What Is Ransomware? A Plain English Guide for Business
Ransomware is malware that encrypts your files and demands payment for the decryption key. It is the most financially damaging form of cyber attack facing UK businesses today, costing organisations millions in recovery costs, downtime and reputational damage. This guide explains how it works, how attacks unfold and what businesses can do about it.
Ollie Hill-Haimes
Sales Director
The Simple Explanation
Ransomware is malicious software (malware) that takes your data hostage. When ransomware executes on a computer or server, it rapidly encrypts files — documents, spreadsheets, databases, emails, images — using cryptographic keys that only the attacker holds. The encrypted files become unreadable. The attacker then demands payment (typically in cryptocurrency) in exchange for the decryption key needed to restore access.
The 'ransom' analogy is accurate. Like a kidnapping, the attacker controls something you need (access to your data) and will return it only if you pay their price — and even then, payment is no guarantee of recovery.
How Ransomware Reaches Your Business
Ransomware does not appear from nowhere. It follows a deliberate delivery process:
The Most Common Delivery Routes
- Phishing emails: A user receives an email with a malicious attachment (a Word or Excel document with an embedded macro, or a PDF carrying a malicious link or script) or a link to a malicious webpage. When the attachment is opened or the link clicked, a loader runs and the ransomware payload is downloaded and executed.
- Compromised credentials: Attackers obtain usernames and passwords from phishing attacks, data breach databases or by brute-forcing weak passwords. They then use these credentials to log into internet-facing services — VPN, Remote Desktop (RDP), or cloud applications — and deploy ransomware from inside the network.
- Unpatched vulnerabilities: Some ransomware campaigns exploit known software vulnerabilities to gain access without any user interaction. The WannaCry attack in 2017 (which disrupted NHS services) exploited an unpatched Windows SMBv1 vulnerability (MS17-010, the 'EternalBlue' exploit) to spread automatically from machine to machine across networks; a patch had been available for two months before the outbreak.
What Happens During a Ransomware Attack
A typical ransomware attack follows this sequence:
- Initial access: The attacker gains a foothold — via phishing, compromised credentials or vulnerability exploitation
- Reconnaissance: The attacker explores the network to understand what is valuable: file servers, databases, backup systems, domain controllers
- Credential harvesting: The attacker steals additional credentials (often administrator accounts) to expand access and ensure persistence
- Data exfiltration (in double extortion attacks): Sensitive data is copied to the attacker's servers before encryption, creating additional leverage
- Detonation: The ransomware is deployed across the network, encrypting files on workstations, file servers and potentially cloud-synced storage
- Ransom note: A message appears on infected systems (and often in encrypted folders as a text file) explaining what happened and providing instructions for payment
The first four stages, from initial access to exfiltration, may take days or weeks; this is the 'dwell period', and it is the window in which an attack can still be detected and stopped before any damage is done. Detonation and the ransom note happen rapidly, in minutes to hours, and are the point at which most organisations discover the attack.
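The detonation stage is the one most organisations notice, and it has a file-system signature that does not depend on recognising a particular malware family: one account touching a large number of files in a short time, almost all of them ending up with the same new extension, followed by the same note file being dropped into many folders. The Python script below is an added example, not AMVIA's code, that runs those two behavioural checks over a constructed set of file-server audit events. The log format, sample paths, account names and thresholds are assumptions chosen for illustration.

```python
"""Behavioural detection of the ransomware detonation stage.

Added example, not AMVIA's code. Looks for what ransomware does to a file
server (a burst of writes/renames with one new extension, and one note file
dropped into many folders) rather than for a known malware sample.
The log format, sample paths and thresholds are assumptions.
"""
import os
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per account
MIN_EVENTS = 20                  # writes/renames inside WINDOW before we look closer
DOMINANT_SHARE = 0.8             # one extension accounting for this share of them
NOTE_DIR_THRESHOLD = 5           # same filename written into this many directories


def build_sample_log():
    """Constructed audit events: '<iso-timestamp> <user> <ACTION> <path>' (assumed format)."""
    lines = [
        "2025-06-01T09:00:01 alice WRITE /srv/fs01/finance/Q1-report.xlsx",
        "2025-06-01T09:00:15 bob WRITE /srv/fs01/hr/policy.docx",
        "2025-06-01T09:02:40 alice WRITE /srv/fs01/finance/budget.xlsx",
    ]
    start = datetime(2025, 6, 1, 9, 5, 0)
    folders = ["finance", "hr", "legal", "sales", "ops", "board"]
    # bob's (compromised) account renames 30 files to a new extension in 30 seconds ...
    for i in range(30):
        ts = (start + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} bob RENAME /srv/fs01/{folders[i % len(folders)]}/doc{i}.docx.locked")
    # ... then drops the same ransom note into every folder
    ts = (start + timedelta(seconds=31)).isoformat(timespec="seconds")
    for folder in folders:
        lines.append(f"{ts} bob WRITE /srv/fs01/{folder}/README_TO_RESTORE.txt")
    return "\n".join(lines)


def parse(log_text):
    """Parse log lines into (timestamp, user, action, path), oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def detect(log_text, window=WINDOW, min_events=MIN_EVENTS, note_dirs=NOTE_DIR_THRESHOLD):
    """Return alerts as (kind, user, detail, count), at most one per user / note filename."""
    alerts = []
    recent = defaultdict(deque)        # user -> deque of (timestamp, extension) inside window
    flagged_users = set()
    note_locations = defaultdict(set)  # filename -> directories it has been written to
    flagged_notes = set()

    for ts, user, action, path in parse(log_text):
        if action not in ("WRITE", "RENAME"):
            continue
        ext = os.path.splitext(path)[1].lower()
        q = recent[user]
        q.append((ts, ext))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()

        # Check 1: mass modification dominated by a single (new) extension
        if user not in flagged_users and len(q) >= min_events:
            top_ext, n = Counter(e for _, e in q).most_common(1)[0]
            if n / len(q) >= DOMINANT_SHARE:
                alerts.append(("mass-modification", user, top_ext, len(q)))
                flagged_users.add(user)

        # Check 2: the same filename fanned out across many directories (ransom note)
        if action == "WRITE":
            name = os.path.basename(path)
            note_locations[name].add(os.path.dirname(path))
            if name not in flagged_notes and len(note_locations[name]) >= note_dirs:
                alerts.append(("ransom-note-fanout", user, name, len(note_locations[name])))
                flagged_notes.add(name)
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)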
Real UK Examples
Ransomware is not an abstract threat. UK organisations affected by significant ransomware attacks include:
- NHS England (June 2024): A ransomware attack on NHS pathology services provider Synnovis caused widespread disruption to blood testing services across London hospitals, resulting in postponed operations and emergency blood shortages. The attack was attributed to the Qilin ransomware group.
- Royal Mail (January 2023): A ransomware attack disrupted international parcel and letter services for several weeks. Royal Mail refused to pay a reported £65.7 million ransom demand.
- Numerous UK SMEs: The NCSC's incident data records hundreds of ransomware incidents against UK small businesses each year that do not reach the headlines — but have equally severe consequences for the affected organisations.
Double Extortion: When Encryption Is Not Enough
Modern ransomware groups have refined their approach. Rather than simply encrypting files, they first exfiltrate (copy) the data before encrypting. They then threaten to publish sensitive data on a dedicated 'leak site' on the dark web if payment is not made.
This double extortion model creates pressure even for organisations with clean backups who could restore without paying for a decryption key. The threat of customer data, contracts, employee records or commercially sensitive information being published publicly adds a second lever.
What Ransomware Costs
The costs of a ransomware incident go well beyond any ransom payment:
- Ransom payment (if paid): UK businesses have paid ransoms ranging from thousands to millions of pounds. The average ransom demand has increased year-on-year.
- Downtime and business interruption: Average recovery time from a significant UK ransomware incident is approximately 21 days. During that period, business operations may be severely disrupted or halted.
- Incident response and forensics: Professional incident response costs typically range from £20,000 to £200,000+ depending on the scope of investigation required.
- Regulatory consequences: If personal data was exfiltrated, ICO notification and potential enforcement action adds cost and reputational risk.
- Reputational damage: Customer, partner and supplier confidence is affected, particularly if client data was involved.
Can You Recover Without Paying?
Yes — if you have clean, tested offline backups. This is why backup resilience is the most important control for minimising the impact of a ransomware attack that succeeds in penetrating your defences. Businesses with offline backups can restore their data without relying on the attacker's decryption key, removing the primary financial leverage.
Note: clean backups address the encryption element but do not address the double extortion threat of data publication. Preventing data exfiltration in the first place — through rapid detection during the dwell period — remains important alongside backup resilience.
Could Your Business Recover from Ransomware Today?
Most businesses overestimate their ransomware resilience. AMVIA can assess your backup architecture, endpoint protection and incident response readiness — giving you an honest answer.
Frequently Asked Questions
Law enforcement, the NCSC and cybersecurity professionals generally recommend against paying. Payment does not guarantee data recovery, funds criminal organisations, may violate sanctions rules in some cases (if the ransomware group is sanctioned), and can mark your business as a compliant payer making you a target again. The practical alternative is restoring from offline backups — which is why backup resilience is the most important investment against ransomware. <strong>Average cost of recovery</strong> from a ransomware attack in the UK (excluding the ransom): $2.58 million, including downtime, lost opportunities, and device repairs. <em>(UK Government)</em>
Yes. Ransomware that compromises a user's device can encrypt locally synced OneDrive or SharePoint files, which then sync the encrypted versions to the cloud. Microsoft 365 provides version history and can restore to a previous version, but this process is not always straightforward under incident conditions. A dedicated third-party backup for Microsoft 365 provides more reliable and faster recovery. <strong>Ransomware payment averages reached £435,000 in Q1 2025</strong> — with the median payment rising to $200,000 (approximately £157,000), an 80% increase quarter-on-quarter (Coveware/Veeam data). <em>(Sophos)</em>
Average recovery time from a significant UK ransomware incident is approximately 21 days. This varies enormously depending on the scope of encryption, backup architecture, incident response capability and IT complexity. Businesses with tested offline backups and a documented incident response plan recover significantly faster. Businesses without offline backups that refuse to pay may face complete data loss for affected systems. <strong>54% of UK firms</strong> experienced ransomware attacks in a 12-month period in 2024; of those, 59% paid the ransom (CyPro Consulting, 2025). <em>(Sophos)</em>
Both are types of malware. A virus is malware that replicates and may cause various types of damage — corrupting files, harvesting data, enabling remote control of a system. Ransomware is a specific type of malware with a defined purpose: encrypting files and demanding payment for their recovery. Ransomware is typically delivered through phishing or exploited vulnerabilities rather than traditional virus self-replication mechanisms. <strong>Marks & Spencer</strong> estimated losses of £300 million in operating profit and a £750 million drop in market value following their 2025 ransomware attack. <em>(Sophos)</em>
Yes. Modern ransomware is designed to spread laterally across a network after initial infection, encrypting files on shared drives, other workstations and servers. Network segmentation (VLANs separating workstations, servers and backup systems), disabling unnecessary file shares and keeping admin credentials separate from user credentials all limit the blast radius when ransomware does detonate on a single device. <strong>More than 55% of manufacturers</strong> experienced a ransomware incident in the past year; of these, most did not result in extended production stoppages because attacks were blocked or contained before fully deploying. <em>(UK Government)</em>
Related Reading
Ransomware Protection for UK Businesses | AMVIA Guide
The practical controls — backups, EDR, email filtering, MFA — that form the foundation of ransomware protection.
Preventing Malware & Ransomware Attacks | Business Guide
How ransomware enters business networks and the controls that prevent it at each stage.
Ransomware Protection | Safeguarding Business in 2025
How the ransomware threat has evolved in 2025 and the defences that address current tactics.