Ransomware is still often discussed as if it is mainly a malware problem. That view is outdated. For modern organisations, ransomware is now a recovery problem, a continuity problem and, increasingly, a board-level technology decision. The real differentiator is no longer only whether an organisation gets hit. It is how well it can see the attack, contain the blast radius, preserve recovery options and restore operations without losing control of the business. The organisations that recover faster are usually the ones that made those decisions long before the ransom demand arrived.
The data shows why this matters. Sophos’ 2025 enterprise ransomware research found that under half of attacks resulted in data encryption, down from the previous year, while the proportion stopped before encryption more than doubled over two years. That suggests defenders are improving. But the same research also found that 48 percent of enterprise organisations still paid the ransom to recover data, while backup usage dropped sharply to 53 percent. Recovery cost remained material, with mean remediation costs at $1.84 million, excluding any ransom. So while prevention is improving, recovery remains uneven and expensive.
“Ransomware recovery is now a leadership issue because the technical choices that determine recovery are made well before the incident,” says Pieter Nel, Sales Director – SADC, Sophos. “Boards do not need to run security tools, but they do need to understand whether the business can isolate systems, restore clean data, keep operating and make decisions quickly under pressure.”
The attack timelines are also tightening. Sophos found in 2026 that ransomware payloads are overwhelmingly deployed outside business hours, with 88 percent of payload deployment and 79 percent of data exfiltration happening during nights or weekends. The same report found attackers can reach Active Directory in around 3.4 hours once inside, and median dwell time had fallen to three days. That means organisations do not just need backups. They need visibility, alerting, log retention and response capability that operates when their own teams may be offline.
South African organisations have seen how quickly cyber incidents spill into operational disruption. Land Bank confirmed in February 2026 that a ransomware attack exploited a vulnerability on an internet-facing server and encrypted part of its environment, disrupting services. The South African Weather Service’s 2025 cyberattack also had material operational consequences, affecting systems, email and service delivery, with later reporting linking the incident to a sharp drop in performance. These cases underline the point that ransomware is not just about encrypted files. It is about interrupted services, delayed recovery, weakened public confidence and high-pressure executive decisions.
“The board-level question is not ‘Could ransomware happen to us?’” Nel says. “The better question is ‘What would recovery actually look like in our environment, and how much of it have we tested?’ If leadership cannot answer that, then the organisation is relying on hope.”
So what separates faster recovery from prolonged disruption? First, visibility. If logs are missing or retained for too short a period, defenders lose the evidence they need to understand scope and make confident containment decisions. Sophos warned in 2026 that missing logs due to data retention issues had doubled year on year, in part because some firewall appliances retained logs for as little as 24 hours. Second, segmentation. If the environment is too flat, ransomware spreads further and recovery becomes more complex. Third, identity protection. If attackers can return using compromised accounts, restoration becomes a loop instead of an endpoint.
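The two visibility failures described above, log retention shorter than attacker dwell time and activity that lands outside business hours, can be checked mechanically. The following is an added example, not Sophos' code or anything from the incidents mentioned; the log-source inventory, retention values, business-hours window and log lines are constructed for illustration, while the three-day median dwell time and 24-hour firewall retention figures come from the article.

```python
from datetime import datetime, timedelta

# Figures quoted in the article: median dwell time of three days, and some
# firewall appliances retaining logs for as little as 24 hours.
MEDIAN_DWELL = timedelta(days=3)
BUSINESS_HOURS = (8, 18)  # assumed local working window, Monday to Friday

# Constructed inventory of log sources and how long each keeps its logs
# (hypothetical values chosen to show one compliant and one deficient case).
LOG_SOURCES = {
    "perimeter-firewall": timedelta(hours=24),
    "domain-controller-security": timedelta(days=90),
    "vpn-gateway": timedelta(days=2),
    "edr-telemetry": timedelta(days=30),
}

def retention_gaps(sources, dwell=MEDIAN_DWELL, triage_lag=timedelta(days=1)):
    """Return the sources whose retention cannot cover the dwell window plus
    the assumed lag before an investigation actually starts."""
    needed = dwell + triage_lag
    return sorted(name for name, keep in sources.items() if keep < needed)

def is_off_hours(ts):
    """True on weekends or outside the business window, when teams may be offline."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def off_hours_events(lines):
    """Parse 'ISO-timestamp host event' lines and return the off-hours ones."""
    flagged = []
    for line in lines:
        stamp, host, event = line.split(" ", 2)
        ts = datetime.fromisoformat(stamp)
        if is_off_hours(ts):
            flagged.append((host, event))
    return flagged

# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = [
    "2026-03-13T10:15:00 dc01 account_created svc-backup2",  # Friday, business hours
    "2026-03-14T02:41:00 fs02 mass_rename *.locked",         # Saturday 02:41
    "2026-03-14T03:05:00 fs02 outbound_transfer 12GB",       # Saturday 03:05
    "2026-03-16T09:00:00 ws17 login_success jsmith",         # Monday 09:00
]

if __name__ == "__main__":
    print("retention gaps:", retention_gaps(LOG_SOURCES))
    for host, event in off_hours_events(SAMPLE_LOG):
        print("off-hours activity:", host, event)
```

Sources reported by retention_gaps would have already discarded the earliest evidence by the time a median-dwell intrusion is noticed, which is the scoping problem the article describes.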
“Recovery is not a single action,” Nel says. “It is a chain of decisions: detect, isolate, investigate, restore, validate and communicate. If one of those links is weak, the recovery timeline stretches, costs rise and leadership is forced into more difficult calls.”
Backups remain central, but backups alone are not a strategy. They need to be protected, segmented, regularly tested and aligned to the business’s actual recovery priorities. If the backup estate is incomplete, slow to restore or potentially compromised, executives may find themselves with fewer real options than they assumed. That is one reason the fall in backup-based recovery is concerning, even as some broader attack outcomes improve. Good recovery architecture is not judged by whether a backup exists. It is judged by whether it works under real conditions, at the speed the business requires.
This is also why managed detection and response, tested incident response plans and clear executive governance matter so much. Ransomware recovery demands technical depth, but it also demands coordination. Legal, communications, operations, finance and technology all become part of the response. Since 1st April 2025, South African organisations have also had to report security compromises through the Information Regulator’s eServices portal, adding another layer of accountability to how incidents are handled.
“Boards should be asking very practical questions,” Nel says. “How long would it take us to detect ransomware activity after hours? Can we contain identity compromise quickly? Have we tested recovery on critical systems? Are we confident in our logs, our backups and our response process? Those questions define resilience far better than a policy document does.”
