Ransomware remains the single largest cyber risk to UK small and mid-sized businesses. It is not an “if” question anymore: the question is whether you can recover quickly enough that the attack does not put you out of business. This article covers what ransomware actually does, how it gets in, and the controls that work.
What ransomware does
A ransomware payload encrypts your files (often including network shares, USB drives plugged in at the time of infection, and any cloud storage syncing via a desktop client) then demands payment for the decryption key. Modern variants also steal a copy of the data first, threatening to publish it if you do not pay. The double extortion model means backups alone are no longer a complete defence, although they are still the most important one.
How it gets in
The three most common entry points in 2026 are:
- Phishing email. An attachment or link tricks a user into running a downloader. Often well targeted, and often sent through a compromised supply-chain contact (your accountant, your IT supplier, your insurer).
- Compromised remote access. Exposed RDP, weak VPN credentials, or an MFA-less administrator account. The attacker logs in, deploys the payload manually.
- Unpatched software. A known vulnerability in a public-facing service (VPN appliance, mail server, firewall) gets exploited. Patch lag of a few weeks is enough.
The controls that actually work
Defence in depth, in this order of impact:
1. Offsite, immutable backup
The single most important control. If your backup is on a network share that the ransomware can reach, it will encrypt that too. You need a copy offsite, immutable (cannot be deleted or modified for a retention window), and tested. Our Managed Backup Services offering uses Veeam with immutable repositories on our Ceph cluster in our ISO 27001 Sheffield data centre.
2. Multi-factor authentication on everything
Email, VPN, remote access, cloud admin consoles. Authenticator app or hardware key. SMS is acceptable for low-risk accounts but not for privileged ones.
3. Patch within 30 days
Operating systems, browsers, public-facing services. Automated patching where possible. The vendor’s advisory is your patch deadline, not a suggestion.
4. Email filtering with sandboxing
Microsoft 365 or Google Workspace at the Business Premium tier or above, plus a third-party email gateway if you handle frequent invoice or supplier correspondence.
5. Endpoint detection and response (EDR)
Not legacy antivirus. EDR products (Microsoft Defender for Business, CrowdStrike, SentinelOne) detect ransomware behaviour patterns, not just known signatures.
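To illustrate what "behaviour patterns, not just known signatures" means in practice, here is a small Python detector, added for this article and not code from HA Hosting or any EDR vendor, run over constructed file-activity events. The process names, paths, thresholds and window size are invented for the example; a real EDR uses richer telemetry and tuned thresholds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # sliding window over which activity is counted (assumed)
MIN_FILES = 20                   # distinct files touched within the window (assumed)
MIN_DIRS = 3                     # distinct folders touched within the window (assumed)

def parse(line):
    # Constructed event format: "<iso timestamp> <process> <op> <path>"
    ts, proc, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, op, path

def detect(lines):
    """Return {process: first-alert timestamp} for processes whose file activity
    looks like mass encryption: many distinct files across many folders, fast."""
    recent = defaultdict(deque)   # process -> deque of (timestamp, path)
    alerts = {}
    for line in lines:
        ts, proc, op, path = parse(line)
        if op not in ("write", "rename", "delete"):
            continue
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        files = {p for _, p in q}
        dirs = {p.rsplit("/", 1)[0] for p in files}
        if proc not in alerts and len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            alerts[proc] = ts
    return alerts

def constructed_events():
    """Constructed sample telemetry: one benign editor, one mass-renaming process."""
    base = datetime(2026, 3, 1, 9, 0, 0)
    ev = []
    # Benign: a user saving the same document repeatedly in one folder (many writes, one file)
    for i in range(25):
        t = (base + timedelta(seconds=i * 2)).isoformat()
        ev.append(f"{t} winword.exe write /shares/finance/report.docx")
    # Suspicious: one process renaming every file in several share folders within seconds
    n = 0
    for folder in ("finance", "hr", "sales", "ops"):
        for i in range(8):
            n += 1
            t = (base + timedelta(seconds=60 + n)).isoformat()
            ev.append(f"{t} updater.exe rename /shares/{folder}/doc{i}.xlsx.locked")
    return ev

if __name__ == "__main__":
    for proc, ts in detect(constructed_events()).items():
        print(f"ALERT {ts.isoformat()} {proc}: mass file modification across folders")
```

The benign editor generates more events than the threshold but touches one file in one folder, so it is never flagged; the renaming process trips the rule as soon as it has touched 20 files in 3 folders, well before it finishes.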
6. Network segmentation
If your finance server, your file server and your factory PLCs are all on the same flat network, ransomware spreads to all of them at the same time. Even basic VLAN segmentation slows lateral movement.
7. Tested incident response plan
Three pages of plain text: who to call, who to tell, how to isolate, how to restore. Rehearse it once a year. The middle of an attack is not when you write this.
If you are hit
Disconnect affected systems from the network immediately (cable out, not shutdown). Call your IT supplier and your cyber insurance broker. Do not pay before talking to law enforcement (NCSC’s Action Fraud, or your local police cyber unit). Restoration from a clean offsite backup is the goal, not negotiation.
Where HA Hosting fits
The first control above (offsite immutable backup) is what we do. Our Managed Backup Services offering covers Veeam licensing, monitoring and restore on your behalf, with the backup data immutable in our UK Sheffield data centre. If you want to run the backup tooling yourself, UK Cloud Backup from £14 per TB per month gives you the storage.