In March 2026, a hacker group called XP95 posted on Telegram claiming it had taken 154GB of data from Statistics South Africa and wanted $100 000 to keep it quiet. Stats SA confirmed the breach, said it would not pay, and reported it to the Information Regulator. This was the third South African government entity hit that month. The Gauteng provincial government had already lost 3.8TB of data, which was then listed for sale on a dark web marketplace for over R400 000. The Gauteng City Region Academy had 147GB of data taken, with XP95 demanding the same $100 000 ransom. XP95 is a new hacker group that operates with an interface designed to mimic Windows 95 and Windows XP. By the standards of the ransomware world, it is relatively small. Stats SA, which produces the local data on which government and business rely, was not taken down by a sophisticated, state-sponsored actor running a years-long operation, but by a group that had barely announced itself.
According to the ‘Interpol Africa Cyberthreat Assessment Report 2025’, South Africa recorded the highest number of ransomware detections in Africa. Sophos’ ‘State of Ransomware 2025’ report found that the median ransom demand in South Africa was at R17mn last year, with recovery costs averaging R24mn. “There’s been a false sense of security based on the fact that we’re far away from Europe or the US,” says Allan Juma, cybersecurity specialist at ESET Southern Africa. “But global ransomware actors are already here, in South Africa, Uganda, Kenya, and they’re expanding their operations.”
Ransomware attacks are highly lucrative. Ransomware-as-a-Service (RaaS) platforms provide the tools, the infrastructure, and, in some cases, legal support to affiliates that carry out attacks and take a cut of the proceeds. Qilin, a Russia-linked group and one of the most active ransomware operators in 2025, offers affiliates up to 85% of ransom payments and recruits openly on hacking forums, advertising its technical advantages and generous revenue splits. The barrier to entry for RaaS is low. An affiliate doesn’t need deep technical skills; all that’s required is a convincing phishing email, something that GenAI now produces in seconds. The individual carrying out the attack does not build the ransomware. They license it, deploy it and collect their share. It’s a franchise model that’s quickly expanding. “They just need to perfect one act,” says Juma.
The model works because the targets are readymade, and in South Africa, the attack surface is growing. Ransomware groups don’t need to work hard to find a way into a business’s systems when basic cyber hygiene is inconsistent and security budgets are stretched. “It’s never a case of if, but more a case of when [the business will be attacked],” says Dale Hurwitz, founder and CEO of software firm Altitude Sync.
He says many SMEs remain in the dark about how they can protect themselves. They don’t know what they’re missing, and often, neither does their managed service provider. “Budget is often a large factor,” says Hurwitz. “Customer engagement and collaboration are also key. It’s not a set-and-forget solution.”
Most organisations know about the threat of ransomware because it’s been covered extensively in the media, at conferences and at business forums. But knowing and doing are different things. “The challenge is they are not taking the due diligence to ensure that the measures they have put in place are actually watertight,” says ESET’s Juma. Backups exist but are never tested; playbooks are written but never practised; and when an attack finally occurs, the plan that looked solid on paper falls apart. “People act out of fear, out of preservation. We throw each other under the bus, and the response is a puzzle; it’s not coordinated, it’s not structured,” he says. Juma compares ransomware preparedness to car insurance. You buy it not because you plan to crash, but because accidents will happen. The mistake is paying the premium and then neglecting the policy.
And what makes this harder is that the delivery mechanism is outpacing the attack itself. Once attackers get into a system, the technology standing in their way becomes far less of an obstacle. “We’ll see a whole lot more realistic-looking phishing emails and extremely convincing deepfake videos to try to lure individuals into a false sense of security.”
“Cybersecurity is no longer a solo effort,” says Sharon Knowles, CEO of Da Vinci Forensics. “The strongest defence comes from organisations that partner with the right experts and take proactive steps before an attack forces them to react.”
That means legal advisors involved from the moment an incident occurs, communications specialists protecting the organisation’s reputation and technical teams all working together from what many practitioners call an incident response war room.
“It’s never a case of if, but more a case of when. Businesses are under constant threat and the level of maturity of security awareness is evident based on the IT tools used.” – Dale Hurwitz, Altitude Sync
Organisations need to consider the question of ransomware payment, and this should be answered before an attack arrives, not during one. “That is a conversation that should be had beforehand,” says Juma, “so that when you get there, you can take decisions quickly, because time plays a huge role in getting your data back.”
In South Africa, under the PoPI Act, paying a ransom does not legally resolve a breach. Organisations remain responsible for the data compromise, regardless of what attackers promise. The Information Regulator has been clear that paying the ransom in exchange for your data does not fulfil the obligation to protect personal data. Ransom demands are made in cryptocurrency, and when the rand weakens, the ransom becomes unaffordable for many small and medium businesses before ethics are even considered. “Paying a ransom does not just resolve an incident,” says Knowles. “It helps fund the criminal groups and increases the likelihood that other South African organisations will be targeted next.”
What ransomware negotiations actually look like is also different to how many picture it. A ransom note names the group, the strain, the crypto address and the deadline. Communication happens through email or on dark web pages. “It isn’t really a negotiation,” Juma says. “It’s a set of demands.” If payment does not arrive, company data is posted online. And even if a payment is made, there is no guarantee. Once the data has been exfiltrated and encrypted, it can be leaked, even if a company has been able to restore its data from a backup. In some cases, decryption keys have failed even after payment has been made, leaving organisations with nothing recovered and out of pocket. “Now you’re caught in a difficult place,” says Juma. “You want to pay, but your data has been leaked. Why should you pay when the data is already out there?”
What defines a ransomware incident is not the fact that data has been encrypted, but the calculation between the ransom demand and what the downtime actually costs. “The critical moment always comes when someone is faced with a ransom demand,” says Hurwitz. He has been in situations where a client was hours away from making that call, and the difference, almost without exception, was having the right backups in place. “This is the most critical element of being able to recover,” he says. Immutable backups stored in a separate environment, with no permissions connecting them to the main network, and with good monitoring to detect a threat, can change the outcome. “An average product implemented well will almost always beat the best product implemented poorly,” says Hurwitz.
Cyber resilience, in practice, means keeping systems patched, testing backups regularly, having notification procedures in place before they are needed and building disaster recovery environments that can function independently when the power goes out.
“Organisations should not wait until a breach occurs before deciding how to respond,” says Knowles. “Having notification procedures and documentation prepared in advance makes it far easier to meet reporting requirements and communicate clearly with regulators and the affected individuals.” Most successful ransomware attacks are not technically sophisticated. They get in through misconfigurations and missing patches that careful, consistent maintenance would have caught. “At times it can be a very mundane, repetitive task,” says Juma, “but that’s part of the defence. Boring is good in cybersecurity.”
* Article first published on www.itweb.co.za