
The ransomware evolution: Rise of EDR killers, AI-powered malware

By Christopher Tredger, Technology Portals editor, ITWeb
Johannesburg, 06 Feb 2026
Tony Anscombe, chief security evangelist at ESET.

The evolution of ransomware means that in 2026, African organisations can expect more targeted phishing attacks, the rise of endpoint detection and response (EDR) killers and AI-powered ransomware.

This is according to cyber security firm ESET’s H2 2025 Threat Report, based on telemetry from threat data sourced in January 2026.

Phishing remains an effective and popular threat vector, and cyber criminals identify SA as a fertile market.

According to the report, 32.5% of cyber attacks targeting Africa were phishing related, while in SA, the statistic is 45.7%.

Allan Juma, lead cyber security engineer at ESET, said: “Traditionally, South Africa is seen as a big economy and slightly more advanced than the rest of Africa… it’s a bigger and more beneficial payday for scammers, so they will go where there is the highest possibility of returns.”

The data available on dedicated data leak sites – often used by ransomware groups to publish data stolen from individuals who refused to pay ransoms – is increasing, notes the research.

Juma cited data from threat intelligence service ecrime.ch, which showed that in 2025, data from 7 826 ransomware attacks were published. That number surpassed 2024’s total by over 2 600, a 50% increase.

“It’s important to note that dedicated leak sites offer a biased picture of reality; they only name victims who refused to pay a ransom.”

Often linked to ransomware attacks is the threat posed by EDR killers, malicious tools designed to disable and bypass endpoint detection.

“Usually, whenever you see the presence of an EDR killer in your environment, it is an indication that there is a more severe attack coming, most likely a ransomware deployment,” Juma added.

The report states that the rising popularity of EDR killers highlights that endpoint detection and response tools remain a significant obstacle for ransomware operators.

This also means EDR killers are likely to stick around for 2026.

On the subject of AI, ESET identified PromptLock in the second half of 2025 as the first known example of AI-powered ransomware.

Tony Anscombe, chief security evangelist at ESET, said the cross-platform malware leverages AI to generate malicious scripts on the fly, which it then executes.

“PromptLock instructs the LLM to create the script based on the feedback that it's gaining from the device,” he added.

“This is interesting, because the AI is actually used during the attack and that’s the first time we’ve seen that.”
