Threats & Attacks

Ransomware

Also known as: Crypto-ransomware, Double extortion

Ransomware is malicious software that encrypts an organisation’s files and demands payment, usually in cryptocurrency, for the key to decrypt them. Modern ransomware operations also steal data before encryption and threaten to publish it if the ransom isn’t paid. This “double extortion” tactic means a ransomware attack is also a data breach.

How ransomware typically gets in

The entry points haven’t changed much in years:

  • Phishing: the user clicks a link, enters credentials, and the attacker uses those credentials to plant the ransomware. See phishing.
  • Unpatched software: especially internet-facing systems like VPNs, remote desktop servers, and email gateways.
  • Weak or reused passwords: on accounts without Multi-Factor Authentication.
  • Compromised suppliers: the attacker breaches an IT supplier and pivots into its customers.
  • Infected removable media: less common now, but it still happens in industrial environments.

What double extortion means

Attackers now copy data out before encrypting it. Even if a business restores from backup and recovers without paying, the attacker still has the data and can publish it or sell it. This turns every ransomware incident into a mandatory ICO notification under UK GDPR.

What businesses should have in place

  • Immutable backups: backups that cannot be altered or deleted by an attacker who’s gained admin access. Offline copies or object-locked cloud storage.
  • Tested recovery: a backup you haven’t tested is a backup that might not work. Schedule actual restores quarterly.
  • Network segmentation: so ransomware in one part of the network can’t spread to everything.
  • MFA on every account: the single biggest defence against the credential theft that enables most ransomware.
  • Patching discipline: especially on internet-facing systems.
  • Incident response plan: who calls whom, who speaks to the press, who contacts the ICO, who pays the legal bills. Written, tested, and known by the people who’d use it.
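The "tested recovery" and "immutable backups" points above are easy to agree with and easy to skip. The following is an added example, not code from this page or from the provider's own tooling, of what a quarterly restore drill should actually check: it builds a small, constructed backup set (a tar.gz archive plus a manifest of SHA-256 digests), restores it into a scratch directory, and compares every restored file against the manifest. The archive format, the directory layout and the sample file contents are assumptions for illustration; in practice the manifest is the artefact you keep on the offline or object-locked copy so an attacker with admin access cannot quietly rewrite both the backup and its record.

```python
"""Backup restore verification drill (added example, not the page's own code).

Builds a constructed backup set, performs a trial restore into a scratch
directory, and checks every restored file against a SHA-256 manifest.
A backup that restores but does not match the manifest is flagged as corrupt,
which is the failure a "backup we never tested" typically hides.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` as tar.gz and return a manifest {relative_path: sha256}.

    The manifest is the record to store on the immutable copy, separately
    from the archive itself (assumption: out-of-band storage is available).
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore `archive` into a throwaway directory and compare with `manifest`.

    Returns {"ok": bool, "missing": [...], "corrupt": [...], "unexpected": [...]}
    so the drill produces an auditable result rather than a printed "looks fine".
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where the interpreter offers it
            # (Python 3.12+ and backports): it rejects absolute paths and
            # path traversal members, so a tampered archive cannot write
            # outside the scratch directory during the drill.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        restored = {p.relative_to(dest).as_posix(): sha256_file(p)
                    for p in dest.rglob("*") if p.is_file()}
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not (missing or unexpected or corrupt),
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def run_drill() -> tuple:
    """Constructed demo: a clean backup passes; an altered one is flagged.

    Sample files and their contents are made up for this example.
    """
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        archive = work / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # Simulate a backup whose contents changed after the manifest was
        # recorded (bit rot, or an attacker rewriting a mutable backup).
        # The new archive is checked against the ORIGINAL manifest.
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,999\n")
        tampered = work / "backup-tampered.tar.gz"
        create_backup(src, tampered)
        altered = verify_restore(tampered, manifest)
    return clean, altered


if __name__ == "__main__":
    clean, altered = run_drill()
    print("clean backup:", clean)
    print("altered backup:", altered)
```

The point of returning a structured result is that a drill should leave evidence: the list of missing, corrupt and unexpected files is what goes into the incident response plan's "can we actually recover?" answer, and a quarterly run of `verify_restore` against the real archives is a far stronger test than confirming the backup job reported success.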

Paying the ransom

The National Cyber Security Centre’s position is clear: paying the ransom doesn’t guarantee recovery, funds further criminal activity, and doesn’t protect you from a repeat attack (research shows paying organisations are more likely to be hit again). Paying ransoms linked to sanctioned groups may also be illegal under UK law. Decisions should involve legal counsel early.

How we help

Our cyber security and managed IT services include the controls above: immutable backups, patch management, MFA, network segmentation, and incident response planning. Sector-specific pages for law firms and accountants cover the extra regulatory steps those professions face.