Advisory ID: NCC-CSIRT-2026-014
Summary:
The Nigerian Communications Commission Computer Security Incident Response Team (NCC-CSIRT) alerts stakeholders to an ongoing ransomware campaign attributed to the XP95 Ransomware Group, which has recently targeted government institutions and critical sectors globally.
The attackers employ data exfiltration and extortion techniques, compromising sensitive information and threatening public disclosure unless ransom demands are met. Recent incidents indicate a rapid escalation in the group’s activities, with multiple high-impact breaches recorded within a short timeframe.
Given similarities in system vulnerabilities and cybersecurity posture across institutions, Nigerian organizations, particularly within government and critical infrastructure sectors, are at elevated risk of similar attacks.Damage: Critical
Probability: High
Product(s)
- Enterprise IT Systems
- Government Databases
- Healthcare Information Systems
- Web Applications and Network Infrastructure
Version(s):
- All unpatched or improperly configured systems
- Systems with weak authentication mechanisms
Platform(s):
- Windows
- Linux
- Cloud-based environments
- On-premise enterprise networks
Description:
The XP95 ransomware group is an emerging and highly active threat actor known for targeting data-rich organizations, including government agencies and healthcare providers.
Recent reported incidents include:
- A South African government agency breach involving over 453,000 files ( approximately 154GB) of sensitive data.
- A Spanish healthcare software provider was compromised, resulting in the exfiltration of approximately 165GB of patient data.
- Additional attacks on provincial government institutions targeting job seekers and student databases.
The group’s attack techniques involve:
- Exploiting unpatched software vulnerabilities
- Leveraging weak authentication and poor password practices
- Gaining unauthorized access to enterprise networks
- Exfiltrating large volumes of sensitive data
- Issuing ransom demands with threats of public data release
Impacts:
- Large-scale data breaches involving sensitive information
- Financial loss due to ransom payments and remediation costs
- Disruption of critical services and operations
- Reputational damage and loss of public trust
- Regulatory and legal implications
Threat Types:
- Ransomware (Double Extortion)
- Data Exfiltration
- Unauthorized Network Access
- Exploitation of System Vulnerabilities
Solutions/Mitigations:
NCC-CSIRT recommends the following mitigation steps:
- Apply timely security patches and updates across all systems
- Conduct regular vulnerability assessments and penetration testing
- Enforce Multi-Factor Authentication (MFA)
- Implement strong password policies
- Adopt least-privilege access principles
- Segment critical networks
- Deploy Intrusion Detection and Prevention Systems (IDS/IPS)
- Monitor for unusual network activity
- Maintain regular, secure, and offline backups
- Test backup restoration procedures periodically
- Implement Security Information and Event Management (SIEM) solutions
- Establish and regularly update incident response plans
- Conduct regular cybersecurity awareness training
- Educate users on phishing and social engineering risks
References:
-
https://redpiranha.net/news/threat-intelligence-report-march-3-march-9-2026
-
https://www.upguard.com/news/statistics-south-africa-data-breach-2026-03-31
-
https://databreaches.net/2026/03/30/south-african-government-agency-and-spanish-psychological-software-provider-victims-of-cyberattacks-by-xp95/
-
https://witness.co.za/news/2026/03/30/stats-sa-confirms-data-breach-hackers-demand-ransom/
-
https://helm.news/2026-03-30/stats-sa-confirms-ransomware-attack-hr-database-group-xp-demanding-ransom.html
-
https://app.megazone.fm/news/c/0/i/95713595/stats-sa-hit-ransomware-attack-over-450000-files-compromised