Interested in our Cybersecurity Framework?
Interested in a Free Phishing Security Test?
If you're interested in assessing the Phish-prone percentage of your users, contact us to arrange a free simulated phishing attack.
Take Control of Your SaaS Risk
How Much Risk Comes with Local Admin Rights?
Ransomware continues to be a high-volume threat targeting UK small and mid-sized organisations.
In the UK, up to two-thirds of organisations experienced a cyber attack in 2025, with phishing remaining the most common entry point into ransomware campaigns across organisations. Attackers prioritise organisations with valuable data, limited internal security capability, and predictable user behaviour.
This article outlines how a typical ransomware attack unfolds against a UK organisation with 30–400 users, and the practical controls-often already included in Microsoft 365 or standard security tooling that would prevent it.
Why UK Organisations Are a Primary Target
Ransomware is now one of the most significant cyber threats facing UK organisations. While high-profile incidents dominate the media, attackers increasingly focus on SMEs because:
- They hold operationally critical data (finance systems, customer records, shared drives)
- They often lack dedicated security oversight
- They are more likely to prioritise recovery over investigation
From an attacker’s perspective, this is not high-risk activity, it is a repeatable business model.
How a Typical Ransomware Attack Unfolds
Stage 1: Target Selection and Open-Source Research
Attackers build targets using publicly available information:
- Company websites and job adverts
- LinkedIn profiles (roles, responsibilities)
- Public sector or supplier contracts
This process can take under an hour and identifies:
- Who handles finance or payroll
- Who can approve payments
- Which systems are likely in use
This aligns with broader UK threat intelligence that attackers exploit publicly available organisational data and weak governance controls.
Stage 2: Credential Access via Phishing or Data Reuse
The most common entry point remains phishing.
UK data shows phishing is involved in 85% of cyber incidents affecting businesses.
Attackers combine this with:
- Reused passwords from historic breaches
- Credentials harvested from infected personal devices
- Automated credential testing against Microsoft 365 or cloud services
At this stage, attackers are looking for valid logins.
Stage 3: MFA Bypass and Account Takeover
Many organisations assume multi-factor authentication (MFA) is sufficient. It is necessary but not sufficient on its own.
Modern attacks use adversary-in-the-middle (AiTM) phishing, which:
- Mimic legitimate login pages
- Capture credentials and authentication responses
- Steal session tokens once access is granted
These techniques can bypass traditional MFA controls in real time, allowing attackers to access systems as if they were a legitimate user.
Stage 4: Persistence and Internal Visibility
Once access is achieved, attackers do not act immediately. Instead, they:
- Create inbox forwarding rules
- Monitor finance, supplier, and project communications
- Identify insurance limits and cash flow
This “dwell time” is critical. It allows attackers to:
- Set a ransom that is likely to be paid
- Time the attack for maximum operational disruption
Stage 5: Encryption and Business Disruption
Ransomware is typically deployed:
- Out of hours or late in the working week
- When key staff are unavailable
- When response time will be delayed
The impact is immediate:
- Files and systems become inaccessible
- Operations halt
- A ransom demand is issued
For UK organisations, the consequences extend far beyond the ransom itself. The average cost of a significant cyber attack is close to £195,000 when downtime, recovery, and legal obligations are included.
Five Controls That CWould Have Prevented the Attack
The most important takeaway for UK organisations is this:
The controls to help prevent these attacks are typically already available within existing platforms.
1. Enforced Password Hygiene and Breach Detection
- Block known compromised passwords
- Enforce unique credentials
- Use password managers
This removes the value of purchased or reused credentials.
2. Phishing-Resistant Authentication
Standard MFA is not enough.
Organisations should adopt:
- Passkeys or FIDO2 hardware keys
- Windows Hello for Business
- Conditional access based on device compliance
These measures significantly reduce the effectiveness of AiTM attacks.
3. Restriction of Email Forwarding Rules
Block automatic forwarding to external inboxes at tenant level.
This prevents attackers from silently observing communications and extracting intelligence.
4. Active Monitoring of Security Alerts
Most organisations already generate alerts but do not act on them.
For example:
- New inbox rules
- Suspicious sign-ins
- Unusual access patterns
The issue is not tooling. It is visibility and ownership.
5. Controlled Exposure of Sensitive Roles
Public-facing team information should be reviewed.
Oversharing role responsibilities (e.g. “handles payroll and payments”) increases targeting risk.
This is a governance issue not a technical one.
Three Questions Every Board Should Ask
To reduce ransomware risk quickly, leadership teams should ask:
- Are we using phishing-resistant authentication for privileged and finance accounts?
- Is external email forwarding restricted across Microsoft 365?
- Are security alerts actively reviewed and acted upon?
These questions align directly with common failure points in UK breach investigations.