
ITWeb TV: Data exfiltration overtakes ransomware attacks in SA

By Adrian Hinchcliffe
Johannesburg, 11 Apr 2025
Expert digital forensics auditor professor Danny Myburgh, MD of Cyanre, provides an overview of the latest cyber crime trends he’s seeing being committed in South Africa. He also details some of the cases he’s worked on and the entry paths and skills needed to get into the field of digital forensics.

Ransomware attacks are on the decline, and are being replaced by data exfiltration, says an expert local digital forensics auditor.

Professor Danny Myburgh, MD of Cyanre, speaking to ITWeb TV, said his company is called to handle 40 to 60 major breaches of large South African companies every year and has noted a decrease in ransomware in recent months.

This, he surmised, is due to companies adopting better backup and recovery strategies, including air-gapping.

“Data exfiltration attacks have more or less doubled, as opposed to ransomware attacks. Last year, we saw double extortion, where they encrypt your data and steal it; we're still seeing that but it’s as if [most of] the hackers aren’t even going to that extent anymore, in terms of encrypting the information, so the exfiltration attacks are really picking up.”

Myburgh added that data exfiltration attacks are about 10 times more costly to investigate and remediate, as they involve lawyers and notifying the data subjects, and it is harder to pinpoint when the attackers first gained access to the environment.

Professor Danny Myburgh, MD of Cyanre.

He also revealed that attackers are using artificial intelligence (AI), which is helping them to reduce the time they are in a hacked environment.

“While the victims and clients are using AI to increase or improve their security, hackers are also [using] it. IBM found last year that the average time a hacker is in an environment is 209 days. We found on all the breaches we handled that it came down to about 170 days and it's because they are automating their attacks.”

The sophistication of the attacks is also increasing, he noted, with attackers learning how to work around multifactor authentication.

“We have seen a number [of cases] where the hackers would attack the cookie structure; for example, the tokens that are issued and they keep those tokens alive, therefore they have access up to 30 days into that environment without having to do a second two-factor authentication.”
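The token-replay problem Myburgh describes comes down to session policy: a sliding idle timeout alone keeps a stolen token alive for as long as the thief keeps touching it. The example below is added here (it is not Cyanre's code, and the policy values, user names and fingerprint strings are assumptions) and contrasts a sliding-only policy with one that adds an absolute lifetime and binds the token to the client that received it.

```python
import hmac
import secrets
from dataclasses import dataclass

# Policy values are assumptions for this example, not a real product's defaults.
IDLE_TIMEOUT = 24 * 3600           # sliding window: token stays alive while used
ABSOLUTE_LIFETIME = 7 * 24 * 3600  # hard cap regardless of activity
DAY = 24 * 3600


@dataclass
class Session:
    user: str
    issued_at: int
    last_seen: int
    client_fp: str  # hash of user-agent + coarse IP, bound when the token is issued


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, user, now, client_fp):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, client_fp)
        return token

    def validate(self, token, now, client_fp, enforce_absolute=True):
        """Return (ok, reason); ok=True means the token may be used."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown"
        if now - s.last_seen > IDLE_TIMEOUT:
            return False, "idle_expired"
        if enforce_absolute and now - s.issued_at > ABSOLUTE_LIFETIME:
            return False, "absolute_expired"  # forces a fresh login and MFA
        if not hmac.compare_digest(s.client_fp, client_fp):
            return False, "fingerprint_mismatch"  # replay from another client: alert on this
        s.last_seen = now  # sliding refresh only happens on an accepted request
        return True, "ok"


def replay_window_days(enforce_absolute, attacker_fp, days=30):
    """Count how many days a stolen token keeps working when the thief uses it daily."""
    store = SessionStore()
    token = store.issue("alice", 0, client_fp="fp-alice-laptop")  # constructed sample
    return sum(
        store.validate(token, d * DAY, attacker_fp, enforce_absolute)[0]
        for d in range(1, days + 1)
    )
```

With the sliding-only policy a daily touch from the original client keeps the token valid for all 30 days; the absolute cap cuts that to 7, and the fingerprint check rejects replay from a different client on day one.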

Crime scene

For companies that have been breached, Myburgh’s advice is for those with an internal IT team to not be too hasty in terms of fixing the problem, as a hacked server is a crime scene.

“The whole objective of an IT team is to make the problem go away, fix the problem, get the networks to work; that's why management is screaming at them. If you don't conduct an investigation of exactly what happened, you might be living under a situation where you won't know what the hackers did, what they took out, what backdoors they have in the environment.

“We conducted two investigations in the past year where we saw that the hackers, before encrypting the environment, went into the financial system, and we couldn't figure out why. After we decrypted the information for the client, we advised them that we saw this access. The client did an analysis and we found in both instances that they were making quite large yearly licensing fee payments to America, for a couple of million rand, and that the hackers had changed the banking details on the system.”

ITWeb Security Summit 2025 Johannesburg – 3 and 4 June

This episode of ITWeb TV is produced in association with ITWeb Security Summit. Professor Danny Myburgh is one of the many speakers who will be presenting at this year’s ITWeb Security Summit, the annual gathering of cyber security professionals, experts and thought leaders. The summit will unpack the latest developments, the methods that attackers are using and the best strategies to protect digital assets.

Myburgh advised companies that don't have an internal IT capacity to not 100% trust their external IT service provider.

“In more than 9% of our matters, the IT service provider is responsible for the breach. Either it's one of their personnel using that environment for cryptojacking, for example, or where the hack came through them. We had one case, for example, where the IT consultant’s laptop was compromised, and he used the same password for all clients.”

He also recounted two cases where the external service provider claimed the firewall was up to date, but the investigation found that the firewall update had only happened after the breach, and that the firewall was the cause of the breach.

Digital forensics skills gap

Myburgh also outlined that the digital forensic audit space in South Africa suffers from a severe skills shortage.

“The field actually is very understaffed in South Africa. It’s one of the areas where we've got critical scarcities in these skills. The president, in his State of the Nation Address, mentioned that the NPA [National Prosecuting Authority] is actively busy with a project to build a digital forensic lab, and some of those efforts are to look at local resources, as well as international resources, to staff it.”

He added that, by his estimates, there are fewer than 100 digital forensic practitioners in South Africa, and fewer than 20 are of high enough standing to be considered expert witnesses capable of testifying in court.

International companies can also offer remote employment opportunities with better pay, which is a challenge for the local sector.

The field is unusual in that it requires a mixture of IT skills and the ability to conduct investigations. “We recruit quite a lot of candidates that have a BSc computer science degree. They can also specialise in cyber security.”
