Cybercriminals and malicious hacker groups that successfully breached the IT systems of South African companies in the past year raised their ransom demands nearly sixfold in the same period.

According to The State of Ransomware in South Africa Report 2025 by cybersecurity firm Sophos, the median ransom demanded rose shot up from US$165 000 (R2.9-million) in 2024 to a staggering R17-million in 2025.

On average, South Africa firms that fell victim to a ransomware attack and engaged with the attackers ended up paying about 64% of the ransom demanded of them.

“Ransomware remains a major threat to South African organisations. As adversaries continue to iterate and evolve their attacks, it’s essential that defenders and their cyber defences keep pace,” Sonos said in the report. “The best ransomware attack is the one that didn’t happen because adversaries couldn’t get into your organisation.”

In compiling the report, Sophos conducted a survey of 3 400 IT and cybersecurity professionals working in organisations that were hit by ransomware attacks in the last year. More than 150 of the companies surveyed were from South Africa. The survey, which was conducted by a third-party specialist, took place from January to March.

Sophos found that compromised credentials were the most common root cause of security breaches in South African organisations, accounting for 34% of all successful attacks. Exploited vulnerabilities and malicious e-mails were second and third, used in 28% and 22% of all attacks, respectively.

Weak points

Sophos also asked survey respondents about any operational weak points that led to their systems being exploited. Some 58% of those surveyed pointed to a lack of expertise as the leading operational root cause of system breaches, while 53% pointed to a weakness in their defences “they were not previously aware of” as a key factor in successful ransomware attacks.

South African companies were held at ransom for their data in different ways. Some attacks entrenched themselves in a critical part of an organisation’s systems, bringing operations to a grinding halt, usually by encrypting important data. Others did not stay within the hacked organisations’ IT environment, opting to steal data and hold it elsewhere for ransom.

Read: Cell C was hit by ransomware gang

According to Sophos, 60% of the attacks on South African companies led to data being encrypted, higher than the 50% global average. Data encryption was more prominent among South African companies in 2024, when reports of this mode of attack were as high as 76% of the total of compromised companies surveyed.

The upward trend in ransom demand values has coincided with a rise in the amounts paid by victims. Nearly half of all ransom demands on South African companies in 2025 were for $1-million (R17-million) or more. Although only 64% paid the full amount, the median payment rose nearly threefold from R2.7-million to R8-million. Despite this bleak finding, there were some positive signals, too.

“Ninety percent of South African organisations that had data encrypted were able to get it back and 71% of those that paid the ransom and got data back, a considerable increase from the 43% reported last year,” said Sophos.

Potentially more damaging than the cost of a ransom are the effects a breach can have on an organisation’s culture and operations. In cases where data was encrypted, surveyed companies reported increased pressure from senior leaders, increased anxiety or stress about future attacks, higher workloads, and even feelings of guilt among employees. The cost of recovery is another factor that cannot be ignored.

Read: ‘Data incident’ at Standard Bank sparks full-scale probe

“Excluding any ransom payments, the average bill incurred by South African organisations to recover from a ransomware attack in the last year came in at $1.31-million (R23-million), a small increase from the $1.04-million (R18-million) reported by South African respondents in 2024. This includes costs of downtime, people time, device cost, network cost and lost opportunity,” said Sophos.

Get breaking news from TechCentral on WhatsApp. Sign up here.