Ransomware Protection for UK Businesses: A Practical Guide
Ransomware remains the most damaging cyber threat facing UK SMEs. This practical guide covers the controls that matter most — offline backups, endpoint protection, email filtering, access management — and the response steps that limit damage when ransomware does detonate.
Matt Cannon
Managing Director
The UK Ransomware Reality
Ransomware is not an abstract threat. In 2024, 39% of UK businesses identified a cyber attack, with ransomware accounting for a significant proportion of the most costly incidents. The average UK data breach cost reached £3.4 million in 2024 — and for ransomware incidents, recovery costs including forensics, remediation, downtime and potential regulatory penalties frequently exceed that figure.
UK SMEs are specifically targeted. Ransomware groups operating on a Ransomware-as-a-Service (RaaS) model use affiliates who target businesses of all sizes — not just large enterprises. The misconception that 'we are too small to be worth attacking' is demonstrably false. Small businesses represent attractive targets precisely because they typically have less defensive capability than large organisations.
How Ransomware Reaches Your Business
Ransomware infections follow predictable patterns. The three most common initial access vectors for UK SME ransomware incidents are:
- Phishing emails: Malicious attachments or links that deliver the initial malware payload or steal credentials used for subsequent access
- Exploitation of unpatched internet-facing systems: VPN appliances, Remote Desktop Protocol (RDP), Microsoft Exchange and network edge devices with unpatched critical vulnerabilities
- Compromised credentials: Credentials stolen from phishing or obtained from breach data used to authenticate to VPN, RDP or cloud services
Understanding these three vectors narrows the list of prevention investments that matter most: patch management for internet-facing systems, email security, and MFA on every remote access method.
The Five Controls That Reduce Ransomware Risk Most
1. Offline and Immutable Backups
If ransomware encrypts your data, the ability to restore from a clean backup determines whether you face ransom payment pressure or straightforward recovery. Backups must be:
- Offline or air-gapped: Ransomware specifically targets backup systems — it deletes shadow copies and attempts to encrypt connected backup drives. Backups stored offline (tape, object storage with object lock, air-gapped replication) cannot be encrypted.
- Tested: A backup that has never been successfully tested is a backup you cannot rely on. Test restoration at least quarterly.
- Separated credentials: Backup systems should use credentials independent of your Active Directory domain — a compromised domain admin account should not automatically provide access to delete backups.
- Covering Microsoft 365: Exchange, SharePoint and OneDrive data requires separate backup — Microsoft's infrastructure resilience does not protect against account-level data deletion or encryption.
2. Endpoint Detection and Response (EDR)
EDR detects ransomware behaviour — mass file encryption, shadow copy deletion, anomalous process activity — and can terminate processes and isolate devices automatically. Modern EDR responds in seconds, potentially containing a ransomware attack before encryption is complete. Consumer antivirus does not have this capability.
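The two behaviours named above, shadow copy deletion and mass file encryption, are what an EDR's behavioural rules look for. As an added example (not AMVIA's code or any vendor's EDR), this script applies both detections to constructed endpoint telemetry; the event format, process names and paths are assumptions for illustration.

```python
# Added example (not AMVIA's or any EDR vendor's code): two behavioural detections
# an EDR would run, applied to constructed endpoint telemetry (not real logs).
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Each event: (timestamp, event kind, pid, process image, detail)
EVENTS = [
    ("2024-06-01T09:00:00", "process_create", 4120, "vssadmin.exe",
     "vssadmin delete shadows /all /quiet"),                       # shadow copy deletion
    ("2024-06-01T09:05:00", "file_rename", 800, "explorer.exe",
     r"C:\Users\alice\draft.txt -> C:\Users\alice\final.txt"),     # benign rename
    ("2024-06-01T09:06:00", "file_rename", 902, "convert.exe",
     r"C:\Users\alice\a.docx -> C:\Users\alice\a.pdf"),            # benign extension change
]
# 25 documents renamed to a new extension by one process within five seconds
EVENTS += [
    (f"2024-06-01T09:00:{2 + i // 5:02d}", "file_rename", 4122, "update.exe",
     rf"C:\Users\alice\Docs\file{i}.docx -> C:\Users\alice\Docs\file{i}.docx.lkd")
    for i in range(25)
]

def detect_shadow_copy_deletion(events):
    """Flag process creations whose command line deletes volume shadow copies."""
    return [e for e in events if e[1] == "process_create"
            and "vssadmin" in e[4].lower() and "delete shadows" in e[4].lower()]

def detect_mass_encryption(events, threshold=20, window=timedelta(seconds=60)):
    """Flag a process that changes the extension of >= threshold files inside one window."""
    renames = defaultdict(list)                      # (pid, image) -> [(time, new ext)]
    for ts, kind, pid, image, detail in events:
        if kind != "file_rename":
            continue
        src, dst = detail.split(" -> ")
        if ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower():
            renames[(pid, image)].append((datetime.fromisoformat(ts), ntpath.splitext(dst)[1]))
    alerts = []
    for (pid, image), proc_events in renames.items():
        proc_events.sort()
        for i, (start, _) in enumerate(proc_events):
            burst = [e for e in proc_events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append({"pid": pid, "process": image, "count": len(burst), "extension": burst[-1][1]})
                break                                # one alert per process is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(EVENTS) + detect_mass_encryption(EVENTS):
        print("ALERT:", alert)
```

In a real EDR the alert would trigger process termination and host isolation; here it only reports, so the logic can be read and tuned (threshold and window) against your own telemetry.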
3. Email Security
Anti-phishing email filtering (Safe Attachments, Safe Links, AI-based impersonation detection) reduces the volume of malicious content reaching users. DMARC/DKIM/SPF prevents domain spoofing. Encrypted email reduces the risk of interception of sensitive attachments that could be weaponised.
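DMARC and SPF only stop spoofing when the published records actually enforce. As an added example (not AMVIA's code), this script checks DMARC and SPF TXT records for the common weak settings; the records are constructed, and the finding codes are an assumption for illustration.

```python
# Added example (not AMVIA's code): assess DMARC and SPF TXT records for the
# settings that leave a domain spoofable. The records below are constructed.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"

def parse_tags(record: str) -> dict:
    # Split a 'k=v; k=v' TXT record into a dict with lower-cased keys
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return (code, explanation) findings; an empty list means the record enforces."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return [("DMARC_MISSING", "no DMARC record: receivers cannot reject spoofed mail")]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append(("DMARC_P_NONE", "p=none only monitors; move to quarantine, then reject"))
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append(("DMARC_SP_NONE", "sp=none leaves subdomains spoofable"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("DMARC_PCT", f"policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("DMARC_NO_RUA", "no rua= address: you will not see who is spoofing the domain"))
    return findings

def assess_spf(record: str) -> list:
    """Return (code, explanation) findings for an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("SPF_MISSING", "no SPF record: any server may send as this domain")]
    mechs = [t.lower() for t in terms[1:]]
    findings = []
    if "+all" in mechs or "all" in mechs:
        findings.append(("SPF_PLUS_ALL", "+all authorises every sender; end the record with -all"))
    elif not any(m.endswith("all") for m in mechs):
        findings.append(("SPF_NO_ALL", "no 'all' term: unlisted senders are not failed"))
    # RFC 7208 caps DNS-querying terms at 10; beyond that receivers return permerror
    lookups = sum(m.lstrip("+-~?").split(":")[0].split("=")[0] in
                  ("include", "a", "mx", "ptr", "exists", "redirect") for m in mechs)
    if lookups > 10:
        findings.append(("SPF_LOOKUP_LIMIT", f"{lookups} DNS lookups exceeds the limit of 10"))
    return findings
```

Feed it the TXT records from your own DNS (the `_dmarc` subdomain and the apex domain); a move from p=none to p=reject is the change that actually blocks spoofing.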
4. MFA on All Accounts and Remote Access
MFA prevents compromised credentials from being used to authenticate to VPN, RDP or cloud services. It is the single highest-impact control against credential-based initial access, blocking over 99.9% of automated credential attacks according to Microsoft's telemetry.
5. Patch Management
Apply critical and high-severity patches within 14 days — the Cyber Essentials requirement and the NCSC's recommended baseline. Prioritise internet-facing systems: VPN appliances, Exchange, web-facing applications and any remote access infrastructure. Automated patch management reduces the operational burden and eliminates the risk of patches being delayed indefinitely.
Ransomware Response: The First 60 Minutes
If ransomware detonates in your environment, the first hour determines the scope of damage. The priority sequence:
- Isolate immediately: Disconnect affected machines from the network — unplug Ethernet, disable WiFi, kill VPN connections. Stop the spread before investigating.
- Do not reimage: Preserve forensic evidence. How the attackers got in must be understood before you rebuild, so that you do not restore the same vulnerability along with the systems.
- Notify your IT partner or MDR provider: Engage specialist incident response support — AMVIA's MDR clients have a dedicated 24/7 emergency contact for exactly this scenario.
- Notify your cyber insurer: Most policies require prompt notification — delayed notification can affect coverage.
- Assess GDPR obligations: If personal data has been encrypted or exfiltrated (common with double extortion), begin the 72-hour ICO notification assessment.
- Do not pay immediately: Take time to understand the scope before making any payment decision — and involve law enforcement and legal counsel first.
Cyber Essentials as a Ransomware Baseline
The five Cyber Essentials controls — secure configuration, patch management, access control, malware protection and firewalls — address the most common ransomware delivery and propagation mechanisms. Cyber Essentials certification is an appropriate baseline for UK businesses and a condition of many cyber insurance policies and government supply chain requirements.
Could Your Business Recover From a Ransomware Attack Today?
AMVIA can assess your current ransomware defences and backup resilience — giving you a clear answer to that question, and a plan to address any gaps.
Frequently Asked Questions
Yes. Ransomware-as-a-Service has democratised ransomware deployment: affiliates use automated tools to scan for vulnerable systems and deploy ransomware at scale, targeting businesses of all sizes. Small businesses represent attractive targets because they typically have less defensive capability than large enterprises while still holding valuable data. NCSC data consistently shows SMEs accounting for a significant proportion of UK ransomware victims. 70% of UK ransomware attacks resulted in data being encrypted in 2025, up sharply from 46% in 2024 and above the global average of 50% (UK Government).
Average UK data breach costs reached £3.4 million in 2024, but ransomware incident costs vary enormously based on the scope of encryption, recovery capability, downtime duration and whether personal data was exfiltrated. For SMEs, costs of £50,000–£500,000 are commonly reported for significant incidents, inclusive of forensics, IT recovery, business interruption and potential regulatory penalties. Businesses with tested offline backups typically incur significantly lower recovery costs. The average cost of recovery from a ransomware attack in the UK (excluding the ransom) is $2.58 million, including downtime, lost opportunities and device repairs (UK Government).
Double extortion involves attackers exfiltrating data (copying it to their servers) and then encrypting it (making it inaccessible). They then threaten to publish the exfiltrated data on a dedicated leak site if the ransom is not paid. This creates pressure even for organisations with clean backups: refusing to pay the ransom still carries the risk of sensitive data being published. Preventing exfiltration requires EDR and network monitoring capable of detecting unusually large outbound data transfers. 42% of UK respondents cited a lack of cybersecurity skills as a primary reason for falling victim to ransomware (UK Government).
Cyber insurance is worth having, but not as a substitute for prevention. Insurance covers incident response costs, business interruption losses, ransom payment (in some policies, subject to conditions) and third-party liability. However, premiums have increased significantly and insurers are increasingly requiring evidence of baseline security controls (Cyber Essentials, MFA, tested backups) as conditions of cover. Having controls in place reduces premium costs as well as ransomware risk. The NCSC managed 20 ransomware incidents in 2024, 13 of which were classified as nationally significant, up from 10 in 2023 (UK Government).
Cyber Essentials' five controls directly address common ransomware vectors: patch management removes known exploitation pathways; secure configuration reduces attack surface; malware protection detects ransomware payloads; access control limits the blast radius; firewalls restrict unnecessary inbound connections. CE certification demonstrates these controls are in place and is increasingly required by cyber insurance underwriters and government supply chain requirements. Malware and ransomware alone accounted for 51% of all UK cyber insurance claims in 2024, up from 32% of claims in 2023 (Insurance Journal).