Ransomware attracts more cybersecurity coverage than almost any other threat — and most of that coverage is about large organisations. Hospital networks paralysed. Logistics companies brought to a standstill. Government departments locked out of their systems. The implication, sometimes explicit, is that ransomware is an enterprise problem.
It isn't. This guide explains what ransomware actually is, why small businesses are increasingly in the crosshairs, what the realistic cost of an attack looks like, and — most importantly — what genuinely reduces the risk.
What Ransomware Is
Ransomware is a category of malicious software that encrypts files on a victim's systems, making them inaccessible, and then demands payment — the ransom — in exchange for the decryption key. Modern ransomware typically also exfiltrates data before encrypting it, threatening to publish the stolen information on criminal leak sites if the ransom isn't paid. This is called double extortion, and it means that restoring from a backup no longer fully resolves the incident.
The encryption process itself can complete in under ten minutes on a file server. By the time most organisations notice something is wrong, the damage is done.
How Ransomware Gets In
Understanding the entry points is important because prevention is considerably cheaper than response. The three most common entry vectors for ransomware in small UK businesses are:
Phishing Emails
A staff member receives an email that appears to be from a trusted source — a supplier, a bank, a delivery company — and clicks a link or opens an attachment. The link delivers a downloader. The attachment executes a macro. Within minutes, malware has established a foothold on the endpoint.
Exposed Remote Desktop Protocol (RDP)
RDP is the technology that allows remote access to Windows computers. Thousands of UK businesses have RDP ports exposed to the internet — often because someone enabled remote access during the pandemic and never properly secured or disabled it. Criminal groups scan the entire internet for open RDP ports and use automated tools to test them with stolen credential lists. When they find a match, they're in.
Unpatched Software Vulnerabilities
Vendors release security patches to fix known vulnerabilities in their software. Ransomware gangs track vulnerability disclosures and develop automated exploits within days of a patch being published — targeting the organisations that haven't yet applied it. Small businesses, which often lack dedicated IT management, are disproportionately slow to patch.
What Ransomware Costs a Small Business
The ransom demand itself is often the smallest component of the total cost, and many organisations that pay find that it doesn't resolve the incident in any case. The full cost of a ransomware incident for a small UK business typically includes:
- Incident response and recovery costs: Engaging a specialist firm, rebuilding systems, and restoring data from backup — if backups exist and haven't been compromised — typically runs to tens of thousands of pounds even for small environments.
- Downtime: The average UK small business spends two to three weeks fully recovering from a ransomware incident. For a professional services firm, that's two to three weeks of near-zero productivity.
- Regulatory consequences: If personal data was exfiltrated, the ICO must be notified within 72 hours. Fines for inadequate security measures can range from £8,000 to £175,000 for small organisations, plus mandatory notification to affected individuals.
- Reputational damage: Clients and referrers discover that their supplier was breached. In professional services sectors — law, accountancy, financial advice — the reputational consequence can be severe and long-lasting.
- Cyber insurance implications: Claims push premiums up. Insurers increasingly require evidence of security controls — including continuous monitoring — before paying out.
The UK Government's Cyber Security Breaches Survey puts the average cost of a cyber incident at £15,300 for small businesses. In practice, ransomware incidents typically exceed this significantly.
What Backups Do and Don't Protect Against
The standard advice — keep good backups — is correct but incomplete. Backups protect against data loss. They do not protect against:
- Data exfiltration — the attacker already has a copy of your files, whether or not you can restore yours
- ICO notification requirements — triggered by the exfiltration, not by whether you recovered your data
- The downtime during investigation and recovery — even with good backups, rebuilding and verifying systems takes time
- Backup-aware ransomware — modern ransomware variants specifically target and encrypt backup systems, particularly network-attached storage and cloud sync folders
Backups are a recovery tool. Preventing the attack from succeeding in the first place requires detection capability — the ability to identify the attacker's presence and activity before the encryption payload executes.
What Actually Stops Ransomware
Effective ransomware prevention operates across two time horizons: preventing entry, and detecting presence before the payload executes.
Preventing entry means patching software promptly, securing or disabling exposed remote access, training staff to recognise phishing, and implementing multi-factor authentication on all external-facing services. These are foundational controls that every organisation should have in place — and Cyber Essentials certification provides a framework for implementing them systematically.
Detecting presence is the role of continuous monitoring. Ransomware attacks don't happen instantaneously — there is typically a period of days to weeks between initial compromise and the execution of the encryption payload, during which the attacker is mapping the network, escalating privileges, disabling security tools, and staging the ransomware. A Security Operations Centre with behavioural detection capability can identify this activity and disrupt the attack before the encryption payload ever runs.
This is the gap that most small businesses have: good perimeter defences, no internal monitoring. The attacker gets in through a phishing email, and from that point onwards, nobody is watching.
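As an added illustration of the RDP entry vector described above and of the kind of behavioural detection a monitoring service runs against it, here is a small Python detector written for this article (not SOC in a Box code) that reads constructed Windows Security logon records and flags an address that cycles through a credential list and then succeeds. The record field names, the threshold and the window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields (not real logs):
# id 4625 = failed logon, 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP).
def _ev(minute, second, event_id, src, user):
    return {"time": f"2024-05-01T02:{minute:02d}:{second:02d}", "id": event_id,
            "logon_type": 10, "src": src, "user": user}

SAMPLE_EVENTS = (
    # one external address trying a list of usernames five seconds apart, then getting in
    [_ev(0, i * 5, 4625, "203.0.113.7", u) for i, u in enumerate(
        ["admin", "administrator", "office", "backup", "sales", "reception",
         "scanner", "finance", "guest", "it", "support", "owner"])]
    + [_ev(1, 5, 4624, "203.0.113.7", "office")]
    # a staff member on the LAN mistyping a password once, then logging in normally
    + [_ev(3, 0, 4625, "10.0.0.15", "jane"), _ev(3, 20, 4624, "10.0.0.15", "jane")]
)

def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag any source with >= threshold failed RDP logons inside a sliding window.
    Severity is raised to 'high' if that same source later logs in successfully,
    which is the moment the article describes as "they're in"."""
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    failures = defaultdict(list)   # src -> timestamps of recent failed logons
    users = defaultdict(set)       # src -> distinct usernames attempted
    alerts = {}
    for e in rdp:
        t, src = datetime.fromisoformat(e["time"]), e["src"]
        if e["id"] == 4625:
            # keep only failures still inside the window, then add this one
            failures[src] = [x for x in failures[src] if t - x <= window] + [t]
            users[src].add(e["user"])
            if len(failures[src]) >= threshold:
                alert = alerts.setdefault(
                    src, {"src": src, "severity": "medium", "success_as": None})
                alert["failures"] = len(failures[src])
                alert["users_tried"] = len(users[src])
        elif e["id"] == 4624 and src in alerts:
            # a success from an address already spraying credentials is the real alarm
            alerts[src]["severity"] = "high"
            alerts[src]["success_as"] = e["user"]
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the records would come from the Security event log via a log collector or SIEM rather than an inline list, and the internal user's single mistyped password never reaches the threshold.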
Detect Ransomware Before It Executes
SOC in a Box provides continuous monitoring that detects the lateral movement, privilege escalation, and tool staging that precede ransomware deployment — giving your named analyst time to intervene before your files are encrypted. From order to live monitoring in five working days.