Why ransomware is here to stay

Protecting against the ransomware epidemic has gone beyond protecting against that risky click.
By Tamsin Mackay
Johannesburg, 08 May 2025
Shayimamba Conco, cyber security expert at Check Point.

Ransomware attacks rebounded in 2024 after law enforcement took down LockBit and Noberus, two of the most prolific ransomware syndicates. The former was said to have been responsible for around 25% of all victims listed on ransomware leak sites in 2023. In February 2025, the Cybersecurity and Infrastructure Security Agency and the FBI issued urgent warnings about the Ghost ransomware operation, which was carrying out attacks across multiple industry verticals in more than 70 countries. Instead of using phishing tactics, Ghost operatives exploit security vulnerabilities that haven’t been patched.

Conversations around how to prevent, mitigate and defend against ransomware never seem to end. Training, security systems, and expensive managed security services are all designed to prevent that click that introduces the risk. But what more can be done to improve security beyond these parameters?

The importance of simulation

Close to 70% of small to medium enterprises in South Africa were compromised in the last calendar year, according to Sophos’ ‘State of Ransomware 2024’ report. The company’s regional SADC head, Pieter Nel, says: “And every single time, customers ask how this is possible when they’ve invested in firewalls and endpoints and solutions that offer 99.98% protection. The problem is people. The number one entry point from all attacks today is not brute force; it’s a user doing something they shouldn’t.”

The incident response plan: Andile Solutions

What should a business be doing to protect itself against threats? And what happens when systems are compromised? Neil Retief, CIO at Andile Solutions, lays out what his company is doing to manage the risks. “Everybody in the company thinks security, no matter what their role or job title, all the way up to the CEO,” he says. The company has also invested in security tools and solutions, has implemented network segregation, and has a “decent” backup policy. The more practice a company has at building and running an incident response simulation, the better it gets at responding, he adds. He prioritises training, and makes sure the company has the right security tools. It also has third-party support, from BlueVision ITM.

“We also have an annual response plan cycle where we re-look at the incident response plan to ensure it aligns with the risks that have been identified as a business,” he says. “It’s essential to continuously focus on this and to have executive buy-in. It’s never going to get easier, but continuous effort ensures our security measures will make a difference.” 

It sounds trite, but the culture of the organisation also goes a long way towards how secure it is. The more security is upheld from the top of the organisation, the more likely it is for people to think about security in their daily work habits. Ivan Burke, head of research, development, and innovation, BlueVision ITM, says: “You have to make sure best practices are actually being applied within the business and have regular cybersecurity incident response simulations – both tabletop exercises and technical approaches – to determine where the business can improve.”

Richard Frost, head of consulting at Armata Cyber Security, says companies should have policies that guide employees around what can or cannot be done, as well as explanations into the reasons why. “Just be aware. Make everyone aware. And try not to overload employees who are already drowning under training, rules, regulations and deadlines. People make mistakes when they’re tired and overwhelmed.”

Shayimamba Conco, cybersecurity evangelist, Check Point Software Technologies, suggests some practical measures companies can put in place to reduce the risk of ransomware. “Implement access controls such as artifact authentication, and always patch and update your systems because the majority of successful attacks have used an exploit in an outdated system. Also, enforce your network segmentation, which is often overlooked when it comes to environment architectures.”

The last involves isolating systems such as domain controllers, file servers and Active Directory, to limit the spread of ransomware. A segmented network can limit lateral movement, buying time for security teams to minimise the damage.
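As an added illustration (not from the article or any vendor named in it), the small Python model below shows how a segmentation policy shrinks the set of hosts an intruder holding one workstation could hop to. The inventory, segment names and allow rules are constructed assumptions, and ports and protocols are abstracted to segment-to-segment flows.

```python
from collections import deque

# Constructed sample inventory: host name -> network segment (hypothetical).
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "fs-01": "file-servers", "dc-01": "domain-controllers",
    "app-01": "apps", "bak-01": "backups",
}

# Flat network: every segment may initiate connections to every other segment.
SEGMENTS = set(HOSTS.values())
FLAT_POLICY = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}

# Assumed segmented policy: workstations may reach file shares and apps;
# nothing may initiate sessions into the domain-controller or backup
# segments from the segments listed here (an admin jump segment would
# normally be added for management, but is left out of this toy model).
SEGMENTED_POLICY = {
    ("workstations", "file-servers"),
    ("workstations", "apps"),
}


def reachable(start, policy):
    """Hosts an intruder on `start` could hop to over permitted flows.

    Breadth-first search over hosts: a hop is allowed when the policy
    permits source-segment -> destination-segment, or when both hosts
    share a segment (intra-segment traffic is assumed unfiltered).
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, seg in HOSTS.items():
            if host in seen:
                continue
            if HOSTS[cur] == seg or (HOSTS[cur], seg) in policy:
                seen.add(host)
                queue.append(host)
    return seen - {start}


def blast_radius(start, policy):
    """Number of other hosts exposed if `start` is compromised."""
    return len(reachable(start, policy))
```

Running `blast_radius("ws-01", FLAT_POLICY)` against `blast_radius("ws-01", SEGMENTED_POLICY)` gives the kind of before/after figure a security team can put in front of management when arguing for segmentation.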

False sense of security

Udhveer Sookraj, a data integration specialist at Insight Consulting, says a large percentage of South African businesses believe they’re prepared for ransomware. “It’s almost a non-concern. They believe they can just regenerate their data and recover it from a backup. The problem is you can’t easily do this and there’s loss of business and data continuity, corrupted data, and an encrypted system to deal with. Their data and business are damaged.”

Should companies then pay the ransom and be done with it? Globally, there’s some regulatory movement towards governments banning companies from paying ransoms. The UK government, for example, is considering preventing public sector bodies such as the NHS, schools and local councils from paying the criminals. Similar conversations are taking place in the EU, but other countries, including South Africa, remain silent, probably because bans would be difficult to enforce.

Aaron Thornton, chief services officer, Turrito, says ransoms are also paid in cryptocurrencies, and “until you can properly govern that entire form of economy, it’s almost impossible to enforce the application of a law that says it’s illegal to pay ransomware.” Conco, from Check Point, says he’s seen several cases in which companies have paid the ransom but couldn’t recover their data. “They can’t approach anyone to get a refund, they’ve lost the ransom and their data,” he says. “And if you don’t pay, you can be stung. It’s like a triple extortion. They encrypt your files, demand a ransom and then, if you don’t pay, they exfiltrate your data. There are no guarantees.”

Nel, from Sophos, says the problem is that when it comes time to pay, the business has already been compromised and the data lost, but, ultimately, payment comes down to the business value of the data. “The cost of ransomware payments has almost tripled in the past year. It’s a snowball effect; the more people pay, the more they’re funding sophisticated attacks, the more effective the attacks, the more they’re demanding as ransom.”

There’s no 30-day consumer protection act on payments. No way of cancelling a transaction because they didn’t keep their half of the deal. The money and the data are both gone. And the empty files and locked systems are all that’s left behind. That is the true spectre of ransomware.

* Article first published on brainstorm.itweb.co.za