Ransomware in South Africa: Response & Protection Guide 2026
The largest problem regarding ransomware in South Africa is that a majority of organisations have taken little or no steps to be proactive against these attacks.

When this article was first published in 2023, ransomware in South Africa was still framed around a handful of landmark incidents such as the Transnet port attack. In 2026, it is a permanent feature of the threat landscape. Confirmed ransomware attacks on South African organisations rose by 140% in the first half of 2026, and Check Point recorded local organisations being attacked an average of 2,145 times per week, up 36% year on year.

The economics have changed too. According to Sophos’s State of Ransomware in South Africa report, the median ransom demanded of South African companies jumped nearly sixfold to around R17 million, with average recovery costs of roughly R23 million, excluding any ransom paid. Sixty percent of local attacks resulted in data being encrypted, well above the 50% global average, and only half of affected companies recovered within a week.

This guide covers what has changed, how to protect your organisation, and exactly what to do in the first hours of an attack.

Ransomware in 2026: A Criminal Franchise, Not a Lone Hacker

Ransomware has matured into an industry. Ransomware-as-a-Service (RaaS) operations such as Qilin, Akira and newer entrants like The Gentlemen license their malware to affiliates, provide the infrastructure and negotiation playbooks, and take a cut of the proceeds. An affiliate no longer needs deep technical skill. A convincing phishing email, which generative AI now produces in seconds, is often enough.

South Africa is squarely in the crosshairs. In March 2026 alone, the new XP95 group breached three government entities: the Gauteng Provincial Government (3.8TB of personal data stolen and offered for sale on the dark web), the Gauteng City Region Academy (147GB), and Statistics South Africa, where 154GB comprising more than 453,000 files was exfiltrated from an HR database, with a R1.7 million ransom demanded. In January 2026, the Land Bank refused a $3.1 million demand. May 2026 brought a large-scale extortion campaign against South African web hosts and telecoms providers.

The lesson from these incidents is uncomfortable: most victims were not taken down by sophisticated state-sponsored operations. They were compromised by relatively small groups exploiting unpatched systems, exposed services, stolen credentials and inconsistent cyber hygiene.

The Double Extortion Model

Modern ransomware attacks profit twice. First, the attackers encrypt your systems and demand payment for the decryption keys. Second, before encrypting anything, they quietly exfiltrate your data, then threaten to leak or sell it if you refuse to pay. Even organisations with perfect backups face the second threat, which is why prevention and early detection now matter more than recovery alone.

Increasingly, attackers also skip encryption entirely and move straight to data theft and extortion, or return weeks after an initial breach because the first incident response focused on restoring systems rather than removing the attacker. Persistent access, stolen credentials and poor log visibility let threat actors walk straight back in.

How Attacks Begin

The entry points have barely changed, which is precisely the problem:

  • Phishing emails carrying infected attachments or credential-harvesting links, now written flawlessly by AI
  • Stolen or leaked credentials, often purchased on dark web markets after unrelated breaches
  • Unpatched, internet-facing systems including VPNs, remote desktop services and legacy public portals
  • Compromised suppliers and third parties with trusted access to your environment

Sophos found that 58% of breached South African organisations cited a lack of in-house expertise as the root cause, and 53% pointed to a security weakness they did not know they had.

Protecting Your Organisation: The 2026 Baseline

  1. Maintain offline, immutable backups and test restoring from them. A backup you have never restored is a hope, not a plan. Follow the 3-2-1 rule: three copies, two media types, one off-site and offline.
  2. Patch aggressively, prioritising internet-facing systems, VPNs and anything running legacy software.
  3. Enforce multi-factor authentication everywhere, especially on email, VPNs, remote access and administrator accounts.
  4. Apply least privilege. Attackers cannot encrypt what a compromised account cannot reach. Segment networks so one infected workstation cannot take down the whole estate.
  5. Train your people continuously. Phishing remains the front door. Regular simulations and awareness training measurably reduce click rates.
  6. Monitor for early warning signs, including unusual logins, mass file access and data leaving the network. Dark web monitoring can flag stolen credentials before they are used against you.
  7. Test your defences through penetration testing and vulnerability assessments, so you find the weaknesses before an affiliate does.
  8. Have an incident response plan on paper, offline. If your plan lives on the network that just got encrypted, you do not have a plan.

Hit by Ransomware? The First 24 Hours

  1. Isolate, do not switch off. Disconnect affected machines from the network (unplug cables, disable Wi-Fi), but leave them powered on where possible. Memory contains forensic evidence that is destroyed on shutdown.
  2. Activate your incident response plan and establish out-of-band communications. Assume the attackers can read your email.
  3. Call in professional incident response and digital forensics support immediately. Determining how the attackers got in, what they took and whether they still have access is specialist work, and it decides whether you recover once or get hit again in two weeks.
  4. Preserve evidence. Ransom notes, logs, affected systems and any attacker communications are critical for the investigation, for insurance and for prosecution.
  5. Do not rush to pay. Payment does not guarantee decryption or deletion of stolen data, it marks you as a payer, and on average South African firms that negotiated still paid around 64% of the original demand. Take advice before engaging with attackers at all.
  6. Check for free decryptors. Initiatives such as No More Ransom hold working decryption tools for many older strains.
  7. Notify your insurer early. Cyber policies often require immediate notification and may mandate specific responders.

Your Legal Obligations in South Africa

A ransomware attack involving personal information is a data breach under POPIA. Section 22 requires you to notify the Information Regulator and affected data subjects as soon as reasonably possible after discovering the compromise. Stats SA’s public, no-ransom, regulator-first response in March 2026 is the template.

The Cybercrimes Act criminalises the underlying intrusion, so report the attack to the SAPS and obtain a case number. Businesses in regulated sectors may have additional obligations to notify their regulators. Concealing an incident is not only a compliance failure, it usually makes the eventual reputational damage far worse.

Recovery: The Part Nobody Budgets For

Only half of South African organisations recover within a week. A fifth need one to six months. Recovery means rebuilding from clean backups, rotating every credential in the environment, closing the original entry point, and monitoring intensively for the attacker’s return. It also means a forensic report that answers the questions your board, your insurer, the Information Regulator and possibly a court will ask: how did they get in, what did they access, and is it over?

How DaVinci Forensics & Cybersecurity Can Help

We work with South African organisations on both sides of the incident:

Before an attack: penetration testing and vulnerability assessments, phishing simulations and staff training, advanced backup and email security, dark web scanning for exposed credentials, and governance, risk and compliance support including POPIA readiness.

During and after an attack: digital forensics and incident investigation, evidence preservation for insurers, regulators and court, OSINT tracing of the actors and infrastructure behind the attack, and expert reporting to support recovery and prosecution.

Ransomware is no longer a question of if but when. The organisations that survive it are the ones that prepared before the ransom note appeared.

Contact DaVinci Forensics & Cybersecurity for a confidential consultation, whether you are building your defences or already under attack.

Home » Articles » Ransomware » Ransomware in South Africa: Response & Protection Guide 2026

FAQ: Ransomware in South Africa

How common are ransomware attacks in South Africa? Confirmed attacks rose 140% in the first half of 2026, and South African organisations face thousands of attempted attacks per week. Government, manufacturing, healthcare, education and financial services are all being actively targeted.

Should we pay the ransom? Payment is a last resort and often a mistake. It does not guarantee decryption or deletion of stolen data, and it funds further attacks. Several South African government entities, including Stats SA and the Land Bank, have publicly refused to pay. Take professional advice before making any decision.

Do we have to report a ransomware attack? If personal information was compromised, POPIA requires notification to the Information Regulator and affected individuals as soon as reasonably possible. The attack itself should also be reported to the SAPS under the Cybercrimes Act.

Can encrypted files be recovered without paying? Sometimes. Free decryptors exist for many older ransomware strains, and clean offline backups remain the most reliable recovery route. A forensic assessment will establish your options.

What does ransomware recovery cost in South Africa? Excluding any ransom, the average recovery bill for South African organisations is around R23 million, covering downtime, rebuilding, lost business and response costs. Prevention is a fraction of that figure.

LinkedIn
Facebook
Threads
X
Pinterest
Reddit
WhatsApp
Instagram
]