Most Kenyan businesses that get hit by ransomware never say a word about it. They pay quietly, or they rebuild quietly, and they hope nobody finds out. That silence is part of the problem, because it lets every other business assume it will not happen to them. The numbers say otherwise, and this article walks through how attacks actually happen here and what genuinely reduces your risk.
The scale, in real numbers
Kenya’s national cyber incident response team, the National KE-CIRT/CC, which sits inside the Communications Authority of Kenya, detected roughly 4.56 billion cyber threat events between October and December 2025. That was a 441 percent jump on the quarter before. The team put the rise down to three ordinary things: systems that were not patched, staff who could not spot a phishing message, and criminals starting to use AI to work faster.
Ransomware is a small slice of that volume but a large slice of the damage. The Kenya Threat Landscape Report 2024, produced by SOCRadar and Enovise, found that manufacturing was the most targeted sector for ransomware in the country, taking more than a quarter of recorded incidents, with the LockBit family of malware the most common strain. INTERPOL’s Africa Cyberthreat Assessment lists ransomware among the most serious threats facing businesses across the continent.
The honest figure for what this costs Kenya is unknown, precisely because of that silence. Industry estimates of annual cybercrime losses run into the tens of billions of shillings, and analysts who track it believe the real number is higher because so many incidents are handled internally and never reported.
How attackers actually get in
Ransomware sounds technical, so people imagine genius hackers breaking through firewalls. The reality is duller and more preventable. Almost every attack we have helped clean up started with one of four things.
- A phishing email someone clicked. A message that looks like it is from a supplier, a bank or a colleague, with a link or an attachment. One click is often all it takes to give an attacker a foothold.
- A weak or reused password. Staff who use the same password everywhere, or simple ones, hand attackers an easy way in, especially on email and remote access.
- A system nobody patched. Software has flaws, vendors release fixes, and those fixes sit uninstalled for months. Attackers scan the internet for exactly these gaps.
- Remote access left exposed. A remote desktop port open to the internet, or a VPN with no second factor, is a door with a weak lock that anyone can rattle.
None of these require sophistication to fix. They require someone whose job it is to stay on top of them.
What actually reduces your risk
You cannot make yourself impossible to attack. You can make yourself a harder target than the business next door, which is usually enough, and you can make sure that if something does get through, it does not end your week. The controls that matter:
- Two-factor authentication on email, remote access and anything that holds money or data. This single step blocks most password-based attacks.
- A patching schedule that actually runs, so known flaws get closed before someone uses them.
- Modern endpoint protection that watches for suspicious behaviour, not just the antivirus that came with the laptop.
- Email filtering that catches phishing before your staff have to judge it.
- Staff who have been shown what a phishing message looks like. Your people are either your weakest point or your first line of defence, and the difference is training.
- Backups that are tested, and kept somewhere the ransomware cannot reach. This is the one that turns a disaster into an inconvenience.
The question that decides everything
When ransomware locks every file in your business, one thing determines whether you pay the criminals or recover on your own terms: whether you have a clean, tested backup they could not touch. Attackers know this, which is why modern ransomware hunts for your backups first. If yours sit on the same network as everything else, or if nobody has ever tested that they restore, you do not really have a backup. You have a hope.
The worst time to find out your backup does not work is the morning a criminal is holding your business to ransom.
If you are not certain where your business stands on any of this, the fastest way to find out is to have someone independent look. Our free IT audit reviews your security, your patching and your backups, and gives you a written report and a plain list of what to fix first. It is confidential, and the report is yours to keep whether or not you work with us. If you would rather hand the whole problem to a team that watches it every day, that is what Ryantel Total Cover is for.
Sources: National KE-CIRT/CC quarterly cyber security reports (Communications Authority of Kenya); Kenya Threat Landscape Report 2024 (SOCRadar and Enovise); INTERPOL Africa Cyberthreat Assessment.