MARCH 2026 · 11 MIN READ

Ransomware defense for African banks: prevention, detection, recovery

Ransomware is no longer a theoretical risk for African banks. In 2024 and 2025, multiple financial institutions across the continent were hit by ransomware attacks that encrypted critical systems, disrupted services, and in some cases led to data exfiltration and ransom payments. East African banks are not exempt. The combination of growing digital infrastructure, increasing connectivity, and security programmes that have not yet caught up with the threat landscape makes the region an attractive target for ransomware operators.

This guide covers the current ransomware threat to African banks, the controls that actually prevent attacks, how to detect ransomware before it encrypts your environment, how to recover when prevention fails, and what BNR expects in terms of reporting and preparedness.

The ransomware threat landscape in Africa

Ransomware groups operate as businesses. They target organisations that have valuable data, high pressure to restore services quickly, and the financial capacity to pay. African banks check all three boxes.

What we are seeing in the region:

  • Ransomware-as-a-Service (RaaS) groups like LockBit, BlackCat (ALPHV), and their successors have expanded their targeting to include African financial institutions
  • Double extortion is standard: attackers encrypt systems and exfiltrate data, threatening to publish sensitive customer information if the ransom is not paid
  • Dwell times are long: in many African incidents, attackers were inside the network for weeks before deploying ransomware, giving them time to map the environment, disable backups, and maximise impact
  • Third-party vectors: attackers compromise a technology vendor or managed service provider to gain access to multiple banking clients simultaneously
  • Ransom demands for African financial institutions typically range from $100,000 to several million dollars, calibrated to what the attackers believe the institution can pay

The real cost is not the ransom. Even if you never pay, a ransomware attack on a bank means days to weeks of disrupted services, regulatory scrutiny, customer trust damage, incident response costs, potential data breach notification obligations, and the cost of rebuilding compromised systems. For African banks, where digital trust is still being established, the reputational damage can be particularly severe.

How ransomware gets into banks

Understanding the attack chain is essential for building effective defences. Ransomware attacks against financial institutions typically follow a predictable pattern:

Initial access

The most common entry points we see in East African banking environments:

  1. Phishing emails: a staff member clicks a malicious link or opens a weaponised attachment. Despite security awareness training, this remains the primary initial access vector. See our guide on social engineering threats to East African banks
  2. Exploited internet-facing systems: unpatched VPN appliances, web application vulnerabilities, exposed RDP services, and vulnerable mail servers. These are exactly the kinds of vulnerabilities a penetration test is designed to find
  3. Compromised credentials: stolen or weak passwords used for remote access, VPN, email, or admin interfaces. Credential stuffing from breached databases is increasingly common
  4. Third-party compromise: attackers gain access through a vendor’s VPN connection, remote support tool, or shared infrastructure. The recent bank fraud incident demonstrated how vendor access can become an attack vector
  5. Supply chain attacks: compromised software updates or tools from technology providers

Post-exploitation and lateral movement

After gaining initial access, ransomware operators do not immediately encrypt. They spend days or weeks:

  • Escalating privileges to domain administrator
  • Mapping the Active Directory environment
  • Identifying backup systems and their locations
  • Moving laterally to reach critical servers (core banking, databases, file servers)
  • Exfiltrating sensitive data for double extortion leverage
  • Disabling or deleting backups to ensure the victim cannot recover without paying
  • Deploying persistence mechanisms to maintain access even if some footholds are discovered

Deployment

Once positioned, the attackers deploy ransomware across the environment simultaneously, often during off-hours (Friday evening or holiday weekends) to maximise the window before detection and response.

Prevention controls

Prevention is your first line of defence. These controls directly reduce the probability of a successful ransomware attack:

Patch management

Keep all systems current, especially internet-facing infrastructure. VPN appliances, firewalls, email servers, and web applications must be patched promptly when security updates are released. The majority of ransomware incidents exploit known vulnerabilities for which patches already exist.

Priority targets: VPN concentrators (Fortinet, Pulse Secure, Citrix), Microsoft Exchange, web application frameworks, and any internet-facing management interface.

Email security

Deploy multi-layered email defences:

  • Email gateway filtering with attachment sandboxing
  • DMARC, DKIM, and SPF to prevent email spoofing
  • Link rewriting and URL scanning
  • Block macro-enabled Office documents from external senders
  • User reporting mechanism for suspicious emails
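A quick way to check whether a domain's DMARC and SPF records actually enforce anti-spoofing rather than merely monitor it. This is an added example, not code from the original guide; the records and the example-bank.rw domain are constructed for illustration.

```python
import re

# Constructed example records for a hypothetical bank domain (not real DNS data).
WEAK_DMARC = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example-bank.rw"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-bank.rw"
WEAK_SPF = "v=spf1 include:_spf.example-mailhost.com ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example-mailhost.com -all"


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag -> value pairs; {} if it is not a DMARC record."""
    tags = {k: v.strip() for k, v in re.findall(r"\s*([a-z]+)\s*=\s*([^;]+)", txt)}
    return tags if tags.get("v") == "DMARC1" else {}


def assess_spoofing_controls(dmarc_txt, spf_txt):
    """Return findings that leave the domain spoofable. An empty list means enforcing."""
    findings = []
    d = parse_dmarc(dmarc_txt)
    if not d:
        findings.append("no valid DMARC record: receivers will not reject spoofed mail")
    else:
        policy = d.get("p", "none")
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is only monitored, never blocked")
        elif policy != "reject":
            findings.append(f"DMARC p={policy}: spoofed mail is quarantined, not rejected")
        if int(d.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={d['pct']}: policy applied to only part of the traffic")
        if "sp" in d and d["sp"] != "reject":
            findings.append(f"DMARC sp={d['sp']}: subdomains can still be spoofed")
        if "rua" not in d:
            findings.append("no rua address: aggregate reports are not collected")
    if not spf_txt.startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot verify sending hosts")
    else:
        mech = spf_txt.split()[-1]          # the final 'all' mechanism decides unknown senders
        if mech in ("+all", "all", "?all"):
            findings.append(f"SPF ends in {mech}: any sender passes the SPF check")
        elif mech == "~all":
            findings.append("SPF ~all (softfail): blocking depends entirely on DMARC enforcement")
    return findings
```

Run it against the records you pull from DNS for your own domains; anything returned is a gap a phishing campaign spoofing your brand can exploit.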

Network segmentation

Segment your network so that a compromise in one area cannot spread to the entire environment:

  • Separate core banking systems from the corporate network
  • Isolate backup infrastructure on a dedicated network segment
  • Segment internet-facing systems (DMZ) from internal systems
  • Implement micro-segmentation for critical workloads
  • Control east-west traffic, not just north-south

Network segmentation is the single most impactful architectural control against ransomware. If your network is flat, a single compromised workstation gives the attacker access to everything.

Privileged access management

  • Implement multi-factor authentication for all administrative access
  • Use privileged access management (PAM) solutions for domain admin and service accounts
  • Remove standing admin privileges from user workstations (no local admin rights for daily use)
  • Implement just-in-time (JIT) access for privileged operations
  • Monitor and alert on all privileged authentication events

Backup architecture

Your backup infrastructure is a primary target for ransomware operators. Protect it accordingly:

  • Air-gapped or immutable backups: at least one backup copy must be offline or immutable (cannot be modified or deleted even by an administrator)
  • 3-2-1 rule: three copies of data, on two different media types, with one offsite
  • Backup integrity testing: regularly restore from backups to verify they actually work. Untested backups are not backups
  • Separate credentials: backup systems should use different credentials from the production Active Directory
  • Encrypted backups: protect backup data against exfiltration

Test your backups. We routinely encounter institutions that have backup systems running but have never tested a full restoration. The worst time to discover that your backups are corrupted, incomplete, or too slow to restore is during a ransomware incident. Schedule quarterly backup restoration tests for critical systems.

Application security

Reduce the web application attack surface through regular penetration testing and secure development practices. Web applications and APIs are common initial access vectors, especially in banking environments with customer-facing portals and mobile banking backends. See our API security guide for banking-specific considerations.

Detection capabilities

Prevention will not stop everything. Detection capabilities determine whether a ransomware attack is caught in the early stages (when damage can be limited) or after encryption has begun (when options are severely limited).

What to monitor

  • Endpoint detection and response (EDR): deploy EDR on all endpoints and servers. EDR tools detect the behavioural patterns of ransomware (rapid file encryption, process injection, privilege escalation) even when the specific malware variant is unknown
  • SIEM with relevant detection rules: collect logs from Active Directory, endpoint protection, network devices, email gateway, and VPN. Alert on: mass file rename events, unusual service account activity, new administrative account creation, large data transfers to external destinations, and lateral movement patterns
  • Network detection: monitor for unusual SMB traffic patterns, Cobalt Strike or other C2 framework beacons, DNS tunnelling, and connections to known malicious infrastructure
  • Active Directory monitoring: alert on changes to domain admin groups, Group Policy modifications, new service accounts, and DCSync or DCShadow activity
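Three of the SIEM rules listed above (new administrative accounts, additions to privileged groups, and mass file rename/encryption bursts) as detection logic over normalised Windows Security events. This is an added example, not code from the original guide; the events are constructed, and the field names are what a hypothetical log pipeline might produce rather than any particular SIEM's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event IDs are the standard Windows ones:
# 4720 = user account created, 4728 = member added to a security-enabled global group,
# 4663 = an attempt was made to access an object (here: file writes on a file server).
SAMPLE_EVENTS = [
    {"ts": "2026-03-06T22:01:00", "id": 4720, "user": "svc_backup", "target": "helpdesk2"},
    {"ts": "2026-03-06T22:01:05", "id": 4728, "user": "svc_backup", "target": "helpdesk2",
     "group": "Domain Admins"},
] + [
    {"ts": f"2026-03-06T22:03:{i:02d}", "id": 4663, "user": "helpdesk2",
     "target": f"\\\\FS01\\finance\\ledger_{i}.xlsx.locked"}
    for i in range(40)
] + [
    {"ts": "2026-03-06T22:10:00", "id": 4663, "user": "jane", "target": "\\\\FS01\\hr\\report.docx"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SUSPECT_EXT = (".locked", ".encrypted", ".crypt")   # extensions typical of encrypted output
RENAME_THRESHOLD = 30                               # suspicious writes per account per WINDOW
WINDOW = timedelta(seconds=60)


def detect(events):
    """Return (rule, actor, detail) alerts for the three rules, in event order."""
    alerts = []
    recent = defaultdict(deque)   # per-account timestamps of suspicious file writes
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4720:
            alerts.append(("new_account", e["user"], e["target"]))
        elif e["id"] == 4728 and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", e["user"], f"{e['target']} -> {e['group']}"))
        elif e["id"] == 4663 and e["target"].lower().endswith(SUSPECT_EXT):
            q = recent[e["user"]]
            q.append(ts)
            while q and ts - q[0] > WINDOW:    # sliding window: drop writes older than WINDOW
                q.popleft()
            if len(q) == RENAME_THRESHOLD:     # fire once, when the threshold is crossed
                alerts.append(("mass_encryption", e["user"],
                               f"{len(q)} encrypted-looking writes in {WINDOW.seconds}s"))
    return alerts
```

In practice the new-account and group-change rules should fire on every occurrence outside an approved change window, while the encryption rule's threshold and extension list need tuning against your own file-server baseline.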

Detection timeline

The window between initial access and ransomware deployment is your opportunity. Most ransomware operators spend 3 to 14 days inside the network before deploying. If you detect the intrusion during this window, you can contain the incident before encryption occurs.

Key metrics:

  • Mean time to detect (MTTD): the time from initial compromise to your team identifying that something is wrong
  • Mean time to respond (MTTR): the time from detection to containment of the threat

For East African banks without dedicated SOC capabilities, managed detection and response (MDR) services can provide 24/7 monitoring and alerting at a fraction of the cost of building an in-house SOC.

Recovery planning

When ransomware successfully encrypts systems, your recovery capability determines the outcome.

Immediate actions (first hour)

  1. Isolate: disconnect affected systems from the network immediately. Physically unplug network cables if necessary. Do not just disable Wi-Fi
  2. Contain: identify the scope of encryption and isolate unaffected systems before the ransomware spreads further
  3. Preserve evidence: capture memory images and disk images of affected systems before any remediation. You will need these for investigation and potentially for law enforcement
  4. Activate the incident response plan: invoke your incident response team and plan
  5. Assess backup status: determine whether backups are intact, accessible, and not encrypted

Recovery process

  1. Identify the ransomware variant: this determines whether free decryptors are available (some older variants have been cracked by security researchers)
  2. Assess the damage: which systems are encrypted, which are clean, what data was exfiltrated
  3. Rebuild from clean images: do not attempt to “clean” encrypted systems. Rebuild from known-good images or install fresh
  4. Restore data from backups: restore from the most recent clean backup, verifying integrity at each step
  5. Validate before reconnecting: ensure restored systems are clean before reconnecting them to the network
  6. Implement enhanced monitoring: increase monitoring intensity during the recovery period. Attackers sometimes maintain secondary access and return

The ransom question

We advise against paying ransoms. The reasons:

  • Payment funds criminal operations and incentivises further attacks
  • Payment does not guarantee decryption. Some groups provide decryptors that only partially work
  • Payment marks your institution as willing to pay, increasing the likelihood of repeat targeting
  • Even with decryption, you cannot trust that exfiltrated data will be deleted
  • Regulatory and legal complications from paying criminal organisations

The investment in prevention, detection, and backup infrastructure that eliminates the need to consider payment is always more cost-effective than a ransom payment plus the associated costs.

BNR reporting requirements

A ransomware attack on a BNR-supervised institution is a reportable cyber incident. BNR expects:

  • Prompt notification to BNR upon discovery of the attack
  • Initial report covering the nature of the attack, systems affected, customer data at risk, containment actions taken, and business continuity status
  • Progress updates as the situation evolves
  • Final incident report with root cause analysis, full impact assessment, remediation actions taken, and measures to prevent recurrence

Failure to report, or delayed reporting, can result in regulatory action on top of the operational damage from the attack itself.

Building ransomware resilience

A ransomware-resilient bank combines:

  1. Regular penetration testing to find and fix the vulnerabilities that enable initial access
  2. Network segmentation to limit the blast radius of any compromise
  3. EDR and monitoring to detect attackers during the pre-encryption dwell time
  4. Immutable backups to ensure recovery without ransom payment
  5. Tested incident response plans so the team knows what to do when the alert fires
  6. Security awareness training to reduce the phishing risk that enables most attacks. See our security awareness training

None of these controls alone is sufficient. Together, they create a defence-in-depth posture that makes ransomware attacks significantly harder to execute and significantly easier to recover from.

How we can help

We are an OSCP-certified penetration testing firm based in Kigali. We help banks across East Africa strengthen their ransomware defences through penetration testing that identifies the vulnerabilities ransomware operators exploit, security architecture review that evaluates segmentation and backup resilience, and incident response readiness assessments.

For full details on our testing methodology, see our penetration testing service page. For broader security programme assessments, see our security assessments service page. Contact us to assess your institution’s ransomware resilience.
