In this guide we explain what ransomware is, why it poses a growing risk to UK businesses of all sizes, and what you can do to protect against it.
Ransomware attacks on UK businesses doubled in 2025 — and that figure comes not from a security vendor, but from the UK government’s own Cyber Security Breaches Survey. For a growing number of businesses across the country, ransomware is no longer something that happens to other people.
One of the most common things IT teams hear from business owners, however, is: “We’re probably too small to be a target.” The reality is the opposite. Attackers increasingly look for businesses with weaker defences, limited IT resource, and valuable data — a description that fits many UK SMEs in sectors like legal, finance, healthcare and professional services.
What is Ransomware?
Ransomware is a type of malicious software — or malware — that encrypts the files and systems on your devices, making them completely inaccessible. Once encryption is complete, the attacker displays a ransom demand, typically requesting payment in cryptocurrency in exchange for the decryption key needed to restore access.
Imagine arriving at work one morning to find every file on every computer in your business has been locked. Your emails, client records, financial data, project files — all of it unreachable. That is what a ransomware attack looks like in practice.
It’s worth noting one critical point: paying the ransom does not guarantee your data will be returned. The National Cyber Security Centre (NCSC) and UK law enforcement do not encourage or endorse ransom payments.
Double extortion: the added pressure attackers now use
A significant evolution in ransomware tactics over recent years is what’s known as double extortion. Rather than simply encrypting your files, attackers first steal a copy of your sensitive data — and then threaten to publish it publicly if the ransom isn’t paid.
This means that even if a business can restore its systems from backups and avoid paying, the threat of a data leak remains. For businesses handling client data, financial records or confidential contracts, this represents a serious reputational and regulatory risk.
Ransomware-as-a-Service: why attacks are increasing
Ransomware attacks have grown in part because of a disturbing development: Ransomware-as-a-Service (RaaS). Off-the-shelf ransomware kits are now available for purchase on the dark web, some reportedly for as little as £30 a month. This has dramatically lowered the barrier to entry for cybercriminals, increasing both the number of active attackers and the volume of attacks on businesses of all sizes.
How does ransomware get into a business?
Understanding how ransomware enters a business is the first step in knowing how to stop it. Attackers don’t typically break in through brute force — they find the path of least resistance. The most common entry points are:
- Phishing emails: The most frequent cause. A staff member receives a convincing email with a malicious attachment or link, clicks it, and malware is installed. Read our guide to spotting a phishing email for practical advice.
- Compromised remote access: Remote Desktop Protocol (RDP) — commonly used for remote working — is a frequent target. Attackers use stolen or weak credentials to gain access, often via automated tools that try thousands of password combinations.
- Unpatched software: Outdated software with known security vulnerabilities provides attackers with a documented way in. Keeping systems and applications updated is one of the most straightforward ways to close these gaps.
- Malicious downloads: Files downloaded from untrusted sources, or infected USB drives, can introduce malware directly onto a device.
- Supply chain attacks: Attackers increasingly target third-party software vendors or managed service providers as a route into multiple businesses simultaneously. Vetting the security practices of your suppliers matters.
Why are UK SMEs a target?
There is a persistent misconception that ransomware is a problem for large corporations and public sector organisations. While high-profile attacks on hospitals and critical infrastructure make headlines, the majority of ransomware incidents target smaller businesses — and for a straightforward reason: they’re often easier to compromise.
Attackers look for accessible targets with valuable data. UK SMEs often present a combination of factors that make them attractive:
- Limited or no dedicated in-house IT security resource
- Inconsistent patch management and software update practices
- Staff who haven’t received regular cyber awareness training
- Valuable data — client records, financial information, confidential contracts — that creates leverage
- No formal incident response plan, meaning recovery is slower and more costly
Certain sectors face heightened risk due to the nature of their data. Legal firms, accountants, healthcare providers and financial services businesses all handle time-sensitive or confidential information that attackers can use as leverage, or that carries significant regulatory implications if leaked.
What Happens During a Ransomware Attack?
Ransomware attacks rarely happen instantly. Understanding the typical attack lifecycle reveals something important: there is often a window in which the attack can be detected and stopped before serious damage is done.
- Initial access: The attacker gains entry to your network, typically through one of the entry points described above.
- Reconnaissance: Once inside, the attacker often moves quietly through the network for days or even weeks — identifying valuable systems, locating backup files, and mapping the environment. This silent phase is where proactive monitoring can detect and halt an attack before it escalates.
- Credential harvesting: The attacker seeks out admin accounts and higher-privilege access, giving them greater reach when the ransomware deploys.
- Deployment: The ransomware is activated. Files across the network are encrypted rapidly — often within minutes. The attacker may also exfiltrate data at this stage for double extortion.
- Ransom demand: A message is displayed with payment instructions and a deadline. Demands are almost always in cryptocurrency to hinder tracing.
Did you know?
Many businesses discover they have been compromised not when the ransomware deploys, but during the earlier reconnaissance phase — if they have the right monitoring in place. This is one of the strongest arguments for proactive, around-the-clock security monitoring rather than a reactive approach to IT.
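As an added example (not from the original guide), here is the kind of defender-side detection logic that catches the RDP password-guessing described earlier during the quiet phase: it scans a constructed sample of Windows logon events (event IDs 4625 failed and 4624 successful, logon type 10 for RDP), flags any source address that racks up a threshold of failures inside a sliding window, and records whether the same source then logged in successfully. The field layout of the sample export is an assumption for this example.

```python
"""Detect RDP password-guessing and a later successful logon from the same
source in a Windows Security event export. The sample below is constructed
and its field layout is an assumption made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fields: timestamp, event ID (4625 failed logon, 4624 successful logon),
# logon type (10 = RemoteInteractive, i.e. RDP), source IP, account name.
SAMPLE_LOG = """\
2025-03-01T02:14:01 4625 10 203.0.113.7 administrator
2025-03-01T02:14:02 4625 10 203.0.113.7 admin
2025-03-01T02:14:03 4625 10 203.0.113.7 accounts
2025-03-01T02:14:04 4625 10 203.0.113.7 finance
2025-03-01T02:14:05 4625 10 203.0.113.7 j.smith
2025-03-01T02:14:06 4625 10 203.0.113.7 j.smith
2025-03-01T02:14:09 4624 10 203.0.113.7 j.smith
2025-03-01T08:55:10 4625 10 192.0.2.20 m.jones
2025-03-01T08:55:40 4624 10 192.0.2.20 m.jones
"""

FAILED, SUCCESS, RDP = "4625", "4624", "10"

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, src, user = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, src, user))
    return events

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window,
    and record any later RDP success from a flagged source."""
    recent = defaultdict(list)   # src -> [(timestamp, account)] within window
    findings = {}
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type != RDP:
            continue
        if event_id == FAILED:
            recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
            recent[src].append((ts, user))
            if len(recent[src]) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "accounts": set(), "success_after": None})
                f["failures"] = len(recent[src])
                f["accounts"].update(u for _, u in recent[src])
        elif event_id == SUCCESS and src in findings:
            findings[src]["success_after"] = user   # guessed/stolen credential now in use
    return {s: {**f, "accounts": sorted(f["accounts"])} for s, f in findings.items()}
```

Running `find_rdp_guessing(parse(SAMPLE_LOG))` flags 203.0.113.7 (six failures across five accounts, then a success as j.smith), while the single mistyped password from 192.0.2.20 is left alone.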
How to Protect Your Business Against Ransomware
No single tool provides complete protection. The most resilient businesses take a layered approach — combining technical controls, staff awareness and good processes. Here is what that looks like in practice:
- Maintain regular, tested backups - Backups are your most important safety net. If your systems are encrypted, clean backups allow you to restore without paying a ransom. But backups only work if they’re done correctly. Backups must be stored separately from your main network — offline or in isolated cloud storage — so ransomware cannot encrypt them too. They should be taken regularly and, critically, tested. Many businesses discover during an incident that their backups are incomplete or haven’t been verified in months. Find out more about our Backup and Disaster Recovery services.
- Enable Multi-Factor Authentication (MFA) - MFA adds a second layer of verification beyond a password. Even if an attacker obtains or guesses a password, they cannot access the account without the second factor. This is particularly important for email, remote access tools, and admin accounts. Read more about how MFA works and why it matters.
- Keep software and systems patched - Unpatched software is one of the most exploited attack vectors. When vendors release security updates, they are frequently patching known vulnerabilities that attackers will begin targeting immediately. A regular patching schedule — prioritising critical updates — closes a significant proportion of known attack routes.
- Invest in staff awareness training - The majority of ransomware attacks begin with a human action. Regular, practical training helps staff recognise and respond to suspicious activity. This is most effective when it’s ongoing and includes simulated phishing exercises that test awareness in a safe environment.
- Deploy endpoint protection and email filtering - Up-to-date endpoint security on all devices provides a layer of detection and containment if a threat gets through. Email security tools — including spam filtering, anti-malware scanning, and authentication protocols that prevent spoofing — reduce the volume of malicious emails reaching your team. Find out more about our Threat Protection services.
- Apply the principle of least privilege - By ensuring every user has only the access they need to do their job, you limit the damage any single compromised account can cause. Admin privileges in particular should be tightly controlled and reviewed regularly.
- Consider Cyber Essentials certification - Cyber Essentials is a UK government-backed certification covering five key technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. For many SMEs, it is a practical and proportionate starting point for building a defensible security posture — and provides assurance to clients and partners. Find out more about Cyber Essentials certification.
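An added example, not part of the guide or of any vendor's product: one way to make "regular, tested backups" concrete is to record a SHA-256 manifest of the source at backup time and verify the backup copy against it during a restore test, so missing or altered files are reported before an incident reveals them. The directories and sample files below are constructed for the demonstration.

```python
"""Record a SHA-256 manifest of a backup source and verify a copy against it,
so a restore test finds missing or altered files before an incident does."""
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (path relative to root) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def verify_backup(root, manifest):
    """A backup is only trustworthy when 'missing' and 'modified' are both empty."""
    result = {"ok": [], "missing": [], "modified": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_of(path) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: the copy is missing one file and another has been
    overwritten, as happens when ransomware reaches a backup share."""
    src, bak = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name, data in [("clients.csv", b"id,name\n"), ("ledger.xlsx", b"ledger"), ("notes.txt", b"n")]:
        _write(os.path.join(src, name), data)
    manifest = build_manifest(src)
    _write(os.path.join(bak, "clients.csv"), b"id,name\n")
    _write(os.path.join(bak, "ledger.xlsx"), b"ENCRYPTED")
    return verify_backup(bak, manifest)
```

The manifest should itself live with the offline copy, not on the production network, otherwise the same attacker who encrypts the files can also rewrite the checksums.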
What To Do If Your Business Is Hit By Ransomware
Acting quickly and calmly in the first hours can significantly limit the damage. Here are the immediate steps to take:
- Isolate affected devices immediately: Disconnect infected machines from your network — wired and Wi-Fi — to prevent the ransomware spreading.
- Do not pay the ransom: Payment does not guarantee recovery, may invite repeat targeting, and can have legal implications. Treat it as a last resort only, and only after taking legal and forensic advice.
- Contact your IT provider immediately: Escalate straight away. Your IT team can begin containing the incident and assessing the scope of the compromise.
- Report to the NCSC and Action Fraud: UK businesses should report ransomware incidents to the NCSC and Action Fraud. This helps authorities track and respond to attack campaigns.
- Notify the ICO if personal data is involved: Under UK GDPR, if personal data has been compromised you have a legal obligation to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Failure to notify can result in regulatory penalties on top of the incident itself.
- Begin recovery from clean backups: Once the incident is contained and affected systems cleaned, restore from your most recent clean backup.
- Communicate carefully: Both internal and external communication needs careful management. Consider what needs to be disclosed, to whom, and when.
Ransomware readiness: a quick self-assessment
Use this checklist to sense-check your current defences. If you’re answering no or unsure to any of these, it’s worth reviewing that area as a priority.
- Do you have regular, tested backups stored separately from your main network?
- Is MFA enabled across email, remote access and admin accounts?
- Is your software and operating system patching up to date?
- Have staff received cyber awareness training in the last 12 months?
- Do you have endpoint protection deployed on all devices?
- Do you have an incident response plan that key staff members know about?
- Are you Cyber Essentials certified, or working towards it?
Ransomware is a real and growing threat for UK businesses of all sizes — and the statistics confirm that smaller businesses are not exempt. The good news is that the right combination of technical controls, staff awareness and good processes significantly reduces both the likelihood of an attack succeeding and the cost of recovery if one does.
The businesses that recover fastest from ransomware incidents are almost always those that had clean backups, a tested incident response plan, and the right support in place before the attack happened.
Concerned about your ransomware readiness? Our team can review your current defences and identify any gaps - no obligation. Book your free cyber security review today.