Small Business Guide to Stopping Ransomware Attacks

Ransomware is no longer just a problem for big corporations—it’s a very real, very present threat to UK small businesses. With more organisations digitising operations, relying on remote work, and storing sensitive data online, cybercriminals are shifting their attention toward smaller, less protected targets. If you think your small business is too small to be attacked, think again.

In fact, according to the Cyber Security Breaches Survey 2024, almost a third of UK businesses reported a cyberattack or breach in the past 12 months, with ransomware becoming increasingly common. And it’s not just the ransom itself—downtime, data loss, customer distrust, and potential legal consequences can cripple a business. This guide breaks down ransomware threats in plain language and outlines 15 actionable steps to help UK small business owners prevent, prepare for, respond to, and stop ransomware attacks.

What is Ransomware?

Ransomware is a form of malware designed to block access to a computer system or data, usually by encrypting it, until a sum of money is paid. This can affect everything from individual files to entire networks, locking employees out of crucial data and grinding business operations to a halt. The attackers typically demand payment in cryptocurrencies like Bitcoin, as these are difficult to trace.

Common Ransomware Variants

While ransomware can appear in many forms, here are some of the most widespread and dangerous variants targeting UK businesses:

• CryptoLocker: One of the earliest forms of widespread ransomware, CryptoLocker encrypts user files and demands payment for a decryption key. It often arrives via malicious email attachments and is notorious for spreading quickly via mapped network drives.
• WannaCry: This notorious variant made global headlines in 2017 when it took down NHS systems and affected over 200,000 computers across 150 countries. It exploited vulnerabilities in outdated versions of Microsoft Windows and spread without needing user interaction, highlighting the importance of timely software updates.
• LockBit: Known for targeting small to medium businesses, LockBit uses highly automated tools to identify vulnerabilities quickly. Once inside, it spreads laterally across a network, encrypting as much data as possible, and often disables security tools to avoid detection.
• Ryuk: Often deployed in targeted attacks, Ryuk is used in conjunction with other malware like TrickBot to first gain access and then escalate privileges. It’s designed to lock down entire networks and demand massive ransom payments, frequently going after businesses in healthcare, education, and public infrastructure.
• Conti: A ransomware-as-a-service (RaaS) group, Conti’s operators recruit affiliates to spread the malware. They’re known for their double extortion tactics—encrypting data and threatening to leak it if the ransom isn’t paid. Conti often targets critical services and delays detection by remaining dormant before launching encryption.

For up-to-date ransomware activity and active threats, consult Ransomware.Live.

15 Actionable Steps To Stop Ransomware Attacks

1. Create a Cybersecurity Policy

A written cybersecurity policy acts as the foundation for your digital safety practices. It defines acceptable behaviours, outlines employee responsibilities, and sets clear expectations. Key elements to include:

• Device usage rules (company vs personal devices)
• Internet browsing and software download guidelines
• Data classification and handling procedures
• Incident reporting protocol

This document should be tailored to your business size, industry, and threat level. Make this policy mandatory reading for all staff during onboarding and conduct annual reviews. Encourage feedback and adapt it based on new risks or operational changes. The Cyber Essentials Readiness Toolkit is a great starting point.

2. Keep All Software Up-To-Date

Unpatched software is a prime target for ransomware. Outdated operating systems, browsers, and plugins often contain known vulnerabilities that attackers can exploit. Regular updates fix these holes before they can be abused.

• Enable automatic updates wherever possible
• Schedule a monthly manual check for systems that can’t update automatically
• Use patch management software for network-wide visibility

Create a software inventory to track update status and assign responsibility for monitoring updates. Tools like Ninite Pro or PDQ Deploy simplify the process across multiple devices, ensuring consistency.

3. Use Strong, Unique Passwords with Multi-Factor Authentication (MFA)

Password-related breaches are one of the top attack vectors. To prevent them:

• Require complex passwords of at least 12 characters
• Prohibit password reuse across accounts
• Use password managers like 1Password or Bitwarden to store and generate secure credentials
• Enable MFA on all accounts, especially admin, email, and cloud storage

Implementing MFA significantly reduces the chance of unauthorised access. Consider using biometric authentication or hardware tokens (e.g., YubiKey) for high-security areas.

4. Backup Everything, Frequently

The best defense against ransomware is a reliable backup. Use the 3-2-1 strategy:

• 3 copies of your data
• Stored on 2 different media
• With 1 backup stored offsite or offline (air-gapped)

Set automated daily backups and test the restore process monthly. Include system images as well as file-level backups. Services to consider:

• Acronis Cyber Protect
• Backblaze for Business
• CrashPlan for Small Business

5. Segment Your Network

Network segmentation limits the spread of ransomware once it gets in. Divide your network by function:

• Separate networks for staff, guests, IoT devices, and servers
• Implement firewalls between segments
• Use VLANs and subnetting to control traffic flow

This approach allows for better control, visibility, and containment of malware. Regularly audit your network map and restrict access between segments unless absolutely necessary.

6. Train Your Staff to Spot Phishing

Phishing is the most common delivery method for ransomware. Regular training helps employees identify and report suspicious emails.

• Train quarterly with realistic phishing simulations
• Teach staff to verify email senders, look for spelling errors, and hover over links before clicking
• Encourage a “stop and check” culture—when in doubt, verify

Training should be interactive and engaging. Reward employees who report phishing attempts and create a safe environment to report mistakes without punishment.

7. Use Antivirus and Endpoint Protection

Free antivirus tools are not enough. Invest in enterprise-grade endpoint protection:

• Use behavioural detection to catch new threats
• Deploy across all endpoints, including mobile devices and remote users
• Centralise logging, quarantine, and alerting features

Consider tools with AI-based threat detection and rollback features. Top providers include:

• Sophos Intercept X
• Bitdefender GravityZone
• ESET PROTECT

8. Disable Macros and Script Execution by Default

Office macros and script files (.js, .vbs) are common ransomware vectors.

• Configure Microsoft Office to disable macros unless signed or approved
• Enable warnings before executing script files
• Block PowerShell, VBScript, and JavaScript from unauthorised use

Advanced protections:

• Use AppLocker or Windows Defender Application Control to allow only approved applications
• Disable Windows Script Host if unused in your environment

9. Secure Remote Access

With remote work, remote access tools like RDP or VPNs are essential—but they must be secured:

• Disable RDP if not in use
• Use business-grade VPNs with MFA (e.g., NordLayer, Perimeter 81)
• Whitelist IP addresses and monitor login attempts
• Apply strict session timeout and idle lock policies

Keep VPN clients and firewalls up-to-date, and avoid using outdated remote desktop tools.

10. Join the NCSC’s Early Warning Service

The NCSC Early Warning Service alerts you to:

• Malware infections
• Phishing attacks using your domain
• Breached credentials seen on the dark web

This free tool helps you act quickly if your business is targeted or already compromised. Integrate these alerts into your incident response procedures.

11. Get Certified with Cyber Essentials

Cyber Essentials certification shows customers and partners you take security seriously. It’s also a requirement for some public sector contracts.

• Cyber Essentials: Self-assessed with technical controls
• Cyber Essentials Plus: Independently audited verification

Benefits:

• Reduce risk of common attacks by up to 80%
• Potentially lower cyber insurance premiums
• Boost business reputation and customer trust

Apply via IASME Consortium or an authorised certification body.

12. Monitor Your Systems 24/7

Real-time monitoring helps detect unusual activity before it’s too late. Look for:

• Unusual login times, failed login attempts, or logins from new locations
• Unexpected software installations or configuration changes
• Spikes in data transfer, CPU usage, or network traffic

Invest in Security Information and Event Management (SIEM) tools. Monitoring platforms:

• CrowdStrike Falcon
• Datadog Security Monitoring
• AlienVault OSSIM

13. Limit User Privileges

Don’t give users more access than they need. Follow the principle of least privilege:

• Use standard user accounts for non-administrative tasks
• Limit admin rights to IT and essential personnel only
• Apply role-based access controls (RBAC)
• Schedule periodic audits of user privileges and access logs

Prevent users from installing software or changing system settings unless explicitly authorised.

14. Build an Incident Response Plan

Preparation is key. Your incident response (IR) plan should include:

• Designated roles and responsibilities
• Contact list for IT, legal, PR, and law enforcement
• Steps to isolate infected devices and disconnect from networks
• Communication plan (internal and external)
• Backup and recovery procedures

Rehearse the plan with simulations or tabletop exercises at least twice a year. Store both digital and hard copies in accessible locations.

15. Don’t Pay the Ransom

Paying ransom encourages attackers and doesn’t guarantee data recovery. In fact:

• You may still not receive a working decryption key
• You become a repeat target or placed on a “willing to pay” list
• You risk violating laws if the payment supports sanctioned groups

Instead, focus on reporting and recovery:

• Report to Action Fraud
• Notify the Information Commissioner’s Office (ICO) if personal data is affected
• Work with cybersecurity professionals to assess and mitigate damage

Conclusion

Ransomware is one of the most pressing cybersecurity threats for UK small businesses today—but it’s not unbeatable. With proper planning, employee training, and a few key investments in technology, you can protect your business from even the most sophisticated attacks.

Stay informed, stay vigilant, and most importantly—take action before it’s too late. The tools and resources are out there. Start using them today.

Key Resources

• Cyber Essentials Readiness Toolkit
• Action Fraud
• Ransomware.Live
• National Cyber Security Centre
• Cyber Aware UK
• Information Commissioner’s Office

Want help implementing any of the above? Consider speaking with a Cyber Essentials certified provider or managed IT services provider in your area