On April 11, 2026, Krybit ransomware attacked Megasurf, South Africa's internet service provider, according to reporting aggregated across 16 sources. The incident remained active as of 21:26 UTC on the same day.
Why this matters: ISP compromise creates cascading risk. When an internet backbone operator is encrypted or disrupted, downstream customers—businesses, government offices, hospitals, and residential users—lose connectivity. Unlike a single-company breach, ISP ransomware can fragment regional internet access, degrade communications infrastructure, and prevent organizations from reaching external support or backup systems.
Megasurf's position as a major South African ISP means the potential footprint extends across the country's commercial and government connectivity. The attack's classification as "active" at the time of detection suggests either ongoing encryption, negotiation, or service disruption—not a resolved incident.
Krybit is a known ransomware family associated with double-extortion tactics (encrypt-and-leak), meaning threat actors likely harvested data before encryption, creating secondary exposure for any customer information stored on ISP infrastructure.
What to watch: Monitor for official statements from Megasurf or South African telecom regulators confirming scope of outage, restoration timeline, and whether ransom demands were published. Regional ISP compromises often trigger delayed public disclosure—expect updates over coming days. Track whether the attack impacts critical services dependent on Megasurf's backbone.
Practical steps: If you or your organization relies on Megasurf or its downstream services, verify backup connectivity options (alternate ISP, mobile hotspot, satellite). Review cached copies of essential online resources. Confirm your incident response plan includes ISP-level outage scenarios, not just single-provider failures. For South Africa–focused monitoring, follow ICASA (Independent Communications Authority of South Africa) and industry security channels for official updates.
