Published: 7 May 2026 | By AOLC
Every week, another South African business discovers that its files are locked, its systems are down, and a criminal on the other side of the world is demanding payment in cryptocurrency to restore access. Ransomware is no longer a threat reserved for large corporations — it targets small law firms, accounting practices, medical offices, schools, and logistics companies with equal enthusiasm.
The good news is that ransomware is preventable. The bad news is that most businesses do not take action until after they have been hit. This guide explains what ransomware is, why South Africa is an increasingly attractive target, how attacks unfold, and — most importantly — what you can do to protect your business before the criminals come knocking.
South Africa ranks among the top five most-targeted countries in Africa for ransomware attacks — and the average ransom demand against an SME now exceeds R500,000. Most businesses that pay never recover all their data.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts your files — documents, spreadsheets, databases, emails, photos — and demands payment in exchange for the decryption key. Once your files are encrypted, they are completely unreadable without that key. The attacker then displays a ransom note, usually demanding payment in Bitcoin or another cryptocurrency within a set deadline, after which the price doubles or the key is destroyed permanently.
Modern ransomware operations are run like businesses. Criminal groups maintain help desks, offer "customer service" to victims who struggle to pay, and even decrypt one or two files free of charge to prove they hold the key. Many groups also steal your data before encrypting it and threaten to publish it, a technique called double extortion, which adds pressure to pay and turns the incident into a POPIA compliance problem on top of everything else.
R500K+: the average ransom demand against a South African SME in 2025–2026. Over 60% of businesses that pay still do not recover all their data, according to Sophos research.
Why South African Businesses Are a Target
South Africa's cybersecurity maturity lags significantly behind North America and Western Europe, yet our businesses process real money, store valuable personal data, and operate in a connected digital economy. That gap between exposure and protection is exactly what ransomware operators look for.
Several local factors make South African SMEs particularly vulnerable:
- Under-resourced IT — Many businesses rely on ad hoc IT support rather than managed IT services, which means patches are delayed, monitoring is absent, and vulnerabilities go undetected for months.
- Load shedding — Power cuts force businesses onto UPS devices, generators, and LTE failover connections. Each adds network complexity, and an LTE router plugged straight into the LAN as a failover often puts the whole network on the internet behind a consumer device instead of behind the firewall and monitoring that the primary link passes through.
- Weak backup culture — Backups are either non-existent, untested, or stored on the same network as production systems — meaning ransomware encrypts the backup too.
- POPIA pressure — Under the Protection of Personal Information Act, a compromise of personal information must be reported to the Information Regulator and to the affected data subjects. Criminals know this creates urgency to pay quietly rather than report. Paying does not remove the obligation: the duty is triggered by the compromise itself, not by whether the stolen data is later published.
- Remote work sprawl — Many staff members connect to business systems from home using personal devices and consumer-grade routers, dramatically expanding the attack surface.
94% of South African organisations surveyed by Kaspersky reported at least one cybersecurity incident in 2025. Ransomware accounted for the largest share of incidents resulting in operational disruption.
How Ransomware Gets In
Ransomware does not materialise out of thin air. It gets into your business through specific, well-understood entry points. Understanding these is the first step to closing them:
- Phishing emails — The most common entry point. A staff member clicks a malicious link or opens an infected attachment, and the ransomware installer runs silently. Phishing attacks in South Africa have become increasingly sophisticated, with criminals crafting emails that mimic trusted vendors, banks, and even SARS.
- Exposed Remote Desktop Protocol (RDP) — Many businesses expose Windows Remote Desktop (TCP port 3389) directly to the internet so staff can work from home. Attackers scan the entire internet for that port and then brute-force weak or reused passwords until they have an interactive session on your server, with no phishing email required.
- Unpatched software — Outdated Windows, unpatched VPN appliances, and old versions of software like Adobe Reader or Microsoft Office contain known vulnerabilities that ransomware uses as automated entry points. Patching is not optional.
- Compromised credentials — Usernames and passwords stolen from previous data breaches are sold on the dark web. If your staff reuse passwords, attackers may already have valid credentials for your systems.
- Malicious USB devices — Less common but still relevant, particularly in manufacturing and logistics environments where USB drives move between personal and work computers.
- Supply chain compromise — Attackers compromise a trusted software vendor or IT service provider and use that access to deploy ransomware across their entire client base simultaneously.
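Of the entry points above, RDP password guessing is the easiest to spot from logs you already have. The following is an added example, not part of the original article or AOLC's tooling: a small Python detector that reads a simplified, constructed rendering of Windows Security logon events (EventID 4625 is a failed logon, 4624 a successful one, and LogonType 10 means RemoteInteractive, i.e. RDP) and raises an alert when one source address fails five times inside five minutes, plus a higher-priority alert when a successful logon then arrives from that same address. The field layout, the threshold and the sample addresses are assumptions for the example; real events would come from the Security event log or a SIEM.

```python
"""Detect RDP password guessing in Windows logon events.

Added example, not the article's or AOLC's code. Input is a constructed,
simplified rendering of Windows Security events: EventID 4625 (failed logon),
4624 (successful logon), LogonType 10 (RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, EventID, LogonType, source IP, account.
# 203.0.113.45 sprays six accounts in four seconds and then gets in;
# 198.51.100.7 is a user who mistyped a password once; 10.0.0.12 is a
# network (type 3) logon and is ignored because it is not RDP.
SAMPLE_EVENTS = """\
2026-05-06T22:14:01 4625 10 203.0.113.45 administrator
2026-05-06T22:14:02 4625 10 203.0.113.45 admin
2026-05-06T22:14:02 4625 10 203.0.113.45 backup
2026-05-06T22:14:03 4625 10 203.0.113.45 sysadmin
2026-05-06T22:14:04 4625 10 203.0.113.45 reception
2026-05-06T22:14:05 4625 10 203.0.113.45 accounts
2026-05-06T22:14:09 4624 10 203.0.113.45 accounts
2026-05-06T22:20:00 4625 10 198.51.100.7 jsmith
2026-05-06T22:20:30 4624 10 198.51.100.7 jsmith
2026-05-06T23:05:00 4625 3 10.0.0.12 fileshare
"""

FAIL_THRESHOLD = 5             # failures from one source before we alert (assumed)
WINDOW = timedelta(minutes=5)  # sliding window the failures must fall inside
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source_ip, failures_in_window) tuples.

    "bruteforce": a source crossed the failure threshold inside the window.
    "bruteforce_success": a successful RDP logon arrived from a source whose
    window is still hot, which means a guess probably worked.
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerted = set()                # sources already reported as brute-forcing
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        recent = failures[ev["src"]]
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            if len(recent) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(recent)))
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append(("bruteforce_success", ev["src"], len(recent)))
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{kind}: {src} ({count} failed RDP logons within {WINDOW})")
```

Run it as a script to print the two alerts for the spraying address and nothing for the user who mistyped once. The five-in-five-minutes threshold is a starting point, not a standard; the real fix is to take RDP off the internet entirely (behind a VPN with MFA or a remote-access gateway) so the detector has nothing to report.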
What Happens During an Attack
A ransomware attack is rarely a sudden event. In most cases, attackers have been inside your network for days or weeks before they detonate the ransomware — using that time to map your systems, steal credentials, disable backups, and identify your most critical data. When they finally trigger the encryption, they do it in a coordinated burst that hits as many systems as possible simultaneously.
From the business owner's perspective, the experience typically begins with staff reporting that files are "corrupted" or applications are throwing strange errors. Within minutes, it becomes clear that the entire network is affected. A ransom note appears on screens — a countdown timer, a payment address, and instructions. At this point, every minute of inaction costs money.
Tip: Do not pay the ransom without first consulting a cybersecurity professional. Paying funds criminal operations, does not guarantee data recovery, and may breach sanctions regulations if the group or its affiliates are sanctioned entities. In many cases, clean backups are the only reliable path to full recovery.
How to Protect Your Business
The businesses that survive ransomware attacks intact are rarely lucky — they are prepared. The following measures, implemented together, dramatically reduce both your risk of infection and the damage if an attack does succeed:
- Tested, offsite backups — Your most important protection. Keep at least one copy off the production network (ideally immutable cloud storage or an offline copy that an attacker holding your domain credentials cannot reach), back up automatically every day, and run an actual restore drill every month. A backup you have never restored is not a backup.
- Patch management — All operating systems, firmware, and third-party software must be patched within 72 hours of a critical vulnerability disclosure. Automated patch management is a core component of managed IT services.
- Multi-factor authentication (MFA) — Enable MFA on every system reachable from the internet: email, VPN, remote desktop, cloud applications. MFA stops most credential-based attacks even when the password is already in the attacker's hands, but push prompts can be worn down by repeated requests and SMS codes can be phished, so prefer an authenticator app or hardware key, and leave no internet-facing login without it.
- Endpoint Detection and Response (EDR) — EDR tools monitor device behaviour in real time and can detect and isolate ransomware activity before it spreads. This is a significant upgrade from basic antivirus. Our managed security service includes EDR across all protected endpoints.
- Email filtering and sandboxing — Advanced email filtering blocks malicious attachments and links before they reach your staff. Sandboxing opens suspicious files in an isolated environment to test for malicious behaviour.
- Security awareness training — Your staff are the last line of defence. Regular cyber awareness training teaches employees to recognise phishing attempts, handle suspicious files correctly, and report incidents immediately.
- Network segmentation — Dividing your network into isolated segments limits how far ransomware can spread. If your accountant's PC is compromised, it should not have direct access to your production server.
- Incident response plan — Know in advance who to call, what to disconnect, and how to communicate with staff and clients if you are hit. A written plan reduces panic and speeds recovery.
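The monthly restore drill in the first point above is the step most businesses skip. Here is an added example, not the article's or AOLC's own tooling, of what that drill looks like as code: a Python script that creates a small constructed data set, takes a backup with a SHA-256 manifest, restores it into a scratch directory and verifies every file against the manifest, then overwrites one backed-up file with random bytes (standing in for ransomware that reached the backup share) to show the drill failing loudly rather than silently. Paths, file names and contents are invented for the example.

```python
"""Backup restore drill: prove a backup can actually be restored.

Added example, not AOLC's tooling. It builds a small constructed
"production" tree, backs it up with a SHA-256 manifest, restores into a scratch
directory and verifies every file, then corrupts one backed-up file to show the
drill failing loudly. Paths and file contents are invented for the example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, backup_dir):
    """Copy the tree under src to backup_dir/data and write a manifest of
    relative path -> SHA-256 so a later restore can be checked byte for byte."""
    shutil.copytree(src, backup_dir / "data")
    manifest = {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*")) if p.is_file()
    }
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_drill(backup_dir, restore_dir):
    """Restore backup_dir into restore_dir and verify against the manifest.

    Returns (ok, problems). A missing file or a hash mismatch is a failed
    drill, which is exactly what you want to learn before the real incident.
    """
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_dir)
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def run_drill_demo():
    """Run one clean drill and one against a tampered backup.

    Returns (first_ok, second_ok, problems_from_second)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod = root / "prod"  # constructed stand-in for the production share
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("date,amount\n2026-05-01,1500\n")
        (prod / "clients.db").write_bytes(b"\x00\x01constructed client db\x02")

        backup = root / "backup"
        make_backup(prod, backup)
        first_ok, _ = restore_drill(backup, root / "restore1")

        # Ransomware that reaches the backup share overwrites files in place;
        # stand in for that by replacing one backed-up file with random bytes.
        (backup / "data" / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        second_ok, problems = restore_drill(backup, root / "restore2")
        return first_ok, second_ok, problems


if __name__ == "__main__":
    ok1, ok2, problems = run_drill_demo()
    print("clean backup drill passed:", ok1)
    print("tampered backup drill passed:", ok2, problems)
```

A real drill restores from the offsite or immutable copy, not from the live share, and the manifest must live with that copy (or be signed, or stored somewhere the backup account cannot write), because an attacker who can overwrite the backup can just as easily rewrite a manifest kept beside it.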
If You Are Hit: What to Do Next
If you suspect a ransomware attack is underway, speed matters. Every second the ransomware continues to run, more files are encrypted. Follow these steps immediately:
- Isolate immediately — Disconnect infected machines from the network by unplugging ethernet cables and disabling Wi-Fi. Prefer not to power them off, because forensic analysis of running memory may still be possible; if a machine cannot be disconnected any other way, powering it off is better than letting it keep encrypting and spreading.
- Call your IT provider — Contact your managed IT provider or AOLC immediately. Do not attempt to restore systems yourself without professional guidance.
- Do not pay without advice — Before paying anything, consult a cybersecurity professional. There may be free decryption tools available, or a clean restore may be possible.
- Preserve evidence — Do not wipe machines before documentation. Photographs of ransom notes, logs, and network traffic captures are important for insurance claims, law enforcement, and post-incident analysis.
- Notify the relevant parties — Under POPIA, if personal data has been compromised, you are legally required to notify the Information Regulator and affected data subjects. Delays in notification attract additional penalties.
- Restore from clean backups — Once systems have been forensically cleared and the attack vector identified and closed, restore from your most recent clean backup. Check that the backup is genuinely clean before relying on it: attackers are usually inside for days or weeks before they encrypt, so the newest copy may already contain encrypted files or the attacker's own tools, and an older copy may be the safe one.
- Conduct a post-incident review — Every ransomware incident reveals gaps. Once you are recovered, identify what failed, what worked, and what needs to change to prevent recurrence.
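The check in the "Restore from clean backups" step, confirming the backup was not itself encrypted, can be automated, and the same signal is part of what behaviour-based EDR watches for on a live machine. The following is an added example, not code from the article or from AOLC: a Python scanner that classifies files as clean, encrypted or merely corrupt by combining two signals, whether the file still starts with the magic bytes its extension implies, and the Shannon entropy of its first 4 KiB. Ransomware output is indistinguishable from random bytes and approaches 8 bits per byte, but compressed formats such as PNG and DOCX are high-entropy too, which is why the header check comes first. The sample files, the magic-byte table and the 7.5-bit threshold are assumptions for the example.

```python
"""Tell encrypted files from clean or merely corrupt ones.

Added example, not the article's code. Combines two signals: whether a file
still begins with the magic bytes its extension implies, and the Shannon
entropy of its first 4 KiB. Sample files, the magic table and the 7.5-bit
threshold are assumptions for the example.
"""
import hashlib
import math
import os
from collections import Counter

# Magic bytes for a few common formats (a real scanner would carry many more).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; random (encrypted) data approaches 8.0
HEAD = 4096              # ransomware that encrypts only file headers still hits this


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name, data):
    """Return "clean", "encrypted" or "corrupt" for one file's bytes."""
    ext = os.path.splitext(name)[1].lower()
    head = data[:HEAD]
    entropy = shannon_entropy(head)
    magic = MAGIC.get(ext)
    if magic is not None:
        if head.startswith(magic):
            return "clean"  # right header; high entropy is normal for PNG/DOCX
        return "encrypted" if entropy >= ENTROPY_THRESHOLD else "corrupt"
    # No known header (text, CSV, or an extension the ransomware appended):
    # fall back on entropy alone.
    return "encrypted" if entropy >= ENTROPY_THRESHOLD else "clean"


def scan(files):
    """Classify a mapping of file name -> bytes. Returns name -> verdict."""
    return {name: classify(name, data) for name, data in files.items()}


def backup_is_trustworthy(verdicts):
    """A backup set with even one encrypted file was taken after the attacker
    reached it and must not be used as the restore source."""
    return "encrypted" not in verdicts.values()


def pseudo_random(n):
    """Deterministic high-entropy bytes (SHA-256 chain) so the demo repeats exactly."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


# Constructed sample set: two healthy files, two encrypted ones, one corrupt one.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2026-05-01,1500\n" * 40,
    "logo.png": b"\x89PNG\r\n\x1a\n" + pseudo_random(2000),
    "contract.pdf": pseudo_random(3000),
    "notes.txt.locked": pseudo_random(1500),
    "old_scan.pdf": b"GARBAGE_HEADER" * 100,
}

if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for name, verdict in results.items():
        print(f"{verdict:10s} {name}")
    print("backup trustworthy:", backup_is_trustworthy(results))
```

Point `scan` at the files in a backup snapshot before you restore from it; a single "encrypted" verdict means that snapshot post-dates the attacker's arrival and you should step back to an older one. The entropy threshold will need tuning for your own data, since legitimately compressed or already-encrypted archives without a recognised header will also score high.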
The average cost of recovering from a ransomware attack — including downtime, data recovery, staff time, and reputational damage — is typically three to five times the original ransom demand. Prevention is always cheaper.
Ransomware is a serious and growing threat for South African businesses of every size. But it is not inevitable. Businesses that invest in proper backups, patching, MFA, staff training, and a managed security service are dramatically less likely to become victims — and far better positioned to recover if they do.
Book a Free Security Assessment
Not sure how exposed your business is? Our security specialists will assess your environment, identify ransomware risk factors, and give you a clear remediation plan — at no cost.