What Is Ransomware? A Plain-English Guide for Business
Ransomware locks your business data and demands payment to restore it. Here's what it is, how attacks unfold, and what South African businesses can do to protect themselves.
It's 7:14 on a Tuesday morning in Sandton. A logistics company's operations manager sits down at her desk, opens her laptop, and sees a message she's never seen before: "Your files have been encrypted. Pay 3 BTC within 72 hours or your data will be permanently destroyed."
Every driver schedule, every client delivery record, every invoice from the past four years — gone. Not deleted. Locked. Accessible only to criminals who hold the decryption key.
By 9am the company has called their IT support. By noon they've confirmed the backup is three weeks old and stored on a network drive that was also encrypted. By Friday they're deciding whether to pay.
This is ransomware. And it is happening to South African businesses every week.
What Is Ransomware?
Ransomware is a type of malicious software — malware — that infiltrates a computer or network, encrypts the files it finds, and then demands a ransom payment in exchange for the decryption key needed to restore access.
The word "encrypts" is important. The attacker doesn't steal your files and take them away. They lock them — in place, on your own systems — using the same strong encryption technology that protects online banking. Without the key, the files are unreadable. With the key, they're restored instantly.
This is what makes ransomware so effective as a criminal business model: the attacker doesn't need to do anything complex after the initial infection. They simply wait for you to need your data badly enough to pay.
What Gets Encrypted?
Ransomware is not selective. It will encrypt:
- Word documents, spreadsheets, PDFs
- Accounting and ERP databases
- Email archives
- Photos, videos, design files
- Server files and shared network drives
- Cloud-synced folders (including OneDrive and Google Drive)
- Backup files stored on connected drives
Modern ransomware specifically hunts for backup files because attackers know that a working backup eliminates the leverage. If your backup is connected to the same network, it is at risk.
How Does a Ransomware Attack Actually Work?
Most ransomware attacks follow the same basic sequence, even if the specific tools vary.
Step 1 — Entry. The attacker gets malware onto one machine inside your organisation. The most common methods are phishing emails (a staff member clicks a malicious link or opens a booby-trapped attachment), exposed remote desktop connections, or compromised credentials bought from other criminal groups.
Step 2 — Reconnaissance. The malware sits quietly — sometimes for weeks or months — mapping your network. It identifies file servers, backup systems, domain controllers, and administrator accounts. This waiting period is called "dwell time," and it is one of the most dangerous aspects of modern ransomware: by the time the attack triggers, the malware may have already poisoned your backups.
Step 3 — Privilege escalation. The malware attempts to gain administrator-level access so it can reach as many systems as possible. In smaller organisations without strict access controls, this step is often trivial.
Step 4 — Encryption. The attack triggers. Files across every accessible system are encrypted simultaneously — a process that can complete across an entire network in under an hour.
Step 5 — Ransom demand. A message appears on infected machines explaining the situation, stating the ransom amount, and providing payment instructions. Most ransoms are demanded in cryptocurrency — Bitcoin or Monero — because these transactions are difficult to trace.
Step 6 — Negotiation or payment. The attacker provides a communication channel where the victim can negotiate. Some groups operate professional "customer service" desks. Others disappear after payment.
Who Gets Hit?
A common misconception is that ransomware targets large corporations or government departments. In reality, smaller organisations are disproportionately targeted — precisely because they are less likely to have robust security controls, dedicated IT security staff, or tested backup systems.
South Africa is consistently ranked among the most-targeted countries in Africa for ransomware. The sectors most frequently affected locally include:
- Professional services (accounting, legal, consulting) — high-value data, often small IT teams
- Logistics and freight — operational disruption creates immediate payment pressure
- Healthcare — patient data is valuable; downtime is a clinical risk
- Retail and distribution — large transaction volumes, often legacy systems
- Financial services — obvious data value, strict regulatory obligations
But the honest answer is: any business with data it cannot afford to lose is a target.
What Happens If You Don't Pay?
If you have no working backup, your options are:
- Pay the ransom — with no guarantee the attacker will provide the decryption key, or that they haven't already exfiltrated your data separately.
- Attempt technical recovery — specialised forensic firms can sometimes recover files from partially encrypted drives, but success rates are low and costs are high.
- Accept the data loss — rebuild from whatever paper records, emails, or unaffected systems remain.
None of these are good outcomes. The average recovery time for a South African business without proper backup is measured in weeks, not hours — and that assumes the business survives the operational disruption at all.
There is also a POPIA dimension. If your organisation processes personal information — and almost every business does — a ransomware attack that results in data loss or unauthorised access triggers notification obligations under Section 22 of POPIA. Failure to notify the Information Regulator and affected data subjects carries fines of up to R10 million and potential criminal liability.
How Do You Protect Against Ransomware?
Effective ransomware protection works at two levels: prevention and recovery. Prevention reduces the probability of a successful attack. Recovery guarantees you can restore operations even if prevention fails.
Prevention measures include:
- Staff training on phishing email recognition
- Multi-factor authentication on all remote access and email accounts
- Regular patching of operating systems and applications
- Restricting Remote Desktop Protocol (RDP) access
- Endpoint detection and response tools that identify malicious behaviour
Recovery measures require:
- Immutable backup copies that cannot be encrypted or deleted by ransomware, even with administrator credentials. Immutability means the backup is written once and cannot be modified — the attacker has no path to corrupt it.
- Air-gapped or off-network backup storage so that backup systems are outside the blast radius of an attack on your primary network.
- Tested restore procedures so you know, before the attack, exactly how long recovery takes and what will be lost.
- Anomaly detection that identifies abnormal encryption or deletion behaviour early — ideally before the attack completes.
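One way the anomaly-detection measure in the list above can work in practice, as an added example that is not part of this page and not Druva's or Montana Data Company's code: a small Python checker over file-server write events that flags a user rewriting many files as random-looking (high-entropy) data with one new extension inside a short window. The event format, the thresholds and the sample events are all assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

WINDOW_SECONDS = 60       # activity is bucketed per user into 60-second windows
BURST_THRESHOLD = 20      # writes per window treated as abnormal for one user (assumed baseline)
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext approaches 8.0, office documents sit well below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted output looks random and scores near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension(path: str) -> str:
    """Last extension of the file name, lower-cased ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_encryption_bursts(events):
    """Group write events per (user, window) and flag windows that look like mass encryption.
    Each event is a dict with ts (epoch seconds), user, path and data (first bytes written)."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev["user"], ev["ts"] - ev["ts"] % WINDOW_SECONDS)].append(ev)
    alerts = []
    for (user, start), evs in sorted(buckets.items()):
        if len(evs) < BURST_THRESHOLD:          # ordinary editing never reaches the burst size
            continue
        high = sum(1 for e in evs if shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD)
        ext, ext_count = Counter(extension(e["path"]) for e in evs).most_common(1)[0]
        # Mass encryption: most writes are ciphertext AND most files get the same new extension
        if high / len(evs) >= 0.8 and ext_count / len(evs) >= 0.8:
            alerts.append({"user": user, "window_start": start, "files": len(evs),
                           "high_entropy_ratio": round(high / len(evs), 2), "extension": ext})
    return alerts

# Constructed sample events (not real telemetry): a normal user editing documents,
# then a compromised account rewriting dozens of files as ciphertext with one new extension.
PLAINTEXT = b"Invoice 2024-03 Customer: Acme Logistics Total: R12,450.00 Due in 30 days\n" * 4
CIPHERTEXT = bytes((i * 7919) % 256 for i in range(256))   # a byte permutation: entropy exactly 8.0
SAMPLE_EVENTS = [{"ts": 100 + i * 10, "user": "alice", "path": f"/finance/q1/report_{i}.docx",
                  "data": PLAINTEXT} for i in range(5)]
SAMPLE_EVENTS += [{"ts": 960 + i, "user": "bob", "path": f"/finance/q1/invoice_{i}.xlsx.locked",
                   "data": CIPHERTEXT} for i in range(30)]

if __name__ == "__main__":
    for a in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"ALERT user={a['user']} window={a['window_start']} files={a['files']} "
              f"entropy_ratio={a['high_entropy_ratio']} new_ext=.{a['extension']}")
```

Wired to a real file-server audit feed or EDR telemetry, an alert like this is the trigger to isolate the account and hosts involved while the immutable backup copy is still untouched.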
At Montana Data Company we deploy Druva's cloud backup platform, which stores backup data in immutable off-network cloud storage, combined with AI-driven anomaly detection that can identify ransomware activity within minutes of an attack beginning. Even if prevention fails entirely, recovery is measured in hours, not weeks.
Frequently Asked Questions
Can ransomware encrypt cloud storage like OneDrive or Google Drive?
Yes. OneDrive and Google Drive sync changes from your local device in near real-time. When ransomware encrypts files locally, the encrypted versions sync upward, overwriting the originals. Version history offers some protection but has limits — sophisticated ransomware is designed to exhaust version history before triggering the visible encryption.
Should I pay the ransom?
Generally no. Payment funds criminal operations, there is no guarantee of receiving a working decryption key, and paying does not address the underlying vulnerability. A clean, tested backup that pre-dates the attack is the only reliable path to full recovery.
How long does ransomware recovery take?
Without a proper backup: weeks to months, sometimes never. With a tested immutable backup: hours to a day, depending on data volume. The difference is entirely determined by the quality of your backup strategy before the attack.
What are my POPIA obligations after a ransomware attack?
Under POPIA Section 22, if a security compromise results in unauthorised access to or loss of personal information, the responsible party must notify the Information Regulator and affected data subjects as soon as reasonably possible. Failure to notify carries fines of up to R10 million and potential criminal liability for the Information Officer personally.