Ransomware is the cyber threat that turns a quiet Tuesday into an existential crisis: you arrive to find every file scrambled, a ransom note on the screen, and a business that cannot operate. For UK SMEs it is not a rare, exotic risk reserved for big corporations; it is one of the most common and most damaging incidents going, and the way it actually unfolds is far less dramatic and far more preventable than the headlines suggest. This piece explains what ransomware is, how attacks really begin, why paying is the wrong plan, and how the businesses that survive are the ones that prepared.
What ransomware is, and how it has changed
Ransomware is malicious software that encrypts your files so you cannot use them, then demands payment for the key to unlock them. In its simplest form it is digital extortion: your data is held hostage on your own systems. For years that was the whole model, and a good backup was a near-complete answer, because you could simply restore and ignore the demand.
The threat has since evolved into something nastier called double extortion. Modern attackers steal a copy of your data before encrypting it, then threaten to publish it or sell it if you do not pay, even if you can restore from backup. That changes the calculation: it is no longer only an availability problem you can fix with a restore; it is also a data-breach problem with regulatory and reputational consequences. Understanding that shift is essential to defending against it properly.
How attacks really begin (it is rarely dramatic)
The Hollywood image of a hacker hammering a keyboard is misleading. Most ransomware enters through a handful of mundane doors. A phished email gets someone to click or hand over a password. An internet-facing service, a remote-access port or VPN, is exposed and either unpatched or protected only by a weak, reused password. Or a known software vulnerability that was never patched is simply walked through.
Once inside, attackers rarely strike immediately. They move quietly, escalate their access, find the backups and the most valuable data, and only then trigger the encryption, often out of hours to maximise damage before anyone notices. This dwell time is both the danger and the opportunity: it is days or weeks in which good monitoring can catch them, which is exactly the job of managed detection and response. The entry points are ordinary, which is precisely why ordinary controls stop most of them.
- Phishing - a clicked link or a handed-over password
- Exposed remote access - RDP or VPN with weak or reused credentials
- Unpatched vulnerabilities in internet-facing software
- Quiet dwell time inside the network before encryption is triggered, often out of hours
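The two entry points above that leave the clearest trail in ordinary logs are a password that is guessed against exposed remote access and a login that happens out of hours from somewhere the user has never worked from. The following is an added example, not code from the original article, showing the kind of check a monitoring service runs over authentication events: it flags a successful login that follows a burst of failures from the same address, and an out-of-hours login from an address the user has no business-hours history with. The log format, the business hours (Monday to Friday, 08:00 to 18:00) and the sample events are all constructed for the example; real RDP, VPN or Microsoft 365 logs need their own parser.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    service: str   # "rdp", "vpn", ...
    success: bool


@dataclass
class Finding:
    event: AuthEvent
    reasons: List[str]


# Constructed sample events in a simplified "timestamp user source service result"
# form. These are invented for the example, not taken from any real system.
SAMPLE_LOG = """\
2024-03-12T02:14:05 alice 203.0.113.9 rdp FAIL
2024-03-12T02:14:09 alice 203.0.113.9 rdp FAIL
2024-03-12T02:14:13 alice 203.0.113.9 rdp FAIL
2024-03-12T02:14:18 alice 203.0.113.9 rdp FAIL
2024-03-12T02:14:22 alice 203.0.113.9 rdp FAIL
2024-03-12T02:14:27 alice 203.0.113.9 rdp OK
2024-03-12T09:03:41 bob 198.51.100.20 vpn OK
2024-03-12T23:48:02 bob 198.51.100.77 vpn OK
2024-03-13T14:20:00 carol 192.0.2.15 rdp FAIL
2024-03-13T14:20:30 carol 192.0.2.15 rdp OK
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed line format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, service, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, ip, service, result == "OK"))
    return events


def is_out_of_hours(ts: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """Assumed business hours: Monday to Friday, 08:00-18:00 local time."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def find_suspicious_logins(events: List[AuthEvent], fail_threshold: int = 5,
                           window: timedelta = timedelta(minutes=30)) -> List[Finding]:
    """Flag successful logins that follow a failure burst or break the user's normal pattern."""
    events = sorted(events, key=lambda e: e.ts)

    # Baseline: addresses each user has successfully used during business hours.
    # Here it is built from the same batch; in production it would come from prior history.
    baseline: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.success and not is_out_of_hours(e.ts):
            baseline[e.user].add(e.src_ip)

    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    findings: List[Finding] = []
    for e in events:
        key = (e.user, e.src_ip)
        if not e.success:
            failures[key].append(e.ts)
            continue
        reasons = []
        recent = [t for t in failures[key] if e.ts - t <= window]
        if len(recent) >= fail_threshold:
            reasons.append(f"success after {len(recent)} failures within {window}")
        if is_out_of_hours(e.ts) and e.src_ip not in baseline[e.user]:
            reasons.append("out-of-hours login from an address with no business-hours history")
        failures[key].clear()   # a success resets the burst counter for this user/address
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f.event.ts, f.event.user, f.event.src_ip, f.event.service, "; ".join(f.reasons))
```

Run against the sample, the check reports alice's 02:14 RDP login (five failures then a success, out of hours, unknown address) and bob's 23:48 VPN login from an address he has never used in working hours; carol's single mistyped password at 14:20 is left alone. The thresholds are deliberately conservative so the output is a short list someone will actually read.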
Why paying the ransom is the wrong plan
When the note appears, paying can feel like the fast way out. It rarely is. There is no guarantee the criminals hand over a working key, decryption tools are often slow and incomplete, and paying marks you as a business that pays, inviting repeat attacks. With double extortion, paying does not even guarantee the stolen copy is deleted; you are trusting the word of an extortionist that the data is gone.
There are legal and ethical dimensions too. Paying funds organised crime, and depending on who the attacker is, a payment can carry sanctions risk. UK guidance is consistently against paying. The realistic path through a ransomware incident is not the ransom; it is a tested ability to recover your systems and data yourself, plus the breach-response process to handle any stolen data. Which is to say: the plan that works is the one you build before the attack, not the cheque you write during it.
The defences that actually move the needle
Ransomware has well-understood countermeasures, and a small set of them blocks the overwhelming majority of attacks. Multi-factor authentication on email and remote access closes the most common entry points. Prompt patching removes the vulnerabilities attackers rely on. Least-privilege access limits how far an intruder can spread. And staff awareness reduces the clicks that start it all. None of this is exotic; it is the foundation that schemes like Cyber Essentials are built on.
Backups are the last line of defence and the most important one, but only if they are done right. The proven approach is the 3-2-1 rule: three copies, on two types of media, with one kept off-site, and crucially with at least one copy offline or immutable so the ransomware cannot encrypt your backups along with everything else. Backups you have never test-restored are a hope, not a plan; the difference between a bad week and a closed business is whether the restore actually works.
Recovery: the difference between a bad week and a closed business
When prevention fails, recovery decides the outcome, and recovery is mostly about preparation. A written incident-response plan that says who to call, how to isolate affected systems and how to communicate turns chaos into a procedure. Knowing your recovery objectives, how much data you can afford to lose and how long you can be down, tells you whether your backups are actually adequate for the business or just for the IT diagram.
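The 3-2-1 rule from the backups section and the recovery objectives described here are easiest to judge together, because for ransomware the only copies that count are the ones an intruder on the network cannot reach. The following is an added example, not part of the original article, of a posture check that takes an inventory of backup copies and the business's recovery point objective (RPO, how much data it can afford to lose) and recovery time objective (RTO, how long it can afford to be down) and reports where the arrangement falls short. The inventory, the objectives and the 90-day limit on how old a test restore may be are constructed values for the example, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                          # "disk", "tape", "object-storage", ...
    offsite: bool
    offline_or_immutable: bool          # air-gapped, or WORM/object-lock: unreachable from a compromised host
    last_backup: date
    last_test_restore: Optional[date]   # None means never test-restored
    restore_time: Optional[timedelta]   # measured during the last test restore


@dataclass(frozen=True)
class RecoveryObjectives:
    rpo: timedelta   # most data the business can afford to lose
    rto: timedelta   # longest the business can afford to be down
    max_test_age: timedelta = timedelta(days=90)   # assumed policy: how stale a restore test may be


Issue = Tuple[str, str]   # (code, explanation)


def assess_backups(copies: List[BackupCopy], objectives: RecoveryObjectives, today: date) -> List[Issue]:
    """Check the inventory against 3-2-1 plus the ransomware-specific tests; empty list means adequate."""
    issues: List[Issue] = []
    if len(copies) < 3:
        issues.append(("COPIES", f"only {len(copies)} copies; 3-2-1 needs three"))
    if len({c.media for c in copies}) < 2:
        issues.append(("MEDIA", "every copy is on the same type of media"))
    if not any(c.offsite for c in copies):
        issues.append(("OFFSITE", "no copy is kept off-site"))

    # Ransomware that reaches the backup server encrypts every copy it can write to,
    # so RPO, restore testing and RTO are judged on the offline/immutable copies only.
    safe = [c for c in copies if c.offline_or_immutable]
    if not safe:
        issues.append(("SAFE_COPY", "no offline or immutable copy; an intruder can encrypt every backup it can reach"))
        return issues

    newest_age = min(today - c.last_backup for c in safe)
    if newest_age > objectives.rpo:
        issues.append(("SAFE_RPO", f"newest offline/immutable copy is {newest_age.days} days old, beyond the RPO"))

    tested = [c for c in safe
              if c.last_test_restore is not None and today - c.last_test_restore <= objectives.max_test_age]
    if not tested:
        issues.append(("SAFE_TESTED", "no offline/immutable copy has been test-restored within the policy window"))

    measured = [c.restore_time for c in safe if c.restore_time is not None]
    if not measured or min(measured) > objectives.rto:
        issues.append(("SAFE_RTO", "no offline/immutable copy has a measured restore time within the RTO"))
    return issues


# Constructed inventory for a small business: a nightly NAS copy, a cloud sync and a weekly tape.
TODAY = date(2024, 3, 12)
SAMPLE_COPIES = [
    BackupCopy("nas-nightly", "disk", offsite=False, offline_or_immutable=False,
               last_backup=TODAY - timedelta(days=1),
               last_test_restore=TODAY - timedelta(days=30), restore_time=timedelta(hours=4)),
    BackupCopy("cloud-sync", "object-storage", offsite=True, offline_or_immutable=False,
               last_backup=TODAY - timedelta(days=1), last_test_restore=None, restore_time=None),
    BackupCopy("tape-weekly", "tape", offsite=True, offline_or_immutable=True,
               last_backup=TODAY - timedelta(days=6),
               last_test_restore=TODAY - timedelta(days=200), restore_time=timedelta(hours=36)),
]
SAMPLE_OBJECTIVES = RecoveryObjectives(rpo=timedelta(hours=24), rto=timedelta(hours=8))


if __name__ == "__main__":
    for code, why in assess_backups(SAMPLE_COPIES, SAMPLE_OBJECTIVES, TODAY):
        print(f"{code:12} {why}")
```

The sample inventory passes the bare 3-2-1 count (three copies, three media types, two off-site, one offline) and would look fine on an IT diagram, yet the check reports three problems: the only copy ransomware cannot reach is six days old against a one-day RPO, it was last test-restored 200 days ago, and that restore took 36 hours against an eight-hour RTO. Swapping the weekly tape for a daily immutable object-lock copy with a recent, timed test restore clears all three, which is the kind of change the recovery objectives are meant to drive.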
The pattern among businesses that come through ransomware well is consistent: they had clean, tested, isolated backups; they had practised the restore; and they had a plan they could follow under pressure. Those that fold are usually the ones who discovered, after the fact, that the backups were incomplete, online, or never tested. Treat ransomware as a question of when, not if, and invest in backup and disaster recovery before you need it, because afterwards is too late.