences and better recovery planning.”
The report also found that the median ransom demand is now R18m, up from R2.8m last year. The median ransom paid rose to R8.3m, nearly three times more than in 2024.
Meanwhile, South African organisations are getting faster at recovering from a ransomware attack, with 47% fully recovered within a week, an increase from the 41% reported last year. Some 19% took between one and six months to recover, a drop from last year's 26%.
On top of the financial damage, the human impact was also significant. Among organisations where data was encrypted, 76% of IT teams felt increased pressure from leadership, 47% reported higher levels of anxiety and stress, and 42% experienced a sustained increase in workload.
Sophos is encouraging all businesses, large or small, to strengthen their cyber resilience by using strong passwords and enabling multi-factor authentication, keeping systems up to date and patched, making regular backups and testing recovery plans, and educating employees about common scams. It also recommends considering professional cybersecurity support such as Managed Detection and Response (MDR) services.
“Ransomware doesn’t only target big corporations - it affects schools, small businesses, and even healthcare providers,” says Nel. “It’s more important than ever that all South Africans, whether consumers or business owners, take cybersecurity seriously.”
BUSINESS REPORT