South Africa’s ransomware reckoning: six trends that demand urgent action

South Africa is under siege - not by tanks or drones, but by ransomware.

From hospitals to banking to government departments, cyberattacks are exposing just how fragile our digital infrastructure really is.

Unless we rethink resilience now, the next breach could disrupt far more than just data.

Cybercrime is no longer a rare disruption. It’s a persistent reality. Organisations today don’t ask if they’ll be attacked - they ask how often.

South Africa, alongside Kenya, ranks among the most targeted countries on the continent, with over 12,000 ransomware detections last year.

Industry and Government response

Recent industry reports show South Africa is the most targeted country in Africa for ransomware and infostealer attacks, accounting for 40% of the continent’s incidents. The median ransom demand has surged to R17 million in 2025, with recovery costs averaging R24 million. 

Government statements and the new Cybersecurity Bill highlight the urgency of strengthening defences, but attacks are evolving faster than policy. 

Sector-specific challenges and the impact of load shedding

The telecom sector faces a crisis, with 80% of firms hit by ransomware in the past year. Physical sabotage, such as cable cuts and battery theft, and SIM box fraud compound digital risks. 

Load shedding further weakens resilience, forcing organisations to switch access points and networks, often bypassing security controls and exposing systems to bad actors.

This operational reality means that cyber resilience strategies must account for both digital and physical vulnerabilities, ensuring backup power for critical systems and maintaining offline backups even during outages.

AI-Driven localisation and skills development

AI-driven solutions are increasingly being adopted to address these challenges.

Tools like MalFE, developed by South African researchers, streamline ransomware sample analysis and support machine learning-based detection.

AI can automate threat detection, filter noise, and accelerate response times - attack detection is 39% faster when AI is deployed.

However, over-reliance on AI can create cascading failures during outages, so hybrid strategies that combine automation with human oversight are essential.

Upskilling remains critical, as 67% of South African firms lack in-house AI expertise, making continuous training and education a priority.

Six trends shaping ransomware resilience

While government is finalising a new Cybersecurity Bill to strengthen defences, the threat is evolving faster than policy. Our latest global Veeam 2025 Ransomware Trends and Proactive Strategies report reveals six critical trends shaping the ransomware landscape - and why many organisations remain dangerously exposed.

1. Law enforcement crackdowns are reshaping the threat: Disruption of major groups like LockBit and BlackCat has splintered the ecosystem, giving rise to smaller, harder-to-trace operators. 
2. Data exfiltration is the new normal: Double extortion - encrypting data and threatening to leak it - is now standard practice, raising the stakes for victims. 
3. Ransom payments are dropping : Median demands fell 45% to $110,000 in Q4 2024, suggesting improved resilience - but also more aggressive attackers.
4. Legal risks are rising: Governments are restricting ransom payments, and international frameworks like the Counter Ransomware Initiative are increasing compliance pressure. 
5. IT-Security misalignment is a weak link: 52% of organisations report poor collaboration between IT and security teams, undermining response efforts. 
6. Budgets are up, but execution is lagging: While 95% of organisations increased security spend, implementation is not keeping pace with the threat. 

The leadership imperative: building radical resilience now

Recovery must be treated as a core security control. With 89% of attacks targeting backup repositories, the 3-2-1-1-0 rule - three copies of data, two media types, one off-site, one immutable, zero errors - remains essential. 

Organisations should use sandbox restores to prevent reinfection, enforce strong identity controls such as MFA and least-privilege access, and develop predefined ransom frameworks to avoid chaos during a crisis.

Expert support is invaluable; organisations using incident response specialists are 156% less likely to pay ransoms. Real-world playbooks with verified clean backups and containment steps are vital.

Ransomware is no longer just a technical issue - it’s a test of leadership. The true cost is measured in trust, stability, and lives disrupted.

South African organisations must act now to build radical resilience, leveraging AI, upskilling teams, and adapting to local challenges like load shedding - or risk becoming the next cautionary headline.

Brendan Widlake, Regional Director at Veeam Software South Africa. 

BUSINESS REPORT