The old approach was straightforward: Encrypt a company's files, demand payment and count on the victim not having a clean backup. Most businesses eventually figured out that good backups were the answer. So attackers changed tactics.
The new standard practice among ransomware groups globally is to steal the data first, then encrypt. According to the Verizon 2025 Data Breach Investigations Report, ransomware now features in 44% of all confirmed breaches, up from 32% the year before, with dual extortion tactics combining encryption and data theft now considered routine.
Even a company with perfect recovery procedures faces a choice: pay, or watch customer records, financial data and intellectual property get published.
Why POPIA changes the ransomware data extortion calculation
For SA businesses, the exposure goes beyond operational disruption. Under POPIA, organisations must notify the Information Regulator and affected individuals when personal information is compromised. A ransomware group leaking stolen customer data triggers that obligation, whether or not the company's systems are back online and fully restored.
The SABRIC 2024 Annual Crime Statistics recorded an 86% rise in digital banking fraud and R1.9 billion in related losses, reflecting an environment where attackers are already operating at scale against SA targets.
As Refilwe Kgosiemang of Cloud on Demand notes, when an attacker exfiltrates data before encrypting, legacy rules-based defences often see nothing wrong because the activity looks legitimate. The attack has already succeeded before the alarm sounds.
What SA founders should be asking about ransomware data extortion
Backups are necessary, but no longer sufficient. SA companies handling customer data need to think about whether they can detect data leaving their environment, not just whether they can recover once the damage is done.
Check Point Research's 2026 Cyber Security Report found that organisations faced close to 2,000 cyberattack attempts per week on average in 2025, a 70% increase since 2023, driven largely by AI-enabled automation that lets attackers move faster and at greater scale.
The question for founders isn't whether the threat is real. It's whether their security posture has kept up with how ransomware actually works now.
For a deeper technical breakdown of the shift to data extortion, read Refilwe Kgosiemang's full analysis at Cloud on Demand.



