
No let-up in ransomware attacks on South Africa

By Christopher Tredger, Portals editor
Johannesburg, 26 May 2023
John Shier, Field CTO, Sophos.

South Africa remains a hot target for cyber criminals, with 78% of organisations hit by ransomware in the past year, according to a report released by IT security company Sophos.

‘The State of Ransomware in South Africa 2023’ report is based on a survey of 200 IT professionals in mid-sized organisations in South Africa between January and March 2023.

The percentage of organisations targeted is higher than last year’s figure of 51%. Globally, 66% of respondents said their organisation had experienced a ransomware attack in the last twelve months.

Exploitation of vulnerabilities was identified as the most common root cause of attack for South African organisations, used in 49% of incidents. Compromised credentials were the second most frequent attack vector, used in 24% of attacks.

Moreover, 89% of attacks resulted in data being encrypted. This is higher than the global average of 76%, and a considerable increase from the 45% reported by South African respondents in last year’s survey.


Data was also stolen in 35% of attacks where data was encrypted, higher than the global average of 30%, while 100% of South African organisations whose data was encrypted got data back, slightly above the global average of 97%.

The survey found that 45% of those that had data encrypted in South Africa paid the ransom, slightly down from both last year’s rate of 49% and the 2023 global average of 47%.


Sophos believes ransomware will remain a serious threat for the foreseeable future, spurred on by the growth of the ransomware-as-a-service cyber crime business model. Under this model, operators develop software and sell it to affiliates, who then use it to launch attacks.

John Shier, Field CTO, Sophos, says: “The rate of ransomware attacks has levelled off this year and is expected to remain steady for the foreseeable future.”

He advises South African businesses to invest in security technologies that will not only make them more resilient to attack but also improve their ability to detect and remediate threats faster.

The company believes cyber security insurance can improve the security posture of an organisation.

“This is due to the increased requirements for obtaining a policy,” explains Shier. “Anything that improves the ability to detect, investigate and remediate a cyber attack should be seen as a net positive. However, this is offset by the fact that organisations with a standalone cyber insurance policy are 43% more likely to pay the ransom than organisations with no coverage. While there have been reported cases of cyber criminals using a cyber policy as leverage, it should not deter organisations from obtaining one as it can help with recovery costs.”

Sophos advises businesses to strengthen their defensive shields with:

  • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and zero trust network access (ZTNA) to thwart the abuse of compromised credentials.
  • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond.
  • 24/7 threat detection, investigation, and response, whether delivered in-house or in partnership with a specialist managed detection and response (MDR) service provider.

It also emphasises the need to maintain good security hygiene, including timely patching and regularly reviewing security tool configurations.

Highlights: The State of Ransomware in South Africa 2023

  • 24% of South African organisations that had data encrypted used multiple recovery methods in parallel.
  • Two South African respondents whose organisation paid the ransom shared the exact amount. One of these respondents reported paying US$5-million or more.
  • Excluding any ransom payments, the average (mean) bill incurred by South African organisations to recover from a ransomware attack was reported at US$0.75-million, including costs of downtime, people time, device cost, network cost, lost opportunity, et cetera. This is considerably less than the global average cost of US$1.82-million.
  • 82% of private sector South African organisations hit by ransomware said the attack caused them to lose business/revenue, slightly lower than the global average of 84%.
  • 53% of South African organisations took up to a week to recover from the attack; 29% took up to a month, while 19% took between one and six months.
  • 98% of South African organisations say they have some form of cyber insurance, with 47% having a standalone cyber policy and 51% having cyber as part of a wider business policy. By comparison, globally, 91% have cyber coverage, with 47% having a standalone policy and 43% a wider business policy that covers cyber.
  • 98% of South African respondents whose organisation had purchased cyber insurance in the last year said the quality of their defences had a direct impact on their insurance position; 66% said it impacted their ability to get coverage.
  • 61% said it impacted the cost of their coverage (the premium).
  • 19% said it impacted the terms of their policy, for example the total amount of coverage or sub-limits.