Ransomware is now the most financially damaging form of cyber attack targeting UK businesses. The model is straightforward and brutal: malicious software encrypts your files, renders your systems unusable, and demands payment — usually in cryptocurrency — in exchange for a decryption key that may or may not arrive.

The sums demanded have grown sharply. What once involved four-figure demands against individual users now routinely runs into tens or hundreds of thousands of pounds when businesses are targeted. Attackers have professionalised. Many ransomware gangs operate with dedicated support desks, negotiators, and published “leak sites” where they post stolen data if payment is refused.

How Ransomware Gets In

There is no single entry point. Attackers use whichever route offers the least resistance.

Phishing emails remain the most common delivery mechanism. A convincing message tricks a staff member into opening a malicious attachment or clicking a link that installs the ransomware payload. The email might impersonate a supplier, a courier, or HMRC. It takes one click from one person.

Remote Desktop Protocol (RDP) is a legitimate tool that allows remote access to Windows machines. When RDP is exposed to the internet with weak credentials or no multi-factor authentication, attackers can brute-force their way in and deploy ransomware manually — a method favoured because it gives them time to explore the network before encrypting anything.

Unpatched software provides a straightforward path. Vulnerabilities in operating systems, VPNs, and web-facing applications are discovered regularly. When patches are not applied promptly, attackers exploit known weaknesses, sometimes within hours of a vulnerability being made public.

Supply chain compromise is a growing vector. Attackers target a managed service provider or software vendor and use that trusted relationship to push ransomware to dozens or hundreds of downstream customers simultaneously.

What Happens During an Attack

Modern ransomware attacks rarely begin with immediate encryption. Attackers typically spend time inside a network first — mapping systems, stealing data, and disabling or deleting backup infrastructure before triggering the encryption. This “dwell time” can range from days to weeks.

When encryption begins, it spreads rapidly across connected drives and network shares. Users see their files become inaccessible, renamed with unfamiliar extensions. A ransom note appears — usually a text file or wallpaper change — with instructions for payment and a deadline, after which the price increases or data is published.

Should You Pay?

The FBI, the UK’s National Cyber Security Centre (NCSC), and virtually every credible security body advise against paying. The reasons are practical, not just moral. There is no guarantee the decryption key will work. There is no guarantee the attacker has not retained a copy of your data regardless. And payment funds the criminal infrastructure that enables the next attack.

Some businesses pay because the alternative — rebuilding from scratch — seems worse. The only way to make that choice unnecessary is preparation.

The Backup Strategy That Changes Everything

A robust backup removes an attacker’s primary leverage. The 3-2-1 rule is the standard: keep three copies of your data, on two different types of media, with one copy stored off-site or offline.

The critical word is offline. Backups connected to your network at the time of an attack will be encrypted alongside everything else. Air-gapped backups — stored on drives physically disconnected from the network, or in cloud environments with immutable storage — cannot be reached by ransomware.

Backups must be tested. An untested backup is an assumption, not a safety net. Schedule regular restoration tests so you know exactly how long recovery takes and that the process actually works.

Other Defences Worth Implementing

Network segmentation limits how far ransomware can travel once inside. If your accounts system cannot communicate directly with your customer database, encryption in one area does not automatically spread to the other.

Endpoint detection and response (EDR) goes beyond traditional antivirus. EDR tools monitor for behavioural patterns consistent with ransomware — mass file renaming, unusual encryption activity — and can halt processes before damage is complete.
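A minimal version of the behavioural check described above, added here as an illustration and not code from DreamThieves or any EDR vendor: it watches file rename events per process and raises an alert when one process gives many files the same unfamiliar extension inside a short window, the pattern users see as files "renamed with unfamiliar extensions". The event format, the KNOWN_EXTENSIONS list and the sample events are all assumed or constructed for the example.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions the business's own applications normally produce (assumed list)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv"}

# Constructed events (timestamp|process|action|old path|new path), invented for this example
SAMPLE_EVENTS = [
    # ordinary user activity: renames that keep a familiar extension
    "2024-03-04T09:14:50|winword.exe|rename|C:\\Shared\\q1.docx|C:\\Shared\\q1-final.docx",
    "2024-03-04T09:14:58|excel.exe|rename|C:\\Shared\\budget.xlsx|C:\\Shared\\budget-v2.xlsx",
    # a backup tool producing one unfamiliar extension, but not in bulk
    "2024-03-04T09:15:00|backup.exe|rename|C:\\Shared\\old.pdf|C:\\Shared\\old.pdf.bak",
    # a burst of renames that all apply the same unfamiliar extension
    "2024-03-04T09:15:01|updater.exe|rename|C:\\Shared\\a.docx|C:\\Shared\\a.docx.lockd",
    "2024-03-04T09:15:02|updater.exe|rename|C:\\Shared\\b.xlsx|C:\\Shared\\b.xlsx.lockd",
    "2024-03-04T09:15:03|updater.exe|rename|C:\\Shared\\c.pdf|C:\\Shared\\c.pdf.lockd",
    "2024-03-04T09:15:04|updater.exe|rename|C:\\Shared\\d.txt|C:\\Shared\\d.txt.lockd",
    "2024-03-04T09:15:05|updater.exe|rename|C:\\Shared\\e.csv|C:\\Shared\\e.csv.lockd",
    "2024-03-04T09:15:06|updater.exe|rename|C:\\Shared\\f.docx|C:\\Shared\\f.docx.lockd",
]

def parse_event(line):
    ts, proc, action, old, new = line.split("|")
    return datetime.fromisoformat(ts), proc, action, old, new

def detect_mass_rename(lines, window=timedelta(seconds=30), threshold=5):
    """Return {process: time of first alert} for every process that renames at
    least `threshold` files to one and the same unfamiliar extension within `window`."""
    recent = defaultdict(deque)  # process -> (timestamp, new extension) seen inside the window
    alerts = {}
    for line in lines:
        ts, proc, action, _old, new = parse_event(line)
        if action != "rename":
            continue
        new_ext = os.path.splitext(new)[1].lower()
        if new_ext in KNOWN_EXTENSIONS:
            continue  # report.docx -> report-final.docx is normal work, not a signal
        q = recent[proc]
        q.append((ts, new_ext))
        while ts - q[0][0] > window:  # drop renames that fell out of the window
            q.popleft()
        same_ext = len({ext for _, ext in q}) == 1
        if len(q) >= threshold and same_ext and proc not in alerts:
            alerts[proc] = ts  # a real EDR would suspend the process here
    return alerts
```

Run over the sample events, only updater.exe is flagged, at the fifth rename; the single .bak from the backup tool and the ordinary Office renames stay silent, which is the trade-off every threshold and window setting has to balance.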

Patch management should be systematic, not ad hoc. Establish a process for applying operating system and application updates within a defined window, prioritising internet-facing systems and known critical vulnerabilities.

Email filtering and attachment sandboxing catch many phishing attempts before they reach a user’s inbox. No filter is perfect, but a good one significantly reduces the volume of threats that require a human to make the right decision.

Least privilege access means users only have permission to access the files and systems they need for their role. An attacker who compromises a standard user account should not be able to reach your entire file server.

If You Are Hit

Disconnect affected machines from the network immediately — do not shut them down, as memory can sometimes contain useful forensic information. Notify your IT provider or security contact. Report to Action Fraud (0300 123 2040) and, if personal data is involved, to the ICO within 72 hours.

Do not attempt to interact with attackers without professional guidance. Preserve evidence. Begin recovery from clean backups if available.

The businesses that recover quickly are not the ones that paid. They are the ones that prepared.

DreamThieves helps UK businesses build ransomware resilience through backup auditing, network hardening, and staff awareness training. Find out where your vulnerabilities lie at www.dreamthieves.uk.
DreamThieves Team

A specialist from the DreamThieves cyber security team.