Ransomware is a form of malicious software that encrypts an organisation's files and demands payment in exchange for the decryption key. Once ransomware executes on a device, it typically spreads across the network, targeting shared drives, cloud-synchronised folders, and backup systems - anywhere it can reach from the infected machine. Within hours, an entire organisation can find itself locked out of its data, with a ransom note on every screen demanding cryptocurrency payment.
The ransomware ecosystem has matured significantly. Criminal groups now operate Ransomware-as-a-Service (RaaS) platforms, where developers provide the malware and infrastructure in exchange for a percentage of every ransom paid. This has lowered the barrier to entry for cyber criminals, dramatically increasing the volume and variety of attacks targeting UK businesses. The NCSC identified ransomware as the most significant cyber threat to UK organisations, a position it has maintained across multiple annual reviews.
Softomate Solutions works with London and UK-based businesses to implement the layered defences that make ransomware attacks survivable - and ideally, preventable.
Several factors have converged to make UK businesses attractive ransomware targets. Remote and hybrid working expanded the attack surface significantly - employees working from home use personal routers, personal devices, and home Wi-Fi networks that lack enterprise-grade security. Many organisations rushed to enable remote access during the pandemic without properly securing it. Remote Desktop Protocol (RDP) exposed directly to the internet, with weak credentials and no MFA, remains one of the most commonly exploited entry points in UK ransomware incidents.
The ransomware business model has also become more ruthless. Modern ransomware gangs employ "double extortion" - they do not just encrypt your data, they exfiltrate it first and threaten to publish it unless you pay. This means that even if you restore from a clean backup and refuse to pay the encryption ransom, you may still face extortion over sensitive client data, employee information, or commercially sensitive documents. Some groups practice "triple extortion," also notifying your clients and partners that their data has been compromised, creating additional pressure.
The DSIT Cyber Security Breaches Survey consistently finds that smaller businesses are less likely to have tested business continuity plans, less likely to have offline backups, and less likely to have endpoint detection tools that can identify ransomware behaviour before encryption begins.
Understanding the attack pathways helps you close them. The three most common ransomware entry points affecting UK businesses are phishing emails, exploitation of unpatched software, and compromised remote access systems.
Most ransomware infections begin with a phishing email. An employee receives a convincing email containing a malicious attachment or link. Opening the attachment or clicking the link downloads and executes the ransomware payload. Modern phishing emails are highly convincing - they may appear to come from a colleague, a supplier, or a trusted brand, and may reference specific details about your business to appear legitimate (a technique called spear phishing). Staff training is the most important countermeasure here, alongside email filtering that blocks known malicious domains and scans attachments before delivery.
When a software vulnerability is publicly disclosed, the clock starts. Ransomware groups scan the internet for organisations running the vulnerable version and exploit it before patches are applied. Notable examples include the exploitation of vulnerabilities in Microsoft Exchange Server, Citrix, and VPN appliances. Applying critical patches within 72 hours of release - and high-severity patches within 14 days, as the NCSC recommends - dramatically reduces your exposure to this attack vector.
Remote Desktop Protocol (RDP) and VPN systems exposed to the internet are prime ransomware targets. Attackers use credential stuffing, brute-force attacks, or purchased credentials from dark web forums to gain initial access. Once inside, they move laterally across the network, escalating privileges and identifying critical systems before deploying ransomware. Requiring MFA on all remote access, restricting RDP access to specific IP ranges, and using a VPN gateway with monitoring significantly reduces this risk.
Ransomware prevention requires a layered approach. No single control is sufficient, but combining these measures makes a successful attack significantly less likely and limits the damage if one does occur.
Traditional antivirus identifies malware by matching files against a database of known malicious signatures. EDR tools go further: they monitor device behaviour and flag or block actions characteristic of ransomware (such as rapidly encrypting or renaming large numbers of files), even for previously unknown malware variants. For UK businesses, deploying EDR on every endpoint - including devices used by remote workers - is now considered essential rather than optional. Our endpoint protection services in London implement EDR solutions scaled to small and mid-market businesses.
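To make the behavioural idea concrete, here is an added illustration (not Softomate's code or any vendor's EDR logic) of the kind of rule an EDR applies: it replays a constructed file-event log and flags any process that touches an unusually large number of distinct files inside a short sliding window, which is what mass encryption looks like from the file system's point of view. The log format, the 60-second window and the 30-file threshold are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
THRESHOLD = 30                   # distinct files touched within one window (assumed)


def parse_event(line):
    """Parse a constructed 'ISO-timestamp process ACTION path' line."""
    ts, proc, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, action, path


def detect_mass_modification(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {process: timestamp of first alert} for every process that modifies
    or renames at least `threshold` distinct files within any `window`.
    Reads and deletes are ignored; only per-process ordering is required."""
    recent = defaultdict(deque)   # process -> deque of (timestamp, path) still in window
    alerts = {}
    for line in lines:
        ts, proc, action, path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue
        events = recent[proc]
        events.append((ts, path))
        while events and ts - events[0][0] > window:   # drop events outside window
            events.popleft()
        distinct_files = {p for _, p in events}
        if len(distinct_files) >= threshold and proc not in alerts:
            alerts[proc] = ts                          # first time the rule fires
    return alerts


def build_sample_log():
    """Constructed sample telemetry (not real data): a user editing three
    documents slowly, then one process renaming 45 files to '.locked' in ~13 s."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    normal = [
        f"{(base + timedelta(seconds=i * 40)).isoformat()} winword.exe WRITE "
        f"C:\\Users\\amy\\Documents\\report{i % 3}.docx" for i in range(10)
    ]
    burst = [
        f"{(base + timedelta(minutes=5, milliseconds=i * 300)).isoformat()} updater.exe RENAME "
        f"C:\\Shares\\finance\\inv{i:03d}.xlsx.locked" for i in range(45)
    ]
    return normal + burst


if __name__ == "__main__":
    for proc, when in detect_mass_modification(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {proc}: mass file modification")
```

Real EDR products combine several such signals (entropy of written data, new file extensions, shadow-copy deletion) and act on the process rather than just logging it; the point here is that the detection keys on behaviour, not on a file signature.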
MFA is the single most effective control against credential-based ransomware attacks. Require MFA on email, cloud services, remote access (VPN and RDP), and any administrative accounts. Even if a criminal obtains valid credentials through phishing or credential stuffing, MFA prevents them from using those credentials to gain access. The NCSC made MFA for internet-accessible accounts a requirement under the updated Cyber Essentials standard, reflecting how fundamental it now is.
If ransomware reaches your network, segmentation limits how far it can spread. Dividing your network into separate zones - so that a compromised workstation cannot directly access your finance server or backup systems - contains the blast radius of an infection. Segmentation can range from relatively simple VLAN configuration to sophisticated zero-trust architectures. The right approach depends on your organisation's size and risk profile.
Ransomware typically targets all storage it can reach, including cloud-synchronised folders and network-attached backup drives. Offline backups - copies of your data stored on media that is physically disconnected from your network - cannot be encrypted by ransomware. Immutable backups, where the storage medium does not allow files to be modified or deleted for a defined period, provide similar protection in cloud environments. Follow the 3-2-1 backup rule: three copies, two media types, one offsite.
Ransomware runs with the permissions of the account that executed it. If every user account has broad access to the entire network, ransomware can encrypt everything. Implementing least-privilege access - giving users only the permissions they genuinely need - limits what ransomware can reach. Administrative accounts, which have the broadest permissions, should only be used for administrative tasks, not day-to-day work.
Speed and methodical action are essential. The decisions you make in the first hour significantly affect how much data you lose and how quickly you can recover.
Disconnect infected devices from the network - unplug network cables, disable Wi-Fi - to prevent the ransomware from spreading further. Do not switch devices off if you can avoid it; forensic evidence may be lost and some ransomware variants destroy data on shutdown. If you have a network switch, disabling the relevant ports is faster and less disruptive than physically disconnecting every cable.
The NCSC, the NCA, and the US Cybersecurity and Infrastructure Security Agency (CISA) consistently advise against paying ransoms. Payment funds criminal groups, does not guarantee data recovery (approximately 20% of organisations that pay do not receive a working decryption key), and marks you as a paying target for future attacks. If you hold cyber insurance, check your policy before making any decisions - some insurers require you to contact them before paying.
Report the incident to the National Crime Agency's Action Fraud service. If personal data has been compromised, you may be required to notify the ICO within 72 hours under UK GDPR. Notify your cyber insurer immediately. Consider whether your customers or partners need to be informed - particularly if their data may have been exfiltrated under a double-extortion attack. Transparent, prompt communication, while painful, preserves more trust than delayed disclosure.
Ransomware incident response requires specialist skills - forensic investigation to understand how the attackers gained access and what they may have exfiltrated, safe system restoration from clean backups, and verification that the attackers no longer have access before systems are brought back online. Attempting to restore systems without understanding the initial compromise often results in re-infection. Our cyber security consultancy can provide or coordinate incident response support for London and UK businesses.
Resilience means being able to recover quickly even if a ransomware attack succeeds. It requires planning before the crisis, not during it.
Document your recovery procedure before you need it. Know which systems are most critical to your business operations, what the recovery time objective (RTO) is for each, and what order systems should be restored in. Test your backup restoration process at least quarterly. Confirm that your backups are actually complete, usable, and contain the data you think they contain - many businesses discover their backups were incomplete only when they need to use them.
Run tabletop exercises with your senior team at least annually. Simulate a ransomware scenario: what would you do in the first hour, who would make decisions, how would you communicate with staff and customers, at what point would you involve external specialists? These exercises identify gaps in your response plan without requiring an actual incident to expose them.
Review your cyber insurance policy carefully. Understand what is and is not covered - some policies exclude incidents attributable to failure to maintain basic security controls. Check whether your policy includes access to an incident response retainer, which provides pre-vetted professional support without the delay of sourcing specialists during a crisis.
UK law does not currently prohibit ransomware payments outright, but there are circumstances where paying could expose your business to legal liability. The Office of Financial Sanctions Implementation (OFSI), which operates within HM Treasury, maintains a list of designated individuals and entities against whom financial sanctions apply. If the ransomware group demanding payment is a sanctioned entity - and several prominent ransomware groups are on international sanctions lists - making a payment could constitute a breach of UK financial sanctions law, regardless of whether you knew you were paying a sanctioned group.
Before making any ransomware payment, you should seek legal advice, check the OFSI consolidated list, and consult your cyber insurer. The NCA strongly advises reporting ransomware incidents to Action Fraud and engaging with law enforcement before deciding whether to pay. While law enforcement cannot always help you recover your data, reporting provides them with intelligence that helps disrupt ransomware operations and protects other UK businesses.
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States, working with UK partners including the NCSC and NCA, publishes "StopRansomware" advisories that name specific groups and their tactics, techniques, and procedures (TTPs). These advisories are publicly available and provide useful intelligence on the groups most active in targeting UK organisations.
Cyber insurance is an increasingly important element of ransomware resilience for UK businesses. A good cyber insurance policy can cover incident response costs, data recovery, business interruption losses, regulatory notification costs (including ICO notification requirements), legal fees, and in some cases ransom payments - though coverage of ransom payments is becoming more restricted.
The insurance market has hardened significantly following the surge in ransomware claims from 2020 onwards. Insurers now ask detailed questions about security controls and may decline cover or exclude ransomware claims for organisations that cannot demonstrate basic hygiene. Specific requirements now commonly appearing in cyber insurance applications include: evidence that MFA is enabled on all cloud services and remote access systems, confirmation that critical patches are applied within 14 days of release, evidence of tested offline backups, documented incident response procedures, and in some cases Cyber Essentials or ISO 27001 certification.
Review your policy before an incident, not during one. Understand what triggers the obligation to notify your insurer, whether paying a ransom requires insurer approval, what incident response services are included (many policies include access to a 24/7 incident response hotline with pre-vetted specialists), and what the sub-limits are for ransomware-specific costs versus total policy limits.
Cloud storage is not immune. Ransomware can encrypt locally synchronised cloud storage files, and those encrypted versions will then sync to the cloud, overwriting your originals. Most major cloud storage providers retain version history - Microsoft 365 keeps 30-180 days of version history depending on the subscription tier - which can allow recovery without paying a ransom. However, you should not rely on cloud version history as your sole backup strategy, as some ransomware variants are designed to exhaust version history limits.
Ransomware is one type of attack that can cause a data breach. A data breach is any incident where personal or sensitive data is accessed, disclosed, or lost without authorisation. Ransomware typically causes a data breach when the attackers exfiltrate data before encrypting it (double extortion). However, data breaches also occur through phishing, insider threats, misconfigured cloud storage, and lost devices - not all of which involve ransomware.
Many cyber insurance policies do cover ransomware-related costs, including incident response fees, data recovery costs, business interruption losses, and sometimes ransom payments (though insurers are becoming more cautious about covering ransom payments). Coverage varies significantly between policies. Before a ransomware incident occurs, read your policy carefully, understand what is excluded, and confirm that your security controls meet the insurer's minimum requirements - many policies now exclude claims where basic controls like MFA and patching were not in place.
Recovery time varies enormously depending on the scope of the attack, the quality of backups, and whether clean backups are available. Organisations with well-maintained, tested, offline backups and documented recovery procedures can restore critical systems in 24-72 hours. Organisations without adequate backups may take weeks or months to restore operations, if they recover at all. In the UK, average reported downtime following a ransomware incident is 16-21 days, according to incident response data from 2023.
Small businesses are targeted regularly, and in some respects are preferred targets because their defences are typically weaker. Ransomware groups use automated tools to identify vulnerable targets at scale - they are not selecting victims based on company size. That said, ransom demands are often calibrated to perceived ability to pay, which means smaller businesses may receive lower initial demands. However, even a "small" ransom of £10,000-£50,000 is devastating for most SMEs, and the indirect costs of downtime and recovery typically far exceed the ransom itself.