Ransomware surge: South African companies face soaring demands and steeper recovery costs

A new report reveals that ransom demands in South Africa have skyrocketed, with organizations paying the price in more ways than one. As cybercriminals become more sophisticated, the country grapples with growing encryption rates, skill shortages, and vulnerabilities hidden in plain sight.

Ransomware attacks are tightening their grip on South African businesses, and the financial fallout is growing more severe by the day.

A recent study by cybersecurity firm Sophos, featured by the publication TechCentral, shows a dramatic escalation in both the frequency and financial impact of ransomware incidents. In just one year, the median ransom demanded from South African companies surged from US$165,000 (around R2.9 million) in 2024 to a staggering R17 million in 2025, nearly six times higher.

Even more concerning is the fact that companies are increasingly giving in to these demands. On average, victims in South Africa paid about 64% of the ransom amounts requested, a troubling sign of how effective these attacks have become.

According to Sophos’s State of Ransomware in South Africa Report 2025, 60% of ransomware incidents in the country resulted in data encryption. That’s well above the global average of 50%, highlighting a particular vulnerability in local systems.

The report is based on a global survey of 3,400 IT and cybersecurity professionals, including over 150 South African organizations that suffered ransomware attacks between January and March 2025. The findings suggest that compromised credentials were the most common entry point for attackers, cited in 34% of successful breaches. Exploited software vulnerabilities and malicious emails followed closely, responsible for 28% and 22% of attacks, respectively.

But technology alone isn’t the problem. When asked about the operational factors behind their breaches, 58% of South African respondents pointed to a lack of internal cybersecurity expertise. Another 53% discovered too late that there were weak spots in their systems they hadn’t previously known about.

The methods used by attackers varied. In some cases, critical systems were encrypted, bringing daily operations to a halt. In others, data was exfiltrated and stored externally, with criminals threatening to leak it unless a ransom was paid.

And the stakes are rising. Nearly half of all ransom demands in 2025 exceeded US$1 million, with median payments tripling from R2.7 million to R8 million in just a year.

Despite the grim numbers, the report also points to a silver lining. Organizations that had solid incident response plans in place or worked closely with security partners were able to mitigate damage more effectively. In the end, the best ransomware attack is the one that never succeeds, because it never gets in.