Cyber Awareness Training Data Breaches and their consequences Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Working Practices

Ransomware 101:  What Every SME Needs to Know

Ransomware is something that we tend to only hear about when it hits the news, usually referring to an attack on a major corporate organisation or a government body.  But it’s happening to a much wider range of businesses, and it tends to be a very much under-reported issue, particularly when it affects SMEs, which it does more often than you’d think. In a post last week, I referred to the attack on Knights of Old, a mid-sized transport company which was taken down in a very short space of time by a ransomware attack, from which they never recovered.  I wrote a piece a couple of months ago which highlighted the issue of under-reporting.  I won’t regurgitate it here, but if you want to read up on it, the link is Under-reported security incidents.

Overall, SMEs are particularly vulnerable because they often lack robust cybersecurity resources and recovery capabilities. A ransomware attack can have severe and often disproportionate impacts on small or medium-sized businesses:

  • Operational disruption: Critical systems and data become inaccessible, halting day-to-day business activities.
  • Financial loss: Costs may include ransom payments, recovery expenses, lost revenue, and potential regulatory fines.
  • Data loss or exposure: Sensitive customer or business data may be encrypted, stolen, or leaked.
  • Reputational damage: Loss of customer trust can lead to reduced sales and long-term brand harm.
  • Legal and compliance risks: Breaches of data protection laws (i.e. GDPR) can trigger investigations and penalties.
  • Business continuity risk: In severe cases, prolonged downtime can threaten the survival of the business.

Let’s now use a scenario to illustrate the problem.  The scenario is fictitious but has been constructed from real events.

It started like an ordinary Tuesday morning for BrightLane Logistics, a 45-person SME based just outside Manchester. They specialised in same-day delivery for local retailers, and their entire operation depended on a cloud-based booking system, a small internal server, and a handful of laptops used by dispatchers and drivers.

The Entry Point

At 9:12 AM, Sarah, a finance assistant, received what appeared to be a routine email from a known supplier. The message referenced an overdue invoice and urged her to review an attached document. The email address looked legitimate at a glance, just one letter off from the real domain.

Busy and under pressure, Sarah downloaded the attachment: “Invoice_April2026.xlsm.”

When she opened it, nothing obvious happened, just a blank spreadsheet and a prompt to “Enable Content.” She clicked.

That single action executed a hidden macro. Within seconds, a small piece of malicious code connected to a remote server and quietly installed ransomware on her machine.

Attackers do their homework.  They will have spent time profiling this company and its staff.  They will have researched them on Companies House, seen their last financial postings, and will have carried out various innocuous social engineering exercises to discover who does what within the company, and who their suppliers and customers are.  They maximise the chance of an employee clicking the link in the email.

The Spread

Because BrightLane had weak internal network segmentation and shared admin credentials across several systems, the malware didn’t stay contained. It harvested saved passwords from Sarah’s machine and moved laterally across the network.

By lunchtime:

  • The shared file server was infected
  • The dispatch system was compromised
  • Backup drives connected to the network were also encrypted

No alarms were triggered.  BrightLane had basic antivirus, but no advanced detection or monitoring tools.

The Detonation

At 2:03 PM, screens across the office flickered.

Files began changing names. Systems slowed to a crawl. Then everything locked.

A message appeared:

“Your files have been encrypted.

To regain access, pay X Bitcoin within 72 hours.

After that, your data will be permanently deleted.”

Phones started ringing immediately. Drivers couldn’t access delivery routes. Customers couldn’t place orders. The warehouse team had no visibility of scheduled shipments.  Operations ground to a halt.

The Immediate Consequences

Within hours:

  • All deliveries stopped
  • Customer service was overwhelmed
  • Financial systems were inaccessible
  • Staff were sent home early

The managing director, Tom, faced a brutal reality: the company could not operate.

They contacted their IT support provider, but it quickly became clear:

  • Backups were unusable (they had been encrypted too)
  • No incident response plan existed
  • Recovery could take weeks, if at all possible

The Decision Point

The ransom demand equated to roughly £120,000.

Paying it came with no guarantee of recovery as well as potential legal and ethical implications. Not paying meant:

  • Permanent data loss
  • Severe operational disruption
  • Potential business closure

Meanwhile, the attackers escalated pressure by threatening to leak sensitive customer data.

The Longer-Term Impact

Over the following weeks:

Financial Damage

  • Lost revenue from halted operations
  • Cost of external cybersecurity experts
  • Legal and regulatory compliance expenses

Reputational Harm

  • Customers lost trust
    • Key clients moved to competitors

Regulatory Consequences

  • A data breach investigation was triggered
    • Potential fines for failing to protect customer data

Internal Fallout

  • Staff morale dropped sharply
    • Leadership faced scrutiny over the lack of preparedness

The Aftermath

BrightLane eventually chose not to pay the ransom. They rebuilt their systems from scratch, but it took nearly a month to resume partial operations.

By then:

  • 30% of their customer base was gone
    • Cash reserves were severely depleted
    • The company had to downsize

The Lesson

The attack didn’t rely on sophisticated zero-day exploits.  This wasn’t one failure; it was a chain of small, common weaknesses, which, taken together, created a complete business shutdown:

  • One phishing email
  • One click
  • One flat network
  • One set of shared credentials
  • One poorly designed backup system

For BrightLane, the ransomware attack wasn’t just an IT issue; it became an existential business crisis.

SMEs can’t do everything, and if I were to prioritise measures that could produce the biggest risk reduction, taking into account limited budgets, I would recommend the following:

  • MFA everywhere (especially email & admin accounts)
  • Offline/immutable backups
  • Cyber Awareness training for staff and managers
  • EDR instead of basic antivirus
  • Remove shared admin credentials
  • Network segmentation (even simple VLANs)
  • Some form of managed detection and response

Don’t think it won’t happen to you.  It can and does happen to SMEs in the UK, many of whom pay up and don’t report it.  I understand why they do this, but it doesn’t help the overall problem, as it disguises the frequency and the damage done.  It’s much cheaper in the long run to take preventative action than it is to try to recover once it’s happened.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide, please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or drop us an email:

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top