Ransomware is no longer a theoretical risk for African banks. INTERPOL's Africa Cyberthreat Assessment Report 2025 records rising ransomware detections across the continent in 2024, with South Africa (17,849) and Egypt (12,281) recording the highest volumes, followed by Nigeria (3,459) and Kenya (3,030). The combination of growing digital infrastructure, increasing connectivity, and security programmes that have not yet caught up with the threat makes banks across the continent, East African institutions included, attractive targets for ransomware operators.
This guide covers the threat, the controls that prevent attacks, detection before encryption begins, recovery when prevention fails, and what BNR expects in reporting and preparedness.
The ransomware threat landscape in Africa
Ransomware groups operate as businesses. They target organisations that have valuable data, high pressure to restore services quickly, and the financial capacity to pay. African banks check all three boxes.
The pattern across the continent:
- Ransomware-as-a-Service (RaaS) groups like LockBit, BlackCat (ALPHV), and their successors have expanded their targeting to include African financial institutions
- Double extortion is standard: attackers encrypt systems and exfiltrate data, threatening to publish sensitive customer information if the ransom is not paid
- The pre-encryption window is short and shrinking: Mandiant's M-Trends 2025 report puts the global median dwell time at 11 days, and just 5 days in cases where the adversary announced itself, which is typical of ransomware. Attackers use that window to map the environment, disable backups, and maximise impact
- Third-party vectors: attackers compromise a technology vendor or managed service provider to gain access to multiple banking clients simultaneously
- Ransom demands are calibrated, not fixed: operators research the institution's revenue and insurance position and set the demand at what they believe it can pay
The real cost is not the ransom. Even if you never pay, a ransomware attack on a bank means days to weeks of disrupted services, regulatory scrutiny, incident response costs, breach notification obligations, and the cost of rebuilding compromised systems. For African banks, where digital trust is still being established, the reputational damage can be particularly severe.
How ransomware gets into banks
Understanding the attack chain is essential for building effective defences. Ransomware attacks against financial institutions typically follow a predictable pattern:
Initial access
Sophos's State of Ransomware 2024 survey found exploited vulnerabilities the most commonly identified root cause of an attack (32%), followed by compromised credentials (29%) and malicious email (23%). The entry points that matter in banking environments:
- Exploited internet-facing systems: unpatched VPN appliances, web application vulnerabilities, exposed RDP services, and vulnerable mail servers. These are exactly the kinds of vulnerabilities a penetration test is designed to find
- Compromised credentials: stolen or weak passwords used for remote access, VPN, email, or admin interfaces. Credential stuffing from breached databases is increasingly common
- Phishing emails: a staff member clicks a malicious link or opens a weaponised attachment. Sustained staff awareness training is the most reliable control here; see our security awareness training service
- Third-party compromise: attackers gain access through a vendor's VPN connection, remote support tool, or shared infrastructure. The recent bank fraud incident demonstrated how vendor access can become an attack vector
- Supply chain attacks: compromised software updates or tools from technology providers
Post-exploitation and lateral movement
After gaining initial access, ransomware operators do not immediately encrypt. They spend the dwell window, typically a few days, on:
- Escalating privileges to domain administrator
- Mapping the Active Directory environment
- Identifying backup systems and their locations
- Moving laterally to reach critical servers (core banking, databases, file servers)
- Exfiltrating sensitive data to use as a double-extortion threat
- Disabling or deleting backups to ensure the victim cannot recover without paying
- Deploying persistence mechanisms to maintain access even if some footholds are discovered
Deployment
Once positioned, the attackers deploy ransomware across the environment simultaneously, often during off-hours (Friday evening or holiday weekends) to maximise the window before detection and response.
Prevention controls
Prevention is your first line of defence. These controls directly reduce the probability of a successful ransomware attack:
Patch management
Keep all systems current, especially internet-facing infrastructure. VPN appliances, firewalls, email servers, and web applications must be patched promptly when security updates are released. Per the Sophos figures above, exploited vulnerabilities are the most commonly identified root cause of ransomware attacks; prompt patching of internet-facing systems closes that route.
Priority targets: VPN concentrators (Fortinet, Pulse Secure, Citrix), Microsoft Exchange, web application frameworks, and any internet-facing management interface.
Email security
Deploy multi-layered email defences:
- Email gateway filtering with attachment sandboxing
- DMARC, DKIM, and SPF to prevent email spoofing
- Link rewriting and URL scanning
- Block macro-enabled Office documents from external senders
- User reporting mechanism for suspicious emails
Network segmentation
Segment your network so that a compromise in one area cannot spread to the entire environment:
- Separate core banking systems from the corporate network
- Isolate backup infrastructure on a dedicated network segment
- Segment internet-facing systems (DMZ) from internal systems
- Implement micro-segmentation for critical workloads
- Control east-west traffic, not just north-south
Network segmentation is the single most impactful architectural control against ransomware. If your network is flat, a single compromised workstation gives the attacker access to everything.
Privileged access management
- Implement multi-factor authentication for all administrative access
- Use privileged access management (PAM) tooling for domain admin and service accounts
- Remove standing admin privileges from user workstations (no local admin rights for daily use)
- Implement just-in-time (JIT) access for privileged operations
- Monitor and alert on all privileged authentication events
Backup architecture
Your backup infrastructure is a primary target for ransomware operators. Protect it accordingly:
- Air-gapped or immutable backups: at least one backup copy must be offline or immutable (cannot be modified or deleted even by an administrator)
- 3-2-1 rule: three copies of data, on two different media types, with one offsite
- Backup integrity testing: regularly restore from backups to verify they actually work. Untested backups are not backups
- Separate credentials: backup systems should use different credentials from the production Active Directory
- Encrypted backups: protect backup data against exfiltration
Test your backups. We routinely encounter institutions that have backup systems running but have never tested a full restoration. The worst time to discover that your backups are corrupted, incomplete, or too slow to restore is during a ransomware incident. Schedule quarterly backup restoration tests for critical systems.
Application security
Reduce the web application attack surface through regular penetration testing and secure development practices. Web applications and APIs are common initial access vectors, especially in banking environments with customer-facing portals and mobile banking backends. See our API security guide for banking-specific considerations.
Detection capabilities
Prevention will not stop everything. Detection capabilities determine whether a ransomware attack is caught in the early stages (when damage can be limited) or after encryption has begun (when options are severely limited).
What to monitor
- Endpoint detection and response (EDR): deploy EDR on all endpoints and servers. EDR tools detect the behavioural patterns of ransomware (rapid file encryption, process injection, privilege escalation) even when the specific malware variant is unknown
- SIEM with relevant detection rules: collect logs from Active Directory, endpoint protection, network devices, email gateway, and VPN. Alert on: mass file rename events, unusual service account activity, new administrative account creation, large data transfers to external destinations, and lateral movement patterns
- Network detection: monitor for unusual SMB traffic patterns, Cobalt Strike or other C2 framework beacons, DNS tunnelling, and connections to known malicious infrastructure
- Active Directory monitoring: alert on changes to domain admin groups, Group Policy modifications, new service accounts, and DCSync or DCShadow activity
Detection timeline
The window between initial access and ransomware deployment is your opportunity, and it is measured in days, not weeks. Mandiant's M-Trends 2025 report puts the global median dwell time at 11 days across all intrusions, and 5 days where the adversary announced itself, the typical ransomware pattern. If you detect the intrusion during this window, you can contain the incident before encryption occurs.
Key metrics:
- Mean time to detect (MTTD): how quickly do you identify that something is wrong
- Mean time to respond (MTTR): how quickly can you contain the threat after detection
For banks without a dedicated SOC, managed detection and response (MDR) services can provide 24/7 monitoring and alerting at a fraction of the cost of building one in-house.
Recovery planning
When ransomware successfully encrypts systems, your recovery capability determines the outcome.
Immediate actions (first hour)
- Isolate: disconnect affected systems from the network immediately. Physically unplug network cables if necessary. Do not just disable Wi-Fi
- Contain: identify the scope of encryption and isolate unaffected systems before the ransomware spreads further
- Preserve evidence: capture memory images and disk images of affected systems before any remediation. You will need these for investigation and potentially for law enforcement
- Activate the incident response plan: invoke your incident response team and plan
- Assess backup status: determine whether backups are intact, accessible, and not encrypted
Recovery process
- Identify the ransomware variant: this determines whether free decryptors are available (some older variants have been cracked by security researchers)
- Assess the damage: which systems are encrypted, which are clean, what data was exfiltrated
- Rebuild from clean images: do not attempt to "clean" encrypted systems. Rebuild from known-good images or install fresh
- Restore data from backups: restore from the most recent clean backup, verifying integrity at each step
- Validate before reconnecting: ensure restored systems are clean before reconnecting them to the network
- Implement enhanced monitoring: increase monitoring intensity during the recovery period. Attackers sometimes maintain secondary access and return
The ransom question
We advise against paying ransoms. The reasons:
- Payment funds criminal operations and incentivises further attacks
- Payment does not guarantee decryption. Some groups provide decryptors that only partially work
- Payment marks your institution as willing to pay, increasing the likelihood of repeat targeting
- Even with decryption, you cannot trust that exfiltrated data will be deleted
- Regulatory and legal complications from paying criminal organisations
Investment in prevention, detection, and backups that removes the need to consider payment costs less than a ransom plus its fallout.
BNR reporting requirements
A ransomware attack on a BNR-supervised institution is a reportable cyber incident. BNR expects:
- Prompt notification to BNR upon discovery of the attack
- Initial report covering the nature of the attack, systems affected, customer data at risk, containment actions taken, and business continuity status
- Progress updates as the situation evolves
- Final incident report with root cause analysis, full impact assessment, remediation actions taken, and measures to prevent recurrence
Failure to report, or delayed reporting, can result in regulatory action on top of the operational damage from the attack itself.
Building ransomware resilience
A ransomware-resilient bank combines:
- Regular penetration testing to find and fix the vulnerabilities that enable initial access
- Network segmentation to limit the blast radius of any compromise
- EDR and monitoring to detect attackers during the pre-encryption dwell time
- Immutable backups to ensure recovery without ransom payment
- Tested incident response plans so the team knows what to do when the alert fires
- Security awareness training to cut the phishing and credential-theft routes into the bank. See our security awareness training
No single control is sufficient. Together they create a defence-in-depth posture that makes ransomware harder to execute and easier to recover from.
How we can help
IMIZI Cyber is an offensive security firm based in Kigali. We help banks and other regulated institutions across Africa strengthen their ransomware defences through penetration testing that finds the vulnerabilities ransomware operators exploit for initial access, security architecture review that evaluates segmentation and backup resilience, and incident response readiness assessments. Our team tests the environment and writes the report; the findings map directly to the prevention, detection, and recovery controls above, with evidence a board and a BNR examiner can both act on.
For full details on our methodology, see our penetration testing service page. For broader security programme assessments, see our security assessments service page. Book a Free Call to assess your institution's ransomware resilience.