Nearly 8% of African organisations faced ransomware in 2025 and the attacks are changing shape

Kaspersky's Anti-Ransomware Day report finds 8.13% of organisations in the region faced ransomware in 2025 and identifies a growing trend toward extortion without encryption

Kaspersky, the cybersecurity company headquartered in Moscow that operates threat research and consumer and enterprise security products across more than 200 countries, has published its annual ransomware trends report to coincide with International Anti-Ransomware Day on 12 May. The report, based on data from the Kaspersky Security Network, found that Latin America had the highest share of organisations with ransomware detections in 2025 at 8.13%, followed by Asia-Pacific at 7.89%, Africa at 7.62%, the Middle East at 7.27%, the Commonwealth of Independent States at 5.91% and Europe at 3.82%.

While the overall share of organisations affected by ransomware declined slightly compared to 2024, the report identifies several shifts in how attacks are conducted. One of the most significant is the continued rise of what Kaspersky calls "encryption-less" extortion, where attackers steal sensitive data and threaten to release it rather than encrypting systems and demanding payment for decryption. This approach puts pressure on victims through reputational and regulatory exposure rather than operational disruption, and it sidesteps the defences organisations have built specifically to recover from encrypted systems, such as offline backups.

The report also documents the growing use of tools designed specifically to disable endpoint detection and response (EDR) software, the security systems that monitor devices for suspicious activity, before the actual malware is deployed. These tools have become a standard component of ransomware operations in 2025, indicating that attackers are investing more time in preparing an environment before launching the final stage of an attack.

Another development is the adoption of post-quantum cryptography by some ransomware groups, a shift Kaspersky had previously predicted. Post-quantum cryptography uses encryption methods designed to resist decryption by quantum computers, which means that even as quantum computing matures, data encrypted by these ransomware strains may remain inaccessible to victims and law enforcement.

The role of Initial Access Brokers (IABs), criminals who sell pre-compromised access to corporate networks through underground forums and messaging platforms, continues to expand. RDWeb portals, which allow remote device management through a browser, are increasingly targeted as entry points. This "access-as-a-service" model lowers the barrier to launching ransomware attacks because the attacker does not need to find a way into the network themselves.

On the law enforcement side, authorities seized RAMP, a forum where ransomware operators advertised services, in January 2026, and LeakBase, a platform for distributing stolen data, in March 2026. However, Kaspersky notes that similar platforms tend to reappear after seizures.

Among active groups, Kaspersky identified Qilin as the dominant ransomware-as-a-service operator in 2025 following RansomHub's cessation of operations, with Clop ranked second and Akira third. Looking into 2026, Kaspersky highlights The Gentlemen as a group to watch due to its rapid growth and structured approach to data-centric extortion, noting that it may include operators previously associated with other major ransomware operations.

For South African organisations, the Africa-specific detection rate of 7.62% places the region third globally, above the Middle East, CIS and Europe. The shift toward data theft over encryption is particularly relevant in markets subject to data protection regulations such as POPIA, where the exposure of stolen customer or employee data creates both regulatory and reputational consequences beyond the immediate operational impact of an attack.

"Ransomware has evolved into a highly organised ecosystem focused on monetising stolen data, disabling defences, and scaling attacks with business-like efficiency. Threat actors are quickly adapting, weaponising legitimate tools, exploiting remote access infrastructure, and even adopting post-quantum cryptography years earlier than many expected. The purpose of Anti-Ransomware Day is to raise global awareness about the threats posed by ransomware and to promote best practices for prevention and response, and we urge all users to stay secure, set up layered defences, invest in backups and boost cyberliteracy levels to counter attacks," comments Fabio Assolini, Lead Security Researcher at Kaspersky GReAT.

The full report is available on Securelist.