
Ransomware in 2025: Prevention, response, and the debate on payments
Ransomware remains a formidable threat to organisations worldwide. Despite the law-enforcement disruption of the LockBit ransomware operation in early 2024, attacks have surged, with cybercriminals adopting new tactics and continuing to exploit unpatched vulnerabilities.
The rise of groups like Ghost and RansomHub demonstrates the increasing sophistication of these attacks, leaving businesses with difficult decisions regarding prevention, response, and ransom payments.
In South Africa, ransomware remains a pervasive issue, with anecdotal evidence suggesting that many organisations choose to pay ransoms to restore critical systems. However, without clear regulatory enforcement, the true extent of ransom payments remains unknown. This article explores key strategies for reducing ransomware risk, the ongoing debate over banning ransom payments, and the importance of an updated incident response plan.
1. What should companies do to reduce the risk of ransomware beyond training and expensive security systems?
Traditional cybersecurity measures such as employee training and expensive security tools are essential but not sufficient for mitigating ransomware threats. Companies need a proactive, multi-layered approach that covers the following:
Ransomware attacks often gain initial access through known vulnerabilities, making regular software updates and patch management essential. Keeping systems, applications, and firmware up to date, and prioritising internet-facing systems and vulnerabilities that are known to be actively exploited, prevents cybercriminals from taking advantage of security gaps that have a fix available. Network segmentation is another crucial strategy: it limits the spread of ransomware by isolating different parts of the network, so that a single compromised workstation cannot reach backup servers, domain controllers or other critical systems directly, thereby reducing the potential damage of an attack.
Stolen credentials remain a major entry point for cyber-threats, which is why implementing multi-factor authentication (MFA) and enforcing the principle of least privilege are both critical. MFA makes a stolen password alone insufficient to log in, while least privilege restricts each user and service account to only the access it needs, minimising what an attacker can do with any account that is compromised. Secure data backups are also vital. Companies should maintain frequent, encrypted backups that are kept offline or immutable, as cybercriminals increasingly seek out and destroy backup systems before encrypting production data. Backups must be stored securely and regularly test-restored: a backup that has never been restored cannot be assumed to work, and the time a full restore takes is the time the business will be down.
Adopting a Zero Trust architecture further enhances security by assuming that no user or device should be trusted by default. This approach enforces continuous authentication and strict access controls to prevent unauthorised access. Regular threat intelligence monitoring and security assessments, such as penetration testing and vulnerability scans, help organisations stay ahead of evolving ransomware tactics. Staying informed about emerging threats allows businesses to proactively address weaknesses before attackers can exploit them.
Finally, engaging cybersecurity experts for continuous monitoring and rapid response can significantly strengthen an organisation’s resilience against ransomware. External professionals provide valuable insights, conduct threat analysis, and offer quick incident response, ensuring businesses are well-prepared to defend against and recover from potential attacks.
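The backup guidance above (encrypted, offline copies, tested for recovery) is the part of this list most often done badly in practice: organisations discover only during an incident that the backup set was silently encrypted along with everything else. The script below, added here as an illustration and not code from the article, builds an integrity manifest of SHA-256 file hashes protected by an HMAC, and checks a restored tree against it. Files that were encrypted in place, deleted, or added (such as a ransom note) show up as mismatches, and a manifest that an attacker rewrote to cover the damage fails the HMAC check. The directory layout, file contents and the key value are constructed for the demo; the key is assumed to live with the offline copy, not on the production network.

```python
"""Integrity manifest for an offline backup set (added example, not from the article).

Builds a keyed manifest of SHA-256 hashes for a backup tree and verifies a
restored copy against it. The HMAC key is assumed to be stored offline with
the backup; if it sits on the network that gets encrypted, the attacker can
rewrite the manifest as easily as the files.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB pieces so large backups are not loaded into memory


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: Path) -> dict:
    """Relative POSIX-style path -> absolute Path for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): p
            for p in root.rglob("*") if p.is_file()}


def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and sign the listing with the offline key."""
    files = {rel: file_sha256(p) for rel, p in _listing(root).items()}
    return {"files": files, "mac": _mac(files, key)}


def verify_restore(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare a restored tree with the manifest.

    Returns whether the manifest itself is authentic plus the lists of
    modified, missing and unexpected paths. A manifest that fails the HMAC
    check is not used at all: its listing could say anything.
    """
    report = {"manifest_authentic": hmac.compare_digest(_mac(manifest["files"], key),
                                                        manifest["mac"]),
              "modified": [], "missing": [], "unexpected": []}
    if not report["manifest_authentic"]:
        return report
    present = _listing(root)
    for rel, digest in manifest["files"].items():
        if rel not in present:
            report["missing"].append(rel)
        elif file_sha256(present[rel]) != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(present) - set(manifest["files"]))
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a tree, check it, then simulate an attack."""
    key = b"demo-key-kept-offline"  # assumption: the real key comes from an offline vault
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("quarterly export\n")
        manifest = build_manifest(src, key)
        clean = verify_restore(src, manifest, key)

        # Simulated ransomware: encrypt one file in place, drop a note, delete another.
        (src / "finance" / "ledger.csv").write_bytes(os.urandom(32))
        (src / "finance" / "README_DECRYPT.txt").write_text("pay up\n")
        (src / "readme.txt").unlink()
        after = verify_restore(src, manifest, key)

        # Attacker without the key rewrites the hash of the encrypted file to "match".
        forged = json.loads(json.dumps(manifest))
        forged["files"]["finance/ledger.csv"] = file_sha256(src / "finance" / "ledger.csv")
        tampered = verify_restore(src, forged, key)
    return {"clean": clean, "after_attack": after,
            "forged_manifest_rejected": not tampered["manifest_authentic"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test built on this is cheap to automate: restore the backup set to an isolated host on a schedule, run verify_restore against the manifest that was generated at backup time, and treat any modified, missing or unexpected entry, or an inauthentic manifest, as a failed backup rather than a warning.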
2. Should paying the ransom be banned, and how can this be enforced?
When facing a ransomware attack, organisations may feel pressured to pay the ransom to quickly regain access to their data. However, this approach carries significant ethical, legal, and strategic risks that far outweigh any potential short-term relief. Paying a ransom directly funds criminal enterprises, incentivising further attacks and perpetuating the cycle of cyber-extortion. There is also no guarantee that cybercriminals will honour their promises: many victims never fully recover their data, even after payment, because the decryptors supplied by attackers are often slow, buggy or incomplete. Payment does not undo the theft of data that was exfiltrated before encryption, nor does it remove the access the attackers already have. Additionally, organisations that pay are more likely to be targeted again, as they are seen as willing to comply with ransom demands. In some jurisdictions, paying a ransom may also violate legal and regulatory frameworks, for example where the recipient is a sanctioned entity, leading to further complications.
Instead of considering payment, organisations should adopt proactive preventative security measures to mitigate the risk of ransomware attacks. This includes investing in robust cybersecurity defences, maintaining regular backups of critical data to ensure business continuity, and developing incident response plans to quickly address and contain threats. While the decision to pay may seem like the fastest solution in a crisis, it ultimately fuels cybercrime and exposes organisations to greater risks. The best course of action is to focus on prevention, resilience, and expert guidance to navigate ransomware incidents effectively.
3. How do you go about preparing a comprehensive Incident Response Plan, and how do you keep it up to date?
A well-structured Incident Response Plan (IRP) is crucial for minimising the impact of a ransomware attack, but according to our Hybrid Security Trends Report, only 45% of organisations have one in place.
Developing and maintaining an effective IRP involves several key steps, starting with preparation. Organisations should establish an Incident Response Team (IRT) with clearly defined roles, ensuring that everyone knows their responsibilities during an attack. A strong communication strategy is also essential for coordinating both internal and external messaging. Additionally, maintaining an inventory of critical assets helps prioritise protection efforts and allocate resources effectively.
The next step is detection and identification, which requires monitoring capable of flagging the precursors of an encryption run early: mass file renames or modifications, deletion of backups and volume shadow copies, disabling of security tooling, and unusual lateral movement or privileged logons. Employees should be trained to recognise the warning signs of ransomware and report potential threats. Regular vulnerability scans further strengthen security by identifying weak points before attackers can exploit them.
Once a ransomware attack is detected, containment and eradication become the top priority. Infected systems must be quickly isolated from the network to prevent the malware from spreading; disconnecting them is preferable to powering them off, which destroys volatile evidence needed for the investigation. Disabling compromised user accounts, resetting credentials and revoking access to affected systems can further limit damage. At this stage, identifying the root cause is critical: the initial access vector must be closed and any persistence the attacker established must be found and removed, otherwise the attacker simply returns to the restored environment.
Recovery and restoration efforts focus on regaining access to data and systems. Secure backups should be used to restore encrypted files, but organisations must restore from a point before the intrusion began, rebuild compromised hosts from known-good images, and verify the integrity of restored systems before reconnecting them to the network to confirm they are free from reinfection. A post-attack security audit helps to identify any remaining vulnerabilities and prevent future incidents.
Finally, post-incident review and continuous improvement ensure that organisations learn from the attack. Analysing the incident, documenting key lessons, and updating security policies based on new findings strengthen future defences. Regular tabletop exercises and simulated attack drills help test the IRP and improve response readiness.
Keeping the IRP up to date is just as important as having one in place. Organisations should review their plans at least twice a year or after significant security events, ensuring that contact lists and response procedures remain current. Incorporating new threat intelligence helps in adapting the plan to evolving attack techniques, ensuring it remains an effective defence against ransomware threats.
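The detection-and-identification phase above depends on spotting behaviour rather than a known malware sample, since the encryptor is usually new to each victim. The script below is an added example, not the article's or any product's code: it runs three behavioural rules over endpoint file-activity events (a burst of renames that change file extensions by one process, a command that deletes volume shadow copies, and the same note file written into many directories). The event format, field names, thresholds and the sample log are constructed for the demo and would need mapping onto whatever EDR or file-audit telemetry an organisation actually has.

```python
"""Behavioural ransomware detection over endpoint file-activity events.

Added example, not from the article or any vendor product. It flags three
signals that accompany an encryption run instead of matching a signature:
a burst of extension-changing renames, deletion of Volume Shadow Copies,
and one note file dropped into many directories. Event format, field names,
thresholds and the sample log are constructed for the demo.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RENAME_BURST = 20                      # distinct re-extensioned files ...
BURST_WINDOW = timedelta(seconds=60)   # ... by one process within this window
NOTE_DIRS = 5                          # same file name written into this many directories
# Commands commonly used to destroy local restore points before encryption starts.
SHADOW_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)


def parse(line: str) -> dict:
    """One JSON event per line: ts, host, user, proc, op, path and dest or cmd."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines) -> list:
    """Return one alert per (rule, host, process); repeat hits are not duplicated."""
    alerts, fired = [], set()
    rename_times = defaultdict(deque)  # (host, proc) -> timestamps of ext-changing renames
    renamed = defaultdict(set)         # (host, proc) -> source paths already counted
    note_dirs = defaultdict(set)       # (host, proc, filename) -> directories written to

    def fire(rule, ev, **evidence):
        key = (rule, ev["host"], ev["proc"])
        if key not in fired:
            fired.add(key)
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                           "proc": ev["proc"], "ts": ev["ts"].isoformat(), **evidence})

    for ev in map(parse, lines):
        key = (ev["host"], ev["proc"])
        if ev["op"] == "exec" and SHADOW_RE.search(ev.get("cmd", "")):
            fire("shadow_copy_delete", ev, cmd=ev["cmd"])
        elif ev["op"] == "rename":
            src, dst = PureWindowsPath(ev["path"]), PureWindowsPath(ev["dest"])
            if src.suffix.lower() == dst.suffix.lower() or str(src) in renamed[key]:
                continue  # ordinary renames and repeats of the same file do not count
            renamed[key].add(str(src))
            window = rename_times[key]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= RENAME_BURST:
                fire("rename_burst", ev, files=len(window), new_ext=dst.suffix)
        elif ev["op"] == "write":
            p = PureWindowsPath(ev["path"])
            dirs = note_dirs[(ev["host"], ev["proc"], p.name.lower())]
            dirs.add(str(p.parent).lower())
            if len(dirs) >= NOTE_DIRS:
                fire("note_spray", ev, name=p.name, dirs=len(dirs))
    return alerts


def sample_events() -> list:
    """Constructed log: normal user activity followed by an encryption run by enc.exe."""
    t0 = datetime(2025, 3, 10, 9, 0, 0)
    host, user, docs = "WS-042", "ana", r"C:\Users\ana\Documents"

    def ev(offset, proc, op, **fields):
        return json.dumps({"ts": (t0 + timedelta(seconds=offset)).isoformat(),
                           "host": host, "user": user, "proc": proc, "op": op, **fields})

    lines = [
        ev(0, "explorer.exe", "rename", path=docs + r"\report.docx", dest=docs + r"\report_final.docx"),
        ev(1, "winword.exe", "write", path=docs + r"\budget.docx"),
        ev(2, "explorer.exe", "rename", path=docs + r"\draft.txt", dest=docs + r"\draft.md"),
        ev(5, "enc.exe", "exec", path=r"C:\Windows\System32\vssadmin.exe",
           cmd="vssadmin.exe delete shadows /all /quiet"),
    ]
    for i in range(25):  # 25 spreadsheets re-extensioned in 25 seconds
        lines.append(ev(10 + i, "enc.exe", "rename",
                        path=docs + r"\file%d.xlsx" % i, dest=docs + r"\file%d.xlsx.locked" % i))
    for d in ["Documents", "Pictures", "Desktop", "Downloads", "Music", "Videos"]:
        lines.append(ev(40, "enc.exe", "write", path=r"C:\Users\ana\%s\HOW_TO_RECOVER.txt" % d))
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(json.dumps(alert))
```

The thresholds are deliberately coarse. A single extension-changing rename or a lone note file is normal user activity and is ignored; the shadow-copy rule fires on the first hit because legitimate administrators rarely run it from a user workstation, and it typically precedes encryption by seconds, which makes it the alert most worth automating a host isolation on.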
With 69% of South African businesses affected by ransomware in 2024, it’s clear that companies must move beyond reactive strategies. While banning ransom payments may seem like a logical step, enforcement remains a challenge. Instead, organisations should focus on proactive prevention, robust incident response planning, and greater transparency in reporting ransomware incidents.
Cybersecurity is no longer just an IT issue – it is a critical business imperative. By adopting a Zero Trust approach, investing in threat intelligence, and ensuring airtight incident response strategies, South African organisations can strengthen their defences against ransomware and minimise the devastating financial and reputational consequences of an attack.