Good, boring cybersecurity

Ransomware has matured into a criminal industry with franchises, profit splits and negotiation playbooks. South Africa is not a bystander.

07 May 2026

In March 2026, a hacker group called XP95 posted on Telegram claiming it had taken 154GB of data from Statistics South Africa and wanted $100 000 to keep it quiet. Stats SA confirmed the breach, said it would not pay, and reported it to the Information Regulator. This was the third South African government entity hit that month. The Gauteng provincial government had already lost 3.8TB of data, which was then listed for sale on a dark web marketplace for over R400 000. The Gauteng City Region Academy had 147GB of data taken, with XP95 demanding the same $100 000 ransom. XP95 is a new hacker group that operates with an interface designed to mimic Windows 95 and Windows XP. By the standards of the ransomware world, it is relatively small. Stats SA, which produces the local data on which government and business rely, was not taken down by a sophisticated, state-sponsored actor running a years-long operation, but by a group that had barely announced itself.

According to the ‘Interpol Africa Cyberthreat Assessment Report 2025’, South Africa recorded the highest number of ransomware detections in Africa. Sophos’ ‘State of Ransomware 2025’ report found that the median ransom demand in South Africa was R17mn last year, with recovery costs averaging R24mn. “There’s been a false sense of security based on the fact that we’re far away from Europe or the US,” says Allan Juma, cybersecurity specialist at ESET Southern Africa. “But global ransomware actors are already here, in South Africa, Uganda, Kenya, and they’re expanding their operations.”
