South Africa ranks among the top 10 most targeted countries for ransomware globally. In 2025 alone, attacks on local businesses increased by 42%. The targets aren't just banks and government — they're accounting firms, manufacturers, logistics companies, and medical practices. SMBs are targeted specifically because attackers know their defences are weaker.
Here's what works.
Layer 1: Stop it at the door
Most ransomware enters through email. A well-configured email security gateway (Mimecast, Microsoft Defender for Office 365, Kaspersky) catches the majority of phishing emails and malicious attachments before they reach inboxes.
But email security alone isn't enough. Attackers also use:
Your firewall should block known malicious IP addresses and domains. Disable RDP on internet-facing systems — if remote access is needed, use a VPN with multi-factor authentication.
Layer 2: Assume it gets through
Modern endpoint protection (EDR — Endpoint Detection and Response) doesn't just scan for known malware signatures. It monitors behaviour: a process that starts encrypting hundreds of files per second is suspicious regardless of whether it matches a known signature.
Fortinet, Kaspersky, and Microsoft Defender for Endpoint all offer EDR capabilities. For SMBs, the managed versions are worth the premium — someone else watches the alerts at 2 AM.
Layer 3: Your backup is your last line
If ransomware encrypts your files, your backup is the only way out without paying. But attackers know this and target backups too:
Offline backups:: At least one backup copy must be physically or logically disconnected from the network. Cloud backups with immutable storage (write-once-read-many) achieve this.
Test your restores:: The backup that hasn't been tested is a wish, not a plan. Restore a random set of files monthly.
Versioning:: Keep multiple versions. If ransomware encrypts files slowly over days before triggering, your most recent backup may already contain encrypted files.
Layer 4: Your staff
Phishing training works. Not the annual 30-minute video that everyone ignores — short, frequent, specific training. Send simulated phishing emails monthly. When someone clicks, they get a 2-minute lesson on what they missed, not a disciplinary hearing. Over six months, click rates typically drop from 30% to under 5%.
What to do if you're hit
Prevention costs less than recovery
The average ransomware recovery cost for an SA SMB in 2025 was R450,000 — including downtime, IT emergency response, and reputational damage. A proper layered defence with managed EDR, email security, tested backups, and staff training costs roughly R8,000–R15,000 per month for a 20-person business.
The maths is simple.



