South Africa is facing a massive ransomware problem

 ·13 May 2023

Ransomware is on the rise in South Africa.

Ransomware is a form of malware that encrypts files and renders these files useless. Criminals then demand a ransom in exchange for decryption.

According to Sophos’ The State of Ransomware in South Africa 2023 report, 78% of South African organisations were struck by a ransomware attack last year.

The report is based on a survey of 3,000 IT/cybersecurity leaders in mid-sized organisations (100-5,000 employees) in 14 countries, with 200 respondents from South Africa.

66% of global respondents said their organisations had experienced ransomware attacks over the last 12 months.

For South Africa, exploited vulnerabilities were the main root of attacks, accounting for 49% of incidents. Compromised credentials were the second largest form of attack, with 24% of attacks.

The amount of data stolen in attacks (35%) was also higher than the global average (30%.)

South Africa’s 78% attack rate was also the most significant increase in the study, jumping from 51% in 2022.


However, as a slight positive, 100% of South African organisations whose data was encrypted got their data back, slightly above the global average of 97%.

Backups are the most common method for restoring data, with 76% whose data was encrypted getting their data via this approach.

The amount of South Africans who had their data encrypted but still paid the ransom declined to 45% from 49% in 2022 – below the global average of 47%.

However, one respondent to the survey said that they paid a $5 million (R94 million) or more ransom.

When excluding ransom payments, the average bill for South African organisations was $0.75 million (R14 million), including downtime, people time, device cost, network cost, and lost opportunities.

However, this is still below the global average of $1.82 million. (R34 million)

82% of private sector organisations said that the attacks resulted in them losing business or revenue – the global average was 84%.

53% of South African businesses said it took them a week to recover. 29% said it took up to a month, while 19% said it took between one and six months.

98% of South African respondents said they had some form of cyber insurance, with 47% having a standalone cyber policy. Globally, only 91% have cyber coverage, with 47% also having a standalone policy.

98% of South African organisations that purchased cyber insurance said that the quality of their defences directly impacted their insurance position.

66% said that it affected their ability to access coverage, while 61% said it impacted the cost of their premiums.

Main areas of attack 

Globally, the education sector was the most likely to experience a ransomware attack in the last year, with 80% of lower education respondents and 79% of higher education respondents being hit.

Sophus said that education struggles due to lower levels of resourcing and technology compared to other industries, with the data showing criminals are targeting their weaknesses.

IT, technology and telecoms reported the lowest level of attacks (50%).

Read: Sharp rise in these asset scams in South Africa

Show comments
Subscribe to our daily newsletter