Cyber Security

South Africa’s 295 Daily Cyberattacks Expose a Targeted Threat

8,850 attacks in one month is not background noise. It works out to 2,065 attempts a week, or roughly 295 a day. This number stops being abstract the moment one of those hits a payroll system, a student portal, or a government mailbox.

The June 2026 Check Point Software data points to a wider surge, not just a single bad week. New ransomware crews are moving in, education still takes the hardest hits, and specific named operators show how precise the threat has become.

The volume is rising, not flattening out

Globally, organisations faced 2,270 cyberattacks a week in June. That was 10% higher than May and 17% above the same month in 2025. Ian van Rensburg, who leads security engineering in Africa for Check Point Software, described the pattern as a broad recovery in attack activity, not an isolated flare-up. He also noted that attackers are expanding across countries and industries while ransomware crews keep reorganising and growing.

This matters because the old habit of treating cyber risk as a generic IT problem no longer holds up. The numbers now point to a more deliberate map of targets. Some sectors are getting hammered for their money, others for their data. Education gets hit because it is messy, open, and chronically underprotected.

Africa recorded 3,008 attacks a week in June. That was down 9% year on year, but still high enough to sit among the most heavily targeted regions anywhere in the report. Within the region, South Africa was the fourth-most attacked country. Angola topped the list with 4,890 attacks a week, followed by Nigeria at 2,646.

The sector mix is just as revealing. In Africa, Government, Energy and Utilities, and Financial Services were the most attacked sectors in June. Globally, government institutions logged 2,836 attacks a week, up 5% year on year, while telecommunications came in close behind at 2,835 a week, up 13%.

This is not a random spread. It signals that attackers are chasing institutions where disruption is expensive and recovery is painful. Government systems stall public services. Utilities affect operations. Financial firms handle sensitive data and transactions. Telecoms sit in the middle of everything else.

Education keeps inviting the worst behaviour

The education sector remained the most targeted industry globally, averaging 4,816 attacks a week. That number is ugly on its own, but the reasons behind it are even less flattering. Check Point pointed to open campus networks, constant device churn, and thin security budgets as the mix that keeps schools and universities easy to reach.

Those conditions create the kind of environment attackers like. Devices move in and out constantly. Students and staff connect from everywhere. Access rules tend to be broad because teaching and collaboration need flexibility. Security teams are then asked to defend all of that with too little headcount and too much legacy software.

May’s Shinyhunters breach is the cleanest example. The group claimed responsibility for compromising Canvas, the learning platform used by more than 9,000 institutions worldwide. That list included the University of the Witwatersrand, Milpark Education, Invictus Education Group, and SPARK Schools.

A single breach in a shared education service can spread across institutions that never directly crossed paths. One compromise becomes hundreds of downstream headaches, from account resets to exposed records to weeks of uncertainty about who saw what.

For schools and universities, the practical lesson is blunt. If the network assumes everyone is trusted until proven otherwise, the attacker will happily use that trust. Shared platforms need strict access control. Old accounts need to go. Third-party integrations need review, not blind approval. A breach plan should exist before a leak site starts doing the talking.

Ransomware is changing hands

June also brought a shift at the top of the ransomware pile. The Gentlemen overtook Qilin and became the most prevalent group in the month, accounting for 17% of published attacks. Qilin was next at 11%.

This kind of turnover matters because it shows how fast the ransomware market churns. A fresh name can become the biggest nuisance on the board without the industry getting much warning. Van Rensburg’s point about new operators scaling quickly is on the money. These crews do not need years of reputation. They need access, pressure tactics, and enough stolen data to make a threat feel real.

Across the world, there were 646 ransomware attacks in June, up 33% from June 2025. Business Services was the hardest hit sector, making up 31% of victims. In local terms, that is not a throwaway detail. Business Services is a major contributor to GDP and still an important engine in the economy, which makes it a neat target for extortion. Hit the firms that support other firms, and the ripple spreads fast.

Consumer Goods and Services followed at 16%, with Industrial Manufacturing at 14%. Government’s share of ransomware victims also crept higher, rising from 4.0% in April to 5.4% in June.

This shift says something simple. Threat actors are not settling into one favourite vertical. They are testing where the payout is easiest, where the pressure is strongest, and where the response is slowest. If a sector becomes noisy, they move. If it resists, they look for a softer mark.

XP95 showed how quickly a new crew can cause trouble

Earlier in 2026, a previously unseen ransomware group called XP95 went after the public sector, including Statistics South Africa and the Gauteng Provincial Government. The group claimed to have stolen 453,362 files, amounting to 154GB of data from Stats SA.

It also tried the usual extortion theatre. On its leak site, XP95 set a deadline of 20 April 2026 and demanded R1.7 million. The threat was simple enough: pay up or the files go public.

Stats SA said it would not pay. XP95 never published the data it claimed to have taken, and after the deadline passed the leak site went dark. The group disappeared almost as quickly as it had appeared.

That does not make the incident harmless. A short-lived ransomware crew can still force incident response, legal review, communications work, and forensics. It can still raise questions about access, backups, and exposure. It can still create a trail of anxiety that outlasts the campaign itself.

XP95 proved that new actors do not need polished branding to be dangerous. A stolen dataset, a deadline, and a ransom note are enough to cause a mess. If the victim is a public institution, the mess becomes political as well as technical.

The useful response is specific, not ceremonial

A lot of security advice fails because it is too vague to execute. “Improve your posture” does not tell anyone what to do on Monday morning. The report points to a more useful approach: match the defence to the attack pattern.

Threat pattern Defensive move
Shared education platforms and open networks Enforce MFA, segment access, and audit every integration
Ransomware crews demanding payment through leak sites Keep immutable backups and test restores regularly
Public sector and service-provider targeting Lock down privileged accounts and log every admin action
Fast-moving new groups Refresh threat intel and hunt for recent indicators, not just old ones

For teams that actually need to move, the checklist is shorter than the vendor brochures pretend:

  • Review every internet-facing system, especially portals, learning platforms, finance tools, and remote admin services.
  • Turn on MFA everywhere it can be used, then remove stale accounts that still have access.
  • Keep backups offline or immutable, and test restores instead of assuming they work.
  • Segment internal networks so one compromised laptop does not become a full-domain event.
  • Watch for abnormal archive downloads, unusual API pulls, and sudden spikes in file access.
  • Make sure incident response covers extortion, legal escalation, and public communication, not just isolation and cleanup.
  • Track third-party services with the same suspicion you apply to your own stack.

None of that is exotic. It is boring, which is exactly why it works. The problem is that too many teams still behave as if attack volume is generic and the response can be generic too. The June data says otherwise. The targets are named. The sectors are clear. The ransom crews are changing. If the security plan still treats all of that as one undifferentiated blob, the next breach will not be a surprise, just an interval.