Cybersecurity · Incident Response

Ransomware Recovery Playbook for South African SMEs

If you are reading this during an active incident: skip to 'Hour 0–4' and call 087 821 3000 or tap the WhatsApp button. If you are reading this to prepare — even better. This is the playbook 1ICT runs when a South African client is hit.

12 min read Updated July 2026

Hour 0–4 — contain, do not investigate

The first four hours decide whether this is a bad week or a bad quarter. The goal is containment, not forensics. Forensics happens after the bleeding stops.

  1. Disconnect, do not power off. Pull network cables and disable Wi-Fi on affected machines. Powering off destroys volatile memory that forensics needs later.
  2. Isolate the domain. Disable inbound VPN, block outbound traffic at the firewall to all but known-good IPs, revoke recently created admin accounts.
  3. Kill the backup path. Air-gap or offline your backup targets immediately — modern ransomware hunts backups first.
  4. Rotate credentials for the top 20 accounts. All Global Admins, domain admins, service accounts, and anyone with M365 privileged roles. Force MFA re-enrolment.
  5. Preserve evidence. Do not delete the ransom note, do not touch the encrypted files, screenshot everything with timestamps.
  6. Call your MSP and your cyber-insurer. Insurers usually require notification within 24–72 hours or coverage lapses.

Day 1 — assess and report

  • Scope: which systems, which data, which users. A single spreadsheet of "what we know / what we don't".
  • Identify the strain. The ransom note usually names the group; ID Ransomware and the No More Ransom project sometimes have free decryptors for older families.
  • Data exfiltration check. Modern ransomware exfiltrates before encrypting. Assume data was stolen until proven otherwise — this changes your legal duty.
  • Notify. Information Regulator (POPIA), your bank if financial data is involved, your board, and — if you are JSE-listed — SENS.
  • Do NOT negotiate directly. If communication with the attacker is required (usually to verify data), a specialist negotiator does it. Never with your own email.

Days 2–7 — rebuild, don't restore

The instinct is to restore last week's backup and go home. Don't. Attackers frequently sit on the network for 30–90 days before triggering, meaning your recent backups may contain their persistence.

  1. Build a clean network. New VLAN, new domain if AD was compromised, fresh Windows images from Microsoft ISO — not from your gold image.
  2. Restore data only, not systems. Files back onto rebuilt servers. Never restore a whole VM image without deep forensic scanning first.
  3. Reset every credential. Every user, every service account, every API key, every MFA seed.
  4. Deploy EDR before reconnecting endpoints. Every machine gets a modern endpoint agent (Defender for Business, SentinelOne) before it joins the new network.
  5. 14-day hypercare. Elevated monitoring, daily standup, mailbox and admin log review. Re-infection in the first 30 days is common.
  • POPIA s.22: notify the Information Regulator and affected data subjects "as soon as reasonably possible" after a compromise of personal information.
  • Cybercrimes Act (2020): unauthorised access, interference and interception are criminal offences — you may have grounds to lay a charge with SAPS Cyber Crimes Unit.
  • Companies Act: directors have a fiduciary duty to disclose material events to shareholders.
  • Sector-specific: financial services (FSCA), healthcare (HPCSA), legal (LPC) all have additional notification duties.
  • JSE-listed: a material cyber incident is a SENS-reportable event.

The prevention baseline that stops 95%

  • MFA on every account. No exceptions. Conditional access blocking legacy protocols.
  • EDR with human response. Not just antivirus — a monitored endpoint tool with an SLA.
  • Immutable, offline-capable backups. 3-2-1 rule, with restore tested monthly.
  • Monthly patching, verified. Windows, browsers, VPN appliances, firewall firmware.
  • Least privilege & PAM. No one uses a domain admin account for daily work. Ever.
  • User awareness training. Quarterly phishing simulations with follow-up coaching.

Frequently asked questions

Should we pay the ransom?

No. Roughly 40% of paying victims never receive a working decryptor, average recovery still takes weeks, and paying marks you as a soft target for repeat attacks. Paying may also violate sanctions regimes if the group is a listed threat actor.

Do we have to report a ransomware attack in South Africa?

Yes. POPIA section 22 requires notification to the Information Regulator and affected data subjects 'as soon as reasonably possible' after discovery of a compromise of personal information. Listed entities also have JSE disclosure duties.

How long does recovery typically take?

For an SME with tested, immutable backups: 2–5 business days. Without tested backups: 3–8 weeks and often incomplete. The single biggest predictor of recovery time is whether backup restores were tested in the last 90 days.

Will our cyber-insurance cover it?

Only if you meet the policy's baseline controls — MFA on every account, EDR deployed, offline backups, patch cadence. Most SA denials trace back to a missing MFA on the compromised account.

Can we prevent this from happening again?

The same five controls stop 95% of ransomware: MFA everywhere, EDR with 24/7 response, offline immutable backups, monthly patching, and user awareness training. None are expensive individually — the failure is always in the gaps between them.

Active incident? Call now.

1ICT provides 24/7 incident response for South African businesses — call 087 821 3000, tap the WhatsApp button, or start a fix-price readiness engagement.