Ransomware is malicious software that scrambles your files by encrypting them, then demands a payment to unscramble them. If you want the short version of how to protect your business from ransomware in the UK, it comes down to four things: tested off-site backups you can actually restore from, multi-factor authentication on every account, software updates applied promptly, and decent endpoint protection. Skip those and you are betting that a criminal will keep their word once you have paid. That is not a position any business wants to be in.
Here is what ransomware really does, why the police and the NCSC advise against paying, and the practical steps a smaller business can take without spending a fortune.
What ransomware actually does
An attacker gets into your systems, often through a stolen password, an unpatched server, or someone clicking a convincing email, and then moves quietly across your network. At a moment of their choosing they trigger the encryption. Staff arrive to find documents, accounts files and shared drives unreadable, usually alongside a note on screen demanding payment in cryptocurrency for the key to reverse it.
The damage is rarely just the ransom figure. You might be unable to invoice, take orders, reach customer records or run payroll for days. That downtime, plus the cost of rebuilding systems, the lost work and the staff hours spent recovering, almost always dwarfs the demand itself.
Double and triple extortion
Most gangs have moved on from simply locking files. They now copy your data before encrypting anything, then threaten to publish it unless you pay. That is double extortion. Some push further into triple extortion, contacting your customers or suppliers directly, or knocking your website offline to add pressure.
This matters for one obvious reason: even a perfect backup will not undo the fact that your data has already left the building. Prevention counts as much as recovery. It also means a ransomware incident can become a personal data breach you are legally obliged to handle under UK GDPR and the Data Protection Act 2018.
How common is this, really?
Common enough to take seriously, but not so common that you should lose sleep over it. The government's annual Cyber Security Breaches Survey consistently finds that a large share of UK businesses report some form of cyber breach or attack each year, with phishing by far the most reported type. Ransomware affects a smaller slice, but its share has been climbing, and small and medium businesses are hit disproportionately hard when it lands.
So ransomware is not the most likely thing to happen to you, but it is one of the most damaging. A phishing email might cost you an afternoon. A ransomware attack can stop a 20-person company trading for a fortnight.
Should you ever pay the ransom?
UK law enforcement and the NCSC are clear that they do not encourage, endorse or condone paying. The reasoning is sound.
There is no guarantee. You are dealing with criminals. Paying does not reliably get your files back, and the decryption tools they hand over are often slow or buggy.
It marks you as a payer. Businesses that pay tend to get attacked again, sometimes by the same group.
It funds the next attack. Every payment bankrolls someone else's bad day.
It does not erase a data breach. The Information Commissioner's Office has said it will not treat paying a ransom as a mitigating factor, and a criminal's promise to delete stolen data is worth nothing.
Paying is not illegal in most circumstances, but it should be an absolute last resort taken with professional advice, never a quick fix. The real goal is to never be in a position where it feels like your only option.
Backups are how you recover without paying
If you can restore everything from a clean copy, the demand loses most of its teeth. But not just any backup will do. Attackers deliberately hunt down your backups and delete or encrypt them first, because they know that is your way out.
A backup you can genuinely rely on has three qualities:
Off-site or offline, so it is not sitting on the same network the attacker has just taken over.
Immutable, meaning that once written it cannot be changed or deleted for a set period, even by someone holding admin rights or stolen credentials.
Tested, because a backup is only worth something once you have actually restored from it and know how long that takes.
Plenty of businesses find out too late that their backups had been quietly failing for months, or that a full restore would take a week they cannot afford to lose. A backup you have never tested is a hope, not a plan.
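A restore test in the spirit of the third point, added here as an example and not taken from the original article: it restores a backup archive into a scratch directory, checks every restored file against a SHA-256 manifest, and reports what is missing or corrupt and how long the restore took. The archive layout (the backed-up files plus a MANIFEST.json of hashes) and the sample data are assumptions made for illustration.

```python
"""Restore test for a backup archive: restore into a scratch directory, verify
every file against a SHA-256 manifest, and time the restore. Added example; the
archive layout (files plus MANIFEST.json of SHA-256 hashes) is an assumption."""
import hashlib, io, json, tarfile, tempfile, time
from pathlib import Path

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(files: dict, manifest: dict = None) -> bytes:
    """Constructed in-memory tar.gz 'backup' used as the fixture here. A manifest
    that does not match `files` simulates a silently corrupted or stale backup."""
    manifest = manifest or {n: sha256_bytes(c) for n, c in files.items()}
    members = list(files.items()) + [("MANIFEST.json", json.dumps(manifest).encode())]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in members:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def restore_and_verify(archive: bytes) -> dict:
    """Restore into a throwaway directory, compare each restored file with the
    manifest, and report missing/corrupt files plus how long the restore took."""
    start = time.perf_counter()
    # Use the safe extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        root = Path(scratch)
        manifest = json.loads((root / "MANIFEST.json").read_bytes())
        missing, corrupt = [], []
        for name, expected in manifest.items():
            path = root / name
            if not path.is_file():
                missing.append(name)
            elif sha256_bytes(path.read_bytes()) != expected:
                corrupt.append(name)
    return {"ok": not missing and not corrupt, "files": len(manifest),
            "missing": missing, "corrupt": corrupt,
            "seconds": round(time.perf_counter() - start, 3)}

# Constructed sample data standing in for a small business's shared drive.
SAMPLE = {"accounts/ledger.csv": b"date,amount\n2024-01-05,120.00\n",
          "docs/contract.txt": b"Standard terms of business, v3\n"}

if __name__ == "__main__":
    print(restore_and_verify(make_backup(SAMPLE)))
```

Run against a real archive on a schedule, a non-empty missing or corrupt list (or a restore time longer than the business can tolerate) is the warning the article describes, caught before it matters.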
The defences that stop most attacks
Most ransomware is not clever. It exploits a few predictable gaps, and closing them blocks the large majority of attacks. None of this needs an enterprise budget.
Multi-factor authentication (MFA) on email, remote access and every cloud service. A stolen password is the single most common way in, and MFA makes that password far less useful on its own.
Prompt patching. Apply updates to Windows, your applications and especially anything facing the internet without delay. A lot of attacks rely on flaws that were fixed months earlier.
Endpoint protection, ideally modern EDR (endpoint detection and response) that watches for suspicious behaviour rather than only known viruses, so an attack can be caught mid-spread.
Least-privilege access. Staff should have only the access their role needs, and everyday accounts should not carry admin rights. That limits how far an intruder can travel.
Staff awareness. Your people are the ones who notice the odd email or the login that should not be there. A short, regular conversation about what to watch for beats an annual tick-box course.
Working towards Cyber Essentials certification is a sensible way to confirm these basics are actually in place rather than just assumed.
If it happens: report it and have a plan
Decide in advance who does what, because the morning of a ransomware attack is not the time to be improvising. A one-page incident plan that names who to call, where the backups live and who can authorise decisions will save you hours of confusion.
If you are hit:
Isolate the affected machines by disconnecting them from the network to stop the spread. Do not wipe or shut everything down before getting advice, as that can destroy evidence and recovery options.
Report it to Action Fraud on 0300 123 2040. If you are a business suffering a live attack, that line runs 24 hours a day; their general reporting line is Monday to Friday, 8am to 8pm.
Work out whether personal data was involved. If it was, you may need to notify the ICO within 72 hours under UK GDPR, and possibly the people affected.
Call your IT provider or a specialist to begin a clean recovery from backups.
Where we can help
Most of the ransomware damage we see at SMEs across Berkshire, Oxfordshire and London comes back to the same handful of missing basics: no MFA, patches left undone, or backups nobody had ever tested. If you would like a straightforward review of where you stand, and a clear plan for recovering if the worst happens, the team is happy to take a look and talk it through in plain English.