What Business Owners Need to Know This Week
The threat level remains at HIGH and is intensifying as South Africa enters Week 15 with simultaneous pressure on government, financial services, and edge infrastructure. XP95 has now claimed two additional government victims — Statistics South Africa (154 GB / 453,362 files) and the Gauteng City Region Academy (147 GB / 429,473 student records) — both carrying a 20 April 2026 publication deadline. At the same time, DragonForce has expanded into luxury tourism by claiming Singita, pushing the cumulative South African ransomware victim count to 103 organisations. Critical CVEs in three edge-device products (F5 BIG-IP APM, Citrix NetScaler, and Fortinet FortiClient EMS) are being actively exploited, and all three technologies dominate SA enterprise perimeters, while the Information Regulator has escalated its Liberty Group investigation to CEO level.
The Bottom Line: South Africa has added 7–8 ransomware victims in a single week, with 103 total victims recorded and three unresolved XP95 government extortion cases converging on a 20 April deadline. The combination of XP95’s pure data-extortion model, triple critical edge-device exploitation, and CEO-level regulatory scrutiny at Liberty creates the highest compound cyber and compliance risk week of 2026 so far. Boards should be briefed now on the XP95 deadline, second-order PII exposure via Stats SA and GCRA, and the urgent need to patch F5, Citrix, and Fortinet infrastructure.
The Week in Numbers
- 2,204 cyberattacks per week targeting South African organisations, a 36% year-on-year increase from the 1,619-per-week average in Week 14 of 2025.
- 103 cumulative SA ransomware victims recorded as of 5 April 2026, up from 95–96 at the end of Week 14, representing the largest single-week increase since Week 12.
- 3 new confirmed SA victims in Week 15 — Stats SA, GCRA, and Singita — plus several carry-over cases still under active extortion.
- 154 GB / 453,362 files stolen from Statistics South Africa and 147 GB / 429,473 files stolen from the Gauteng City Region Academy, consisting mainly of HR job-seeker data (Stats SA) and bursary applicant data (GCRA).
- $100,000 (±R1.7 million) — XP95’s ransom demand for each of the Stats SA and GCRA datasets, despite the PFMA prohibition on government ransom payments.
- 2,898 POPIA breach notifications submitted in FY 2025/26 (to 5 March 2026), up from 202 notifications in 2021/22, a more than fourteenfold increase in four years.
- 5 critical CVEs now actively exploited in SA-relevant stacks: F5 BIG-IP APM (CVE-2025-53521), Citrix NetScaler (CVE-2026-3055), FortiClient EMS (CVE-2026-35616 and CVE-2026-21643), and Chrome (CVE-2026-5281).
- R24 million — the average ransomware recovery cost for South African organisations (excluding ransom) in 2025, up 26% from R19 million in 2024.
Major Incidents: Who Was Hit and How
Statistics South Africa — XP95 Data Extortion
Statistics South Africa (Stats SA), the national statistics authority, confirmed that XP95 exfiltrated 154 GB of data across 453,362 files from its HR job-seeker portal, including names, CVs, ID numbers, and contact details for hundreds of thousands of applicants. The attack, believed to have occurred in February 2026 and disclosed publicly on 29–30 March, carries a US$100,000 (±R1.7 million) ransom demand with a 20 April 2026 deadline. Under the PFMA, Stats SA cannot legally pay a ransom, making data publication on or after the deadline highly likely; XP95 has already posted samples on Telegram as proof, and a POPIA Section 22 notification has been filed with the Information Regulator.
Gauteng City Region Academy (GCRA) — XP95 Bursary Data
The Gauteng City Region Academy (GCRA), which runs bursary and scholarship programmes for the province, was also claimed by XP95 in Week 15, with the group reporting theft of 147 GB of data across 429,473 files. The exposed dataset contains scholarship and bursary application records, including student PII, academic histories, and financial details. XP95 is again demanding US$100,000 by 20 April 2026, aligning the GCRA and Stats SA deadlines in what appears to be a coordinated campaign against public-sector HR and application portals that cannot lawfully pay ransoms. As of 5 April, GCRA had issued no public statement, and the Information Regulator had not yet released formal guidance on the case.
Singita — DragonForce Targets Luxury Safari Sector
Singita (singita.com), a high-profile luxury safari and conservation lodge operator, was claimed by DragonForce on 2 April 2026, with data exfiltration confirmed but not yet published at the time of reporting. The incident marks DragonForce’s fifth South African victim and signals expansion into the luxury travel and conservation space, where high-net-worth guest data and conservation project records intersect. No ransom details have been disclosed, but DragonForce has threatened imminent publication, leveraging its RaaS cartel model (with 80% affiliate revenue share) to drive volume across diverse sectors.
Liberty Group SA & Standard Bank — CEO-Level Investigation
The Liberty Group breach from Week 14 escalated further in Week 15, with Standard Bank sending client notifications confirming that names, surnames, ID numbers, and email addresses were exposed. The Information Regulator has requested an urgent CEO-level meeting with Liberty and continues to investigate, while extortion attempts have reportedly been declined. Forensics remain ongoing and Liberty has not yet disclosed a final victim count or technical root cause, but the case is shaping up as a landmark test of POPIA Section 22, Joint Standard 2/2024 24-hour reporting obligations, and financial-sector accountability for repeat breaches.
Virgin Active SA & ETFSA — Carry-Over Risks
Two Week 14 incidents remain active: Virgin Active SA is still managing the fallout from an IDOR vulnerability that potentially exposed payment data and banking details for up to 631,000 members, with no confirmed exfiltration or patch status as of 5 April. ETFSA, listed by Incransom on 26 March, has seen no publicly confirmed developments this week, but faces an ongoing threat of full data leak publication. Both cases underscore that not all high-impact SA cyber incidents involve ransomware — web application flaws and data handling weaknesses continue to present business-critical risk.
SA Ransomware: 2026 Victim Tracker
South Africa’s cumulative ransomware victim count stands at 103 organisations as of 5 April 2026, representing the largest week-on-week jump since Week 12 and reflecting sustained pressure from DragonForce, XP95, Nightspire, and Incransom. DragonForce remains the most prolific actor by volume, but XP95 is now the most strategically dangerous group due to its exclusive focus on government entities that cannot legally pay ransoms, making data publication the default outcome. Against this backdrop, average ransomware recovery costs for South African organisations have climbed to R24 million (excluding ransom), up 26% year on year, while regulatory scrutiny of incident response has intensified.
| Date | Organisation | Sector | Group |
|---|---|---|---|
| 24 Dec 2025 | National Credit Regulator | Financial Regulation | DragonForce |
| 6 Jan | Hytec SA | Engineering | Vect |
| 12 Jan | Land Bank | Financial Services | Unknown RaaS |
| 20 Jan | Witzenberg Municipality | Government | TheGentlemen |
| 20 Jan | Rola Motor Group | Automotive | TheGentlemen |
| 15 Feb | Intsika Yethu Municipality | Government | TheGentlemen |
| 24 Feb | EnerTec | Manufacturing | Vect |
| 1 Mar | Diesel-Electric / Bosch SA | Automotive | LockBit 5 |
| 5 Mar | RE/MAX Southern Africa | Real Estate | Team Cyber Strike |
| 20 Mar | The Unlimited | Insurance | DragonForce |
| 21 Mar | Elundini Municipality (re-list) | Government | TheGentlemen |
| 22 Mar | Semenya Furumele Engineers | Engineering | Nightspire |
| 26 Mar | ETFSA | Financial Services | Incransom |
| 29 Mar | Statistics South Africa | Government | XP95 |
| Late Mar | Gauteng City Region Academy | Government / Education | XP95 |
| 2 Apr | Singita | Hospitality / Conservation | DragonForce |
Fraud Hitting Your Business & Your Customers
Digital Banking Fraud and BEC Surge
Digital banking fraud continues to rise sharply, with 97,975 incidents and R1.888 billion in losses recorded in 2025 — an 86% year-on-year increase. In Week 15, Absa, FNB, Nedbank, and Standard Bank issued a joint alert on a surge in vishing and SIM-swap attacks, while INTERPOL’s 2026 Global Financial Fraud Assessment emphasises that AI-assisted fraud is now 4.5 times more profitable than traditional techniques. SABRIC’s data shows that virtually all digital fraud cases involve compromised customer credentials obtained through social engineering, underscoring the need for layered controls, call-interrupt protections, and multi-channel verification of payment and profile changes.
Lapsus$ Re-emergence and SA Relevance
The Lapsus$ data-extortion group re-emerged in late March by claiming a breach of AstraZeneca, stealing 3 GB of source code and credentials between 24 and 26 March, with data published on 5 April 2026. Lapsus$ has historic links to South Africa via prior attacks on Vodacom and MTN in 2022, making its renewed activity relevant to local telecoms and pharmaceutical organisations. Their tactics, which blend credential theft, insider recruitment, and source code exfiltration, demand heightened monitoring of privileged access, developer environments, and third-party collaboration platforms.
POPIA and Regulatory: Government Under Pressure
The Information Regulator’s workload and enforcement posture continue to ramp up, with 2,898 POPIA Section 22 breach notifications received in FY 2025/26 to 5 March (a more than fourteenfold increase on the 2021/22 baseline of 202). Only around 14% of South African organisations that are required to register a POPIA Information Officer have done so, indicating systemic under-preparedness even as enforcement accelerates. The Liberty investigation has now been escalated to CEO level, while Stats SA has formally notified the Regulator about the XP95 breach; guidance on GCRA and broader public-sector XP95 protocol is still pending.
New and existing regulatory instruments converge in Week 15: the POPIA Health Data Regulations (in force since 6 March 2026) impose stricter safeguards on insurers, medical schemes, and employers processing health information; the SARB/FSCA Joint Standard 2 of 2024 is now in its first enforcement cycle, requiring board-approved cyber strategies, 24-hour material incident reporting, mandatory pen testing, MFA, and third-party risk oversight; and PAIA annual report submissions are due between 1 April and 30 June 2026. Combined with the upcoming October 2026 FATF/FSRB mutual evaluation, this creates a dense regulatory calendar that rewards proactive cyber governance and transparent breach handling.
Compliance Deadlines at a Glance:
• 20 April 2026 — XP95 publication deadline for Stats SA and GCRA datasets (prepare second-order breach notifications)
• 1 April–30 June 2026 — PAIA annual report submissions due for public and private bodies
• Immediate / Ongoing — POPIA health data safeguards and Joint Standard 2/2024 cyber requirements in active enforcement
• By June 2026 — RICA amendment proposals targeting SIM card abuse
• October 2026 — FATF/FSRB mutual evaluation of South Africa’s AML and cybercrime regime
Full Intelligence Report
The complete Week 15 technical report below includes detailed coverage of XP95’s attack chain against Stats SA and GCRA, DragonForce’s expansion into the luxury hospitality sector, an in-depth vulnerability matrix for F5, Citrix, Fortinet, Cisco, and Chrome, updated threat actor profiles, OSINT exposure analysis, and structured hunt missions (TH-2026-W15-01 to -04) with full IOC tables for SIEM/EDR ingestion.
What Your Business Should Do Right Now
Immediate actions (this week):
- Patch Citrix NetScaler and F5 BIG-IP now: Apply Citrix NetScaler fixes for CVE-2026-3055 (upgrade to 14.1-66.59 / 13.1-62.23 / 13.1-37.262) and F5 BIG-IP APM patches for CVE-2025-53521 per advisory K000156741. Both vulnerabilities are under active exploitation, have Metasploit support or confirmed nation-state use, and directly expose your VPN/SSO perimeter.
- Patch Fortinet FortiClient EMS and update Chrome: Upgrade FortiClient EMS to 7.4.7 and apply hotfixes for CVE-2026-35616 and CVE-2026-21643, then roll out Chrome version 146.0.7680.178 or later to remediate CVE-2026-5281 before the 15 April CISA KEV deadline.
- Run an XP95-focused threat hunt: Execute a targeted hunt (aligning with TH-2026-W15-01) for suspicious activity on internet-facing HR and application portals. Look for large outbound transfers (>10 GB) aggregated per host and destination over a 24–72 hour window rather than per single flow, since exfiltration of this size is normally chunked; bulk reads of HR, applicant, or student tables outside business hours, especially by service accounts; and new scheduled tasks, local administrator group additions, or newly created admin accounts in public-sector or government-adjacent environments.
- Prepare for the 20 April XP95 deadline: If your organisation submits data to Stats SA or recruits from the GCRA bursary pool, assume second-order PII exposure and prepare breach notification templates, FAQs, and call-centre scripts in advance of potential data publication.
- Block MEGA.nz and Telegram infrastructure where possible: Implement DNS or proxy blocking for g.api.mega.co.nz, mega.nz, and known Telegram ranges where business use is not required, as these are primary exfiltration and C2 channels for DragonForce and XP95. Log and alert on blocked attempts rather than silently dropping them; a blocked upload attempt from an HR portal host is itself a hunt lead.
- Reinforce BEC, vishing, and SIM-swap controls: In response to the joint bank alert, enforce call-back policies for high-risk changes (limits, SIM swaps, device registrations), monitor for anomalous SIM-swap or MFA-reset events, and refresh staff training on AI-enhanced voice and chat scams.
- Check POPIA and PAIA readiness: Confirm that you have a registered POPIA Information Officer, an up-to-date breach response plan that can meet Section 22 expectations, and that PAIA reporting data is being collected for submission by 30 June 2026.
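The following script is an added illustration of the hunt logic described in the XP95 threat hunt and MEGA/Telegram blocking items above; it is not part of the original report or of the TH-2026-W15-01 hunt package, and it uses no IOCs from it. The flow records, database audit entries, and Windows security events are constructed sample data, and the hostnames, table-name patterns, and 07:00–19:00 business-hours window are assumptions to be replaced with your own. It shows why the >10 GB threshold must be applied to per-host totals (two 5–6 GB uploads each pass a single-flow check but together exceed it), flags any egress to MEGA/Telegram domains regardless of volume, picks out off-hours reads of HR/applicant tables, and surfaces the Windows event IDs for scheduled-task creation (4698), account creation (4720), and local group membership changes (4732).

```python
"""Added hunt example: large egress, MEGA/Telegram destinations, off-hours HR
table access and persistence events, run over constructed sample logs."""
from collections import defaultdict
from datetime import datetime, time

GB = 1024 ** 3
EXFIL_BYTES = 10 * GB                        # >10 GB threshold from the hunt
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working window
SENSITIVE_TABLES = ("hr_", "applicant", "student", "bursary")  # assumed naming
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "telegram.org", "t.me")

# Constructed flow records: (timestamp, src_host, dst_domain, bytes_out)
FLOWS = [
    ("2026-04-03T22:14:00", "hr-portal-01", "g.api.mega.co.nz", 6 * GB),
    ("2026-04-03T23:40:00", "hr-portal-01", "g.api.mega.co.nz", 5 * GB),
    ("2026-04-04T09:05:00", "web-02", "cdn.example.net", 2 * GB),
]
# Constructed DB audit records: (timestamp, db_user, table, rows_read)
DB_AUDIT = [
    ("2026-04-03T21:58:00", "svc_portal", "hr_applicants", 450000),
    ("2026-04-04T10:12:00", "hr_clerk", "hr_applicants", 12),
]
# Constructed Windows security events: (timestamp, event_id, host, detail)
WIN_EVENTS = [
    ("2026-04-03T21:30:00", 4698, "hr-portal-01", r"\Microsoft\Windows\Update\sync.exe"),
    ("2026-04-03T21:31:00", 4732, "hr-portal-01", "Administrators <- support2"),
    ("2026-04-04T11:00:00", 4624, "web-02", "interactive logon"),
]
# Windows security event IDs that indicate persistence or privilege changes
PERSISTENCE_EVENTS = {
    4698: "scheduled task created",
    4720: "user account created",
    4732: "member added to security-enabled local group",
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def off_hours(ts):
    """True when the timestamp falls outside the assumed business-hours window."""
    t = ts.time()
    return t < BUSINESS_HOURS[0] or t >= BUSINESS_HOURS[1]


def large_transfers(flows, threshold=EXFIL_BYTES):
    """Sum outbound bytes per (host, destination) and flag totals above threshold.
    Aggregation matters: chunked exfil rarely crosses 10 GB in one flow."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return {k: v for k, v in totals.items() if v > threshold}


def exfil_domain_hits(flows, domains=EXFIL_DOMAINS):
    """Any egress to MEGA/Telegram infrastructure, regardless of volume."""
    return [(ts, src, dst) for ts, src, dst, _ in flows
            if any(dst == d or dst.endswith("." + d) for d in domains)]


def off_hours_table_access(audit, tables=SENSITIVE_TABLES):
    """Reads of HR/applicant/student tables outside business hours."""
    return [(ts, user, table, rows) for ts, user, table, rows in audit
            if any(p in table.lower() for p in tables) and off_hours(parse_ts(ts))]


def persistence_events(events):
    """Scheduled tasks, new accounts and admin group additions."""
    return [(ts, host, PERSISTENCE_EVENTS[eid], detail)
            for ts, eid, host, detail in events if eid in PERSISTENCE_EVENTS]


def run_hunt(flows=FLOWS, audit=DB_AUDIT, events=WIN_EVENTS):
    return {
        "large_transfers": large_transfers(flows),
        "exfil_domains": exfil_domain_hits(flows),
        "off_hours_table_access": off_hours_table_access(audit),
        "persistence": persistence_events(events),
    }


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {hits}")
```

In a real environment the three inputs would come from flow/proxy logs, database audit logs, and the Windows Security channel respectively; the value of the example is in correlating them by host and time window, since each of the sample findings on its own (an 11 GB upload, an off-hours bulk read, a new scheduled task) is far more convincing when all three land on the same host within a couple of hours.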