
South Africa has emerged as one of Africa’s most targeted nations for cyberattacks in 2025, with ransomware driving nearly a third of reported incidents.
According to recent threat intelligence data from Cyfirma, Devman accounted for 28.6% of ransomware activity, making it the most aggressive group operating in the region.

Other prominent actors, including Warlock, Incransom, and Arkana, were each linked to 9.5% of attacks.
The hardest-hit sectors were retail, which recorded five cases, and technology with four. Manufacturing experienced two ransomware incidents, while critical industries such as healthcare, government, and aviation also reported breaches.

Widespread vulnerabilities
Investigations revealed that South African networks remain exposed due to hundreds of unpatched vulnerabilities.
WordPress topped the list with over 70 reported issues, while Apache followed with 35. Vendors including D-Link, Ivanti, Atlassian, and Citrix recorded between 14 and 20 vulnerabilities. Oracle, Cisco, VMware, and Fortinet trailed with smaller numbers.

Legacy flaws continue to haunt organizations, with CVE-2017-18368 still among the most exploited weaknesses. Several vulnerabilities disclosed in 2023 are also being actively targeted, underscoring the risks posed by both outdated and newly discovered exposures.

Devman as a threat group
Devman came into the spotlight in early April 2025. The group publicly announced itself with an attack on the French transport company Documen, where an $800,000 ransom was demanded.
The gang is said to operate as part of the fragmented ransomware ecosystem, with affiliations to Qilin, APOS, and DragonForce. Over time, the group gained expertise and began operating its own ransomware-as-a-service infrastructure.
Devman is motivated purely by financial gain. Its tactics include disruption, data exfiltration, encryption, and extortion using double-extortion methods—encrypting files and stealing sensitive data to pressure victims.
The malware encrypts files by appending the extension “.devman” or variants like “.devman1.” It supports three distinct encryption modes: full encryption of the entire file for maximum data denial, header-only encryption to quickly render files unusable, and custom encryption for specific operational flexibility.
Additionally, Devman employs anti-forensics techniques such as deleting Volume Shadow Copies (system backups) to prevent victims from recovering files without paying the ransom, complicating both incident response and forensic investigation efforts.
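As an added illustration of the two behaviours described above (shadow-copy deletion and the ".devman" / ".devman1" extensions), the following detection routine is run over constructed endpoint event lines; it is not code from the article or from Cyfirma, and the shadow-copy deletion command patterns it matches are assumed rather than taken from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not from the article): one event per line,
# "<timestamp> <event_type> <details>".
SAMPLE_EVENTS = """\
2025-09-01T10:02:11Z PROC cmd.exe /c vssadmin delete shadows /all /quiet
2025-09-01T10:02:13Z PROC wmic shadowcopy delete
2025-09-01T10:02:20Z FILE rename C:\\Users\\a\\Documents\\report.docx -> C:\\Users\\a\\Documents\\report.docx.devman
2025-09-01T10:02:21Z FILE rename C:\\Users\\a\\Documents\\budget.xlsx -> C:\\Users\\a\\Documents\\budget.xlsx.devman1
2025-09-01T10:03:00Z PROC notepad.exe C:\\Users\\a\\notes.txt
2025-09-01T10:03:05Z FILE rename C:\\Users\\a\\old.txt -> C:\\Users\\a\\new.txt
"""

# Assumed shadow-copy deletion command patterns (not taken from the article).
SHADOW_DELETE = re.compile(r"(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)
# Extension named in the article: ".devman" plus numbered variants such as ".devman1".
DEVMAN_EXT = re.compile(r"\.devman\d*$", re.I)

@dataclass
class Alert:
    timestamp: str
    rule: str
    detail: str

def scan_events(text: str) -> list:
    """Return one Alert per event that matches either Devman indicator."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        ts, kind, detail = parts
        if kind == "PROC" and SHADOW_DELETE.search(detail):
            alerts.append(Alert(ts, "shadow_copy_deletion", detail))
        elif kind == "FILE" and "->" in detail:
            target = detail.split("->", 1)[1].strip()
            if DEVMAN_EXT.search(target):
                alerts.append(Alert(ts, "devman_extension", target))
    return alerts

def summarize(alerts) -> dict:
    """Count alerts per rule name."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts

def is_devman_like(alerts) -> bool:
    """High-confidence signal: backups destroyed AND the Devman extension seen."""
    rules = {a.rule for a in alerts}
    return {"shadow_copy_deletion", "devman_extension"} <= rules

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    print(summarize(found), is_devman_like(found))
```

Either rule on its own is noisy (administrators do delete shadow copies); the combination within a short window is what an analyst would page on.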

South African data leaks on the dark web
Alongside ransomware, cybercriminal markets are overflowing with South African data leaks and access credentials. Threat actors have leaked or sold everything from consumer databases to government records, including:
- April 20, 2025: 104,035 consumer records leaked, containing names, phone numbers, and emails.
- August 6, 2025: 140,000 records from an online shopping platform exposed, including IDs and company details.
- September 11, 2025: Election-related data advertised, containing candidate profiles and ministry information.
- May 28, 2025: Government dataset with 2,200 administrative records sold for $7.
- May 28, 2025: Additional government package of 150 tables offered for $10.
- April 10, 2025: CRM access and 36,000 records from a business services firm sold for $100.
- March 9, 2025: Network access to a transport company generating $1.5 billion in revenue offered for $1,500.
Many of these leaks have also been shared on Telegram, extending their reach far beyond underground forums. Such access enables ransomware deployment, espionage, and fraud, giving adversaries multiple entry points into South African organizations.