Kenya’s Hidden Cybercrime Battles and the Cost of Keeping Them Private

The numbers look settled on paper, but the reality of cyber attacks in Kenya rarely makes it into public view


Kenya’s cybercrime losses are usually reduced to a single number. Last year, the estimate crossed Sh30 billion, a figure that tends to settle the conversation as soon as it appears. Cybersecurity analysts, however, say the total likely tells only part of the story. The issue is less about accuracy than visibility, since many incidents never reach public reporting in the first place.

Ransomware sits at the centre of that gap. Globally, reported incidents rose by about 40 percent year on year in the second half of 2025, according to industry research. Kenya’s reporting patterns move in the opposite direction. Public disclosures remain limited even as attacks grow more sophisticated and more frequent elsewhere. The contradiction has forced analysts to reconsider how risk is measured in an environment where disclosure carries its own costs.

For many organisations, a ransomware attack is handled internally, resolved through technical recovery or negotiation, and never discussed again. Reputation concerns remain powerful. So does fear of regulatory scrutiny. In sectors where service continuity is critical, executives often see silence as damage control rather than concealment. The result is a national threat picture built on partial visibility.

That absence of data carries consequences. Without reliable reporting, patterns emerge slowly. Defensive investment follows perception rather than exposure. Companies assume they are less attractive targets than they actually are.

Silence as strategy, risk as byproduct

Under-reporting ransomware in Kenya has become less a technical issue than an institutional one. The incentives surrounding disclosure are misaligned. Firms absorb losses privately while the wider ecosystem loses situational awareness.

Cybersecurity specialists describe a cycle that reinforces itself. The fewer incidents that enter the public domain, the easier it becomes for others to assume ransomware remains a marginal threat locally. Boards then prioritise more visible risks, often fraud or payment scams, because those produce immediate customer complaints and media attention.

Yet ransomware operates differently. It targets internal systems, backups, supply chains. The damage is operational before it is public. An organisation can recover systems and still choose not to disclose the breach, particularly if customer data exposure remains uncertain. From a corporate perspective, the calculation appears rational. From a national security perspective, it leaves blind spots.

Kenya’s regulatory framework has not fully resolved this tension. Reporting obligations exist in some sectors, though enforcement varies and definitions remain contested. The threshold between an operational disruption and a reportable breach is often interpreted conservatively. That ambiguity benefits companies seeking discretion, but it weakens collective defence.

AI accelerates deception faster than defence adapts

While ransomware visibility remains limited, other forms of cybercrime are easier to observe. Fraud campaigns tied to AI-generated content have expanded rapidly across East Africa. Deepfake videos, synthetic voices, and automated phishing pages now appear with a level of realism that would have been technically demanding only a few years ago.

The rise of HTML-based investment scams illustrates how quickly tactics evolve. Researchers recorded a 62 percent increase in such campaigns globally. Many combine fake endorsements, short-lived advertisements, and cloned websites designed to disappear before enforcement catches up. Social media distribution amplifies reach faster than traditional fraud models ever allowed.

A recent Kenyan case involving a fabricated video of a political figure promoting an investment scheme showed how persuasive these tools have become. The technology itself is not new. What has changed is accessibility. Tools once confined to specialist actors now circulate widely enough to lower the barrier to entry for criminal groups.

In practice, this creates a layered threat environment. Ransomware attacks target institutions. AI-driven scams target individuals. Both draw from the same technological momentum.

The mobile frontier and overlooked vulnerabilities

Another development receiving less attention involves near-field communication attacks. Global tracking shows an 87 percent increase in NFC-related malicious activity, including malware capable of relaying contactless payment data or enabling remote access to compromised devices.

Kenya’s mobile-first digital economy makes this category particularly relevant. Payments, identification, and authentication increasingly rely on smartphones. Convenience has expanded faster than user awareness. Many people still treat mobile threats as less serious than desktop malware, despite evidence suggesting the opposite.

Security researchers warn that hybrid malware strains, combining remote access capabilities with payment interception, are becoming more common. These attacks blur traditional boundaries between fraud and system compromise. A compromised phone can serve as both entry point and payment channel.

Ransomware’s changing economics

Globally, ransomware has evolved into an organised service model. Operators develop malware and lease it to affiliates who execute attacks. Groups such as Akira and Qilin dominate current activity, while newer entrants experiment with evasion techniques designed to bypass common endpoint protections.

The emergence of AI-assisted ransomware adds another layer of uncertainty. One example identified in recent research demonstrated the ability to generate malicious scripts in real time. Such tools remain rare, though the direction is clear. Automation reduces technical barriers while increasing attack speed.

For Kenyan organisations, the risk lies less in headline innovation and more in cumulative pressure. Attack tools become cheaper. Target selection becomes broader. Mid-sized firms that once sat below the radar now fall within reach of automated campaigns.

A visibility problem disguised as a technical one

The deeper issue is not simply technological escalation. It is institutional adaptation. Cyber risk still sits awkwardly between IT departments, legal teams, and executive leadership. Responsibility fragments easily. Accountability less so.

Under-reporting of ransomware in Kenya reflects this fragmentation. Companies measure success by recovery rather than disclosure. Regulators emphasise compliance without always producing incentives for transparency. Public awareness focuses on scams that affect individuals directly.

The danger is gradual normalisation. If ransomware incidents remain largely hidden, defensive investment follows outdated assumptions. Attackers benefit from uncertainty. Victims repeat the same recovery patterns in isolation.

There are signs that this may change. Insurance requirements, supply chain audits, and international compliance pressures are already pushing larger firms toward more structured reporting. Whether that extends to smaller organisations remains uncertain. Many lack both resources and internal expertise.

The coming years will likely define whether ransomware becomes treated as routine operational risk or as a collective security issue requiring shared visibility. The outcome depends less on new technology than on whether institutions accept that silence carries its own cost.


By George Kamau

I brunch on consumer tech. Send scoops to george@techtrendsmedia.co.ke
