• Fri. Apr 17th, 2026

Ransomware’s Quiet Toll on Zimbabwe and South Africa’s Economies

By Tinotenda Bhunu & Josephine Dhliwayo

HARARE – WHEN a hospital cannot pull up patient records, when a bank’s systems go dark mid-transaction, when a government ministry finds its files locked behind a cryptocurrency demand, most people reach for the word “hack” and move on. They probably should not. What they are looking at is not a technical glitch or the work of some hoodie-wearing loner in a basement. It is a slice of a global criminal economy that now generates more revenue than the drug trade, counterfeiting, and human trafficking put together. Ransomware has quietly become one of the most consequential economic threats of our time, and Southern Africa is not watching from the sidelines.

The World Economic Forum puts the global cost of cybercrime at $10.5 trillion for 2025. Ransomware alone is expected to account for $57 billion of that, around $156 million every single day. What makes this particularly uncomfortable for this region is that over 40% of the world’s major ransomware attacks are now directed at African organisations, a continent that holds a fraction of global digital infrastructure. African organisations absorb nearly 3,153 cyberattacks per week on average, almost double what organisations elsewhere in the world face. Anyone still treating this as someone else’s problem needs to reconsider.

Hacking as a Business

The reason this keeps getting worse is not mysterious. Ransomware stopped being a niche criminal activity a long time ago. It is now an industry, complete with developers, affiliates, customer support desks, and revenue sharing agreements. The model is called Ransomware-as-a-Service, and it works roughly the way a franchise does. A developer builds and maintains the attack software. An affiliate, who may have zero technical background, rents it, finds a target, deploys it, and collects. The affiliate typically walks away with 60 to 80 percent of whatever ransom gets paid. Some of these platforms come with negotiation services, automated targeting tools, and live dashboards. They look less like a crime operation and more like a startup.

What this means in practice is that the barrier to entry for ransomware has essentially disappeared. You do not need to know how to write malicious code. You need to know how to buy stolen login credentials on a dark web marketplace, which can cost as little as $1,500, and follow instructions. Between January and September 2025, more than 6,330 ransomware cases surfaced on the dark web, up 47% from the same stretch in 2024.

The financial logic is hard to argue with from the attacker’s side. Average ransom demands hit $2.2 million in 2024. The total cost to a victim, once you add up downtime, recovery work, legal exposure, and reputational fallout, averaged $5.13 million. Downtime alone tends to cost more than the ransom itself, with organisations typically spending 24 days getting back to full operations. Every organisation that pays reinforces the whole ecosystem.

This is also not a problem that better technology alone can solve. ISACA’s State of Cybersecurity 2025 report found that 55% of cybersecurity teams are currently understaffed, with 63% of professionals citing the complex threat landscape as their leading stressor. Globally, the cybersecurity workforce gap reached a record four million unfilled positions, with ISACA research finding that 62% of cybersecurity teams were understaffed. In a region like Southern Africa, where skilled professionals are already scarce and compensation cannot compete with international markets, these figures land harder than they do in Europe or North America.

The Governance Gap: What NIST and ISO 27001 Are Telling Us

The international community has not been quiet about what good ransomware defence looks like. The US National Institute of Standards and Technology has published a dedicated Ransomware Risk Management Profile under its Cybersecurity Framework, updated in 2025 to align with CSF 2.0. NIST’s updated incident response guidance, released in April 2025, recommends expanding cybersecurity response teams beyond IT departments to include company leadership, legal teams, public relations, and human resources, and endorses a shared responsibility model where cybersecurity operations are partially outsourced to dedicated third parties with clearly defined responsibilities. The core message: cybersecurity is no longer an IT function. It is an enterprise governance function. CSF 2.0’s introduction of a new “Govern” function explicitly elevates cybersecurity to strategic, enterprise-level oversight, with boards and executives taking active responsibility for risk tolerance, security policy, and accountability across departments.

ISO/IEC 27001, the internationally recognised standard for Information Security Management Systems, makes a similar argument from a different angle. Conformity with ISO/IEC 27001 means that an organisation has put in place a system to manage risks related to the security of data it owns or handles, and that the system respects internationally established best practices and principles. It is not a silver bullet. But it creates a formal, auditable framework for identifying vulnerabilities before attackers do. The number of valid ISO/IEC 27001 certificates nearly doubled globally, jumping from 48,671 in 2023 to 96,709 in 2024, reflecting a sharp worldwide push toward formalising information security governance. The top countries driving that growth are in Asia and Europe. Africa, including South Africa and Zimbabwe, is barely represented in those numbers, which is itself a statement about where the governance gap sits.

South Africa: A Target It Cannot Afford to Ignore

South Africa is, by a wide margin, the most ransomware-targeted country on the African continent. More than 40% of all ransomware attacks in Africa hit South African organisations in the second half of 2024, with 17,849 detections recorded that year alone, more than Egypt, Nigeria, and Kenya combined. The country’s relatively advanced digital economy, large corporate sector, and high internet penetration make it exactly the kind of high-value, high-probability-of-payment target that RaaS operators optimise for.

The attacks are not abstract. In June 2024, the National Health Laboratory Service was hit by a ransomware attack that deleted backups, stole 1.2 terabytes of data, and disrupted systems while the country was managing an mpox outbreak. In January 2025, the South African Weather Service disclosed a separate attack by the RansomHub group. Dark web monitoring has since revealed a steady stream of South African corporate data listed for sale. In one documented case, access to the internal network of a transportation company generating over $1.5 billion in annual revenue was on offer for just $1,500. The asymmetry between what attackers invest and what victims lose is almost absurd.

The legal framework exists. The Cybercrimes Act of 2020 is on the books. But enforcement against transnational threat actors remains limited, and South Africa has signed but not ratified the Budapest Convention, the primary global instrument for cross-border cybercrime cooperation. That is not a procedural footnote. It is a structural gap that constrains the country’s ability to pursue criminal actors operating from Russia, China, Iran, and elsewhere.

There is also a trade dimension emerging that South African business cannot afford to ignore. The EU’s NIS2 directive is tightening cybersecurity requirements across supply chains, and ISO 27001 compliance is increasingly the baseline expectation for any supplier that touches European value chains. The global ISO 27001 certification market was valued at $18.59 billion in 2025 and is expected to reach $74.56 billion by 2035, with growth driven by digitisation and regulatory pressure. South African firms that have not formalised their information security posture are going to find that conversation happening sooner than they expect, not from regulators, but from the procurement departments of their European clients.

The Money Trail: What FATF Is Saying About Ransomware Finance

One dimension that rarely gets adequate attention in African policy discussions is the financial architecture that makes ransomware profitable. Ransom payments are made in cryptocurrency, run through mixing services, converted into stablecoins, and dispersed across multiple wallets before anyone can trace them. This is not an accident. It is a deliberate financial engineering strategy.

The Financial Action Task Force’s sixth targeted update on virtual assets, published in June 2025, highlighted a significant uptick in the use of virtual assets in fraud and scams, with one industry participant estimating approximately $51 billion in illicit on-chain activity in 2024 alone. The digital environment has enabled criminal groups to scale operations, with ransomware generating unprecedented proceeds, while the ability to freeze and seize digital assets before they are dispersed remains limited, particularly when funds are quickly transferred through anonymous wallets across multiple jurisdictions.

The regulatory picture is troubling. Based on 130 FATF mutual evaluations since the revised Recommendation 15 was adopted in 2019, 75% of jurisdictions remain only partially or non-compliant with FATF’s requirements for regulating virtual asset service providers. For Zimbabwe and South Africa, this matters directly. Weak regulation of cryptocurrency platforms domestically means that ransom payments originating from or flowing through these economies are difficult to trace, freeze, or recover. Every gap in virtual asset regulation is a gap in the financial defences against ransomware. FATF’s 2025 Asset Recovery Guidance specifically recommends that authorities integrate blockchain analytics into virtual asset investigations, noting that public blockchains provide real-time ledgers that can support rapid tracing and that virtual assets may in some cases be easier to seize and track than traditional high-value goods, but only if the regulatory and institutional capacity exists to do so.

Zimbabwe: Invisible Exposure, Real Risk

Zimbabwe barely appears in the global ransomware datasets. That has nothing to do with low incidence. It reflects the reality that most incidents go unreported, either because firms are not required to disclose them, lack the capacity to detect them properly, or simply choose to stay quiet. The ITU’s Global Cyberthreat Index places Zimbabwe among the most frequently targeted nations globally for malware. In October 2024, the country’s own Minister of ICT confirmed that local banks and other entities had been recently hacked. That statement did not get the attention it deserved.

The sharpest vulnerability in Zimbabwe sits in mobile money. This is not a peripheral concern. For millions of Zimbabweans with no meaningful access to formal banking, EcoCash and mobile payment platforms are the financial system, full stop. ZimSwitch and the RBZ’s RTGS infrastructure sit behind a large share of the country’s daily economic activity. A serious ransomware event targeting any of these systems would not be a corporate problem. It would be an economic emergency, one that freezes household transactions, disrupts trade, and chips further away at whatever trust people still have in the country’s digital financial architecture.

What makes Zimbabwe attractive to attackers is not complicated. Rapid digital adoption has outpaced security investment by a wide margin. There is a severe shortage of cybersecurity professionals, consistent with what ISACA has identified as a structural global deficit that falls hardest on emerging markets with thinner talent pipelines. Institutional capacity to detect or respond to incidents is limited. And there is essentially no meaningful probability of prosecution for attackers operating from abroad. Becker’s rational crime model is almost uncomfortably applicable here: when the expected punishment is low and the potential return is high, criminal activity increases. Zimbabwe currently offers that equation on a platter.

The government’s August 2024 cybersecurity training initiative, conducted with Huawei, is a step in the right direction. But training is not an incident response capability. It is not a functional Computer Security Incident Response Team. And it is not a NIST CSF-aligned governance structure or an ISO 27001 certified information security management system of the kind that serious institutional partners and foreign investors increasingly expect to see. On any honest assessment, Zimbabwe remains significantly underprepared for a serious ransomware incident against its critical systems.

What Is Actually at Stake

Beyond the immediate cost of any individual attack, ransomware imposes a persistent drag across the economy. For businesses, it functions as a hidden tax, one paid in insurance premiums, compliance costs, security investment, and lost working hours regardless of whether an attack ever arrives. For SMEs, which dominate both economies, the stakes are higher still. They face the same threat environment as large corporates but carry none of the same capacity to absorb a hit. A well-executed ransomware attack on a small business is not a setback. It tends to be the end.

For governments, the fiscal pressure runs in two directions. Cybercrime erodes the tax base as businesses shrink or disappear. At the same time, the state faces mounting pressure to fund cybersecurity for its own infrastructure, retrain law enforcement, and build a credible regulatory posture, including the virtual asset oversight frameworks that FATF has been pushing for years without achieving full compliance from most jurisdictions.

The investment deterrence effect tends to be underestimated in these discussions. When investors look at a country, they look at institutional risk. A market with documented ransomware attacks on banks and government systems, and no visible remediation framework, no NIST-aligned incident response structures, no ISO 27001 adoption across critical sectors, and incomplete FATF compliance on virtual assets, is signalling something. For Zimbabwe, actively courting foreign capital through ZIDA and the Special Economic Zones programme, the cumulative reputational cost of inaction is real even if it never shows up neatly on a spreadsheet.

And then there is financial inclusion. Both countries have made significant commitments to bringing unbanked populations into the formal economy, and mobile money is central to that agenda. Ransomware attacks that undermine confidence in those platforms do not just cause short-term disruption. They erode the trust that financial inclusion depends on, and rebuilding that trust takes far longer than recovering a server.

A Final Word

There is a tendency in policy circles to treat ransomware as a technical issue, something to be delegated to an IT team and occasionally mentioned in a risk register. That framing is costly. Ransomware is an economic problem. It is the product of rational actors who have looked at institutional weaknesses, enforcement gaps, poor adoption of international security standards, and chronic underinvestment in digital resilience across this region and concluded that the risk-adjusted returns are attractive. They are not wrong.

NIST has the framework. ISO 27001 has the certification standard. FATF has the financial crime guidelines. ISACA has the workforce development tools. The architecture for a credible response exists. What has been missing, in both Harare and Pretoria, is the political will to treat cybersecurity as the economic priority it actually is, rather than the IT budget line it has been treated as so far.

The criminals have already done the analysis on Zimbabwe and South Africa. The question worth asking now is whether the people responsible for these economies have done the same.

Tinotenda Bhunu is an economist and emerging thought leader specializing in economic policy, entrepreneurship, and development in fragile economies. With a sharp focus on market reforms, private property rights, and sustainable growth, he transforms complex economic challenges into actionable solutions that empower communities and shape the future of Zimbabwe and Africa.

Josephine Dhliwayo is a Data Science Lecturer at Midlands State University and a leading AI Consultant in Zimbabwe. With a Master’s in Information Technology and experience spanning both academia and the corporate sector, she is a prominent voice on technology and social development. A sought-after speaker, she attended the recent Tech Fusion conference, where she continues to champion innovation within Zimbabwe’s Education 5.0 framework.

