Ransomware continues to dominate headlines – and for good reason. The cost of these attacks is growing, both in terms of financial loss and operational disruption. In South Africa, organisations are feeling the full force of this threat, with new data from Sophos’ State of Ransomware in South Africa 2025 report showing an alarming increase in ransom payments, lower reliance on backups and a worrying trend towards post-incident panic rather than proactive defence.
In just one year, the median ransom demand in South Africa jumped from R2.8 million ($165 000) to R17.5 million ($1 million). Even more concerning is that 71% of local organisations hit by ransomware paid the ransom, compared to only 43% the year before. Yet, fewer companies are prepared to recover independently – just 35% used backups to recover encrypted data, down from 72% in 2024. This represents a fundamental shift in how companies are handling ransomware incidents, and not in a good way.
The operational impact is also intensifying. The average cost to recover from a ransomware attack – excluding the ransom – has risen to nearly R23 million ($1.31 million), and includes everything from lost productivity to downtime, device and network repair, and reputational damage.
So, what’s going wrong?
South African organisations still struggle with visibility and prevention. Compromised credentials were the leading technical cause of attacks (34%), followed by exploited vulnerabilities (28%). Operationally, a lack of internal expertise (58%) was the top reason given for falling victim. A further 53% said they were unaware of existing weaknesses until the attack happened.
The solution doesn’t lie in simply hiring more people. Instead, businesses must invest in smarter tools and external support like managed detection and response (MDR). This model gives organisations access to 24/7 monitoring and rapid response capabilities without needing to scale internal teams beyond what’s realistic.
Additionally, prevention must be front and centre. Cyber security frameworks need to include better access controls, strong credential management, regular vulnerability patching and well-tested backup strategies. Organisations also need to revisit incident response plans frequently – not after an attack, but before.
Ransomware isn’t going away. But by transitioning from a reactive to a proactive posture, South African organisations can mitigate the damage, reduce the likelihood of paying a ransom and recover faster and smarter.