Ransomware Attacks on UK Organisations

Ransomware Attacks on UK Organisations
Cybersecurity Strategy Pillars graphic. Depicts 6-tiers in a pyramid. From the top, the tiers read: Vision, Mission, Objectives, Strategy, Approach, and Tactics.

Interested in our Cybersecurity Framework?

Visit our article on how to organise an effective cybersecurity strategy to download a copy of our framework.

Interested in a Free Phishing Security Test?

VirtueUK are partners with KnowBe4, the world's largest security awareness training and simulated phishing platform.

If you're interested in assessing the Phish-prone percentage of your users, contact us to arrange a free simulated phishing attack.

Take Control of Your SaaS Risk

Former employees shouldn't retain access to business-critical systems. Discover how a structured offboarding process can reduce security risks, improve compliance, and eliminate costly zombie accounts.

How Much Risk Comes with Local Admin Rights?

Local administrator access gives users more control - but it can also give attackers a faster path to your systems and data. Learn how removing unnecessary admin rights can strengthen security without impacting productivity.

Ransomware continues to be a high-volume threat targeting UK small and mid-sized organisations.

In the UK, up to two-thirds of organisations experienced a cyber attack in 2025, with phishing remaining the most common entry point into ransomware campaigns across organisations. Attackers prioritise organisations with valuable data, limited internal security capability, and predictable user behaviour.

This article outlines how a typical ransomware attack unfolds against a UK organisation with 30–400 users, and the practical controls-often already included in Microsoft 365 or standard security tooling that would prevent it.

Why UK Organisations Are a Primary Target

Ransomware is now one of the most significant cyber threats facing UK organisations. While high-profile incidents dominate the media, attackers increasingly focus on SMEs because:

  • They hold operationally critical data (finance systems, customer records, shared drives)
  • They often lack dedicated security oversight
  • They are more likely to prioritise recovery over investigation

From an attacker’s perspective, this is not high-risk activity, it is a repeatable business model.

How a Typical Ransomware Attack Unfolds

Stage 1: Target Selection and Open-Source Research

Attackers build targets using publicly available information:

  • Company websites and job adverts
  • LinkedIn profiles (roles, responsibilities)
  • Public sector or supplier contracts

This process can take under an hour and identifies:

  • Who handles finance or payroll
  • Who can approve payments
  • Which systems are likely in use

This aligns with broader UK threat intelligence that attackers exploit publicly available organisational data and weak governance controls.

Stage 2: Credential Access via Phishing or Data Reuse

The most common entry point remains phishing.

UK data shows phishing is involved in 85% of cyber incidents affecting businesses.

Attackers combine this with:

  • Reused passwords from historic breaches
  • Credentials harvested from infected personal devices
  • Automated credential testing against Microsoft 365 or cloud services

At this stage, attackers are looking for valid logins.

Stage 3: MFA Bypass and Account Takeover

Many organisations assume multi-factor authentication (MFA) is sufficient. It is necessary but not sufficient on its own.

Modern attacks use adversary-in-the-middle (AiTM) phishing, which:

  • Mimic legitimate login pages
  • Capture credentials and authentication responses
  • Steal session tokens once access is granted

These techniques can bypass traditional MFA controls in real time, allowing attackers to access systems as if they were a legitimate user.

Stage 4: Persistence and Internal Visibility

Once access is achieved, attackers do not act immediately. Instead, they:

  • Create inbox forwarding rules
  • Monitor finance, supplier, and project communications
  • Identify insurance limits and cash flow

This “dwell time” is critical. It allows attackers to:

  • Set a ransom that is likely to be paid
  • Time the attack for maximum operational disruption

Stage 5: Encryption and Business Disruption

Ransomware is typically deployed:

  • Out of hours or late in the working week
  • When key staff are unavailable
  • When response time will be delayed

The impact is immediate:

  • Files and systems become inaccessible
  • Operations halt
  • A ransom demand is issued

For UK organisations, the consequences extend far beyond the ransom itself. The average cost of a significant cyber attack is close to £195,000 when downtime, recovery, and legal obligations are included.

Five Controls That CWould Have Prevented the Attack

The most important takeaway for UK organisations is this:

The controls to help prevent these attacks are typically already available within existing platforms.

1. Enforced Password Hygiene and Breach Detection

  • Block known compromised passwords
  • Enforce unique credentials
  • Use password managers

This removes the value of purchased or reused credentials.

2. Phishing-Resistant Authentication

Standard MFA is not enough.

Organisations should adopt:

  • Passkeys or FIDO2 hardware keys
  • Windows Hello for Business
  • Conditional access based on device compliance

These measures significantly reduce the effectiveness of AiTM attacks.

3. Restriction of Email Forwarding Rules

Block automatic forwarding to external inboxes at tenant level.

This prevents attackers from silently observing communications and extracting intelligence.

4. Active Monitoring of Security Alerts

Most organisations already generate alerts but do not act on them.

For example:

  • New inbox rules
  • Suspicious sign-ins
  • Unusual access patterns

The issue is not tooling. It is visibility and ownership.

5. Controlled Exposure of Sensitive Roles

Public-facing team information should be reviewed.

Oversharing role responsibilities (e.g. “handles payroll and payments”) increases targeting risk.

This is a governance issue not a technical one.

Three Questions Every Board Should Ask

To reduce ransomware risk quickly, leadership teams should ask:

  1. Are we using phishing-resistant authentication for privileged and finance accounts?
  2. Is external email forwarding restricted across Microsoft 365?
  3. Are security alerts actively reviewed and acted upon?

These questions align directly with common failure points in UK breach investigations.