Ransomware is a type of malicious software that makes a victim’s data, system or device inaccessible. It locks the target or encrypts it (converting text into an unreadable form) until the victim pays a ransom to the attacker.
It’s one of the most widespread and damaging forms of cyberattacks affecting organisations around the world. An Interpol report identified ransomware as one of the most widespread cyber threats across Africa in 2024. South Africa reported 12,281 detections and Egypt reported 17,849.
Despite global efforts to curb it, ransomware continues to thrive, driven by cybercriminals seeking quick financial gain. In its first-quarter 2025 report, global cybersecurity company Sophos revealed that 71% of the South African organisations hit by ransomware paid the ransom and recovered their data. But the full cost of a ransomware attack is difficult to quantify. It extends beyond the ransom payment to include revenue losses during the system downtime and potential reputational damage.
Cybercriminals often select organisations where service disruption can cause significant public or operational effects, increasing the pressure to pay the ransom. Power grids, healthcare systems, transport networks and financial systems are examples. When victims refuse to pay the ransom, attackers frequently threaten to leak sensitive or confidential information.
One reason ransomware has become so pervasive in Africa is the continent’s cybersecurity gap. Many organisations lack dedicated cybersecurity resources, along with the skills, awareness, tools and infrastructure to defend against cyberattacks.
In this environment, hackers can operate with relative ease. Every business leader, particularly those overseeing information and communication technology (ICT) or managing sensitive data, should be asking a critical question. Can our organisation survive a ransomware attack?
This is not just a technical issue; it is also a governance matter. Board members and executive teams are increasingly accountable for risk management and cyber resilience.
As a researcher and expert in the governance of information technology and cybersecurity, I see the African region emerging as a hotspot for cyberattacks. Organisations must be aware of the risks and take steps to mitigate them.
Ransomware attacks can be extremely costly, and an organisation may struggle or fail to recover after an incident.
Weaknesses that increase ransomware risk
Telecommunication company Verizon’s data breach report for 2025 revealed that the number of organisations hit by ransomware attacks had increased by 37% from the previous year. This exposes how unprepared many organisations are to prevent an attack.
A business continuity plan details how a business would continue its operations in the event of a business disruption. An ICT disaster recovery plan is part of the continuity plan. These plans are critical in ensuring continuity of operations after an attack, as affected businesses often experience prolonged downtime, loss of access to systems and data, and severe operational disruptions.
Professional hackers actually sell ransomware tools, making it easier and more profitable for cybercriminals to launch attacks without regard for their consequences.
Hackers can infiltrate systems in various ways:
- weak security controls such as weak passwords or authentication mechanisms
- unmonitored networks, where there is a lack of intrusion detection systems that can report any suspicious network activity
- human error, where employees can mistakenly click on e-mail links which contain ransomware.
Poor network monitoring can allow hackers to remain undetected long enough to collect data on vulnerabilities and identify key systems to target. In many cases, employees unknowingly introduce malicious software by clicking on links or downloading attachments from phishing emails. Phishing is a social engineering attack that uses various manipulation techniques to deceive a user into disclosing sensitive details, such as payment or login details, or to trick them into clicking on malicious links.
Paying up
Attackers commonly demand payment in Bitcoin or other cryptocurrencies because the payments will be quite difficult to trace. Paying the ransom offers no guarantee of full data recovery or protection against future attacks. According to global cybersecurity company Check Point, notorious ransomware groups like Medusa have popularised double extortion tactics.
These groups demand payment and threaten to publish stolen data online. They often use social media platforms and the dark web – part of the internet which is only accessible by means of special software – allowing them to remain anonymous or untraceable. Their goal is to publicly shame victims or leak sensitive information, pressuring organisations to comply.
These breaches also contribute to phishing scams, as exposed email addresses and credentials circulate across the internet, which leads to more data breaches. Websites such as Have I Been Pwned can assist in checking whether your email has been compromised in any previous data breach.
Organisational resilience against ransomware
Organisations should strengthen their cybersecurity in several ways.
- Put strong technical and administrative measures in place to keep data safe. They include effective access controls, network monitoring tools and regular system and data backups.
- Use tools that block malware attacks early and provide alerts when suspicious activities occur. This includes using strong endpoint protection, ensuring that any device which connects to the network has intrusion detection systems that help spot unusual network activity.
- Equip staff with the knowledge and vigilance to detect and prevent potential threats.
- Develop, document and communicate a clear incident response plan.
- Bring in external cybersecurity experts or managed security services when the organisation does not have the skills or capacity to handle security on its own.
- Develop, maintain and regularly test business continuity and ICT disaster recovery plans.
- Obtain cyber-insurance to cover the risks that can’t be completely prevented.
Ransomware attacks are a serious and growing threat to individuals and organisations. They can cause data loss, financial losses, operational disruptions and reputational damage. There are no security measures that can fully guarantee complete protection from such attacks. But the steps outlined here might help.
Thembekile Olivia Mayayise does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.