Help Guide for Ransomware and What to Do If It Happens and How to Prevent It

Ransomware is every small business owner's nightmare—your files encrypted, criminals demanding payment. This guide covers what to do if it happens, whether to pay, and most importantly, how to prevent it in the first place.

Written by CTC Editorial (Editorial Team)

What Is Ransomware?

The Simple Explanation

Ransomware is malicious software that encrypts your files—documents, photos, databases, everything—making them unreadable. The criminals then demand payment (usually in cryptocurrency) for the decryption key.

What you see:

  • Files won't open
  • Strange file extensions (.encrypted, .locked, random strings)
  • A ransom note (text file or wallpaper) demanding payment
  • Possibly a countdown timer

What's happened:

  • Malware has encrypted your data
  • Without the key, files are unrecoverable
  • Criminals control whether you get that key

How Bad Is It?

For small businesses, ransomware can be devastating:

  • Average ransom demand: £10,000-50,000 for small businesses
  • Average downtime: 21 days
  • Recovery cost: Often 5-10x the ransom (lost business, IT costs, reputation)
  • 60% of small businesses that suffer a major cyber attack close within 6 months

This isn't fear-mongering—it's reality. But it's also largely preventable.

If You're Hit Right Now

Step 1: Don't Panic (But Act Fast)

Take a breath. Panicked decisions make things worse.

Immediately:

1. Disconnect affected computers from the network (unplug ethernet, turn off WiFi)

2. Don't turn computers off (forensic evidence may be lost)

3. Don't pay immediately (more on this below)

4. Document everything (photos of ransom notes, affected systems)

Step 2: Assess the Damage

Determine:

  • Which computers/servers are affected?
  • What data is encrypted?
  • Are backups intact? (Check without connecting them to the infected network)
  • Is the ransomware still spreading?

Check backups carefully:

  • Are they accessible?
  • Were they connected during the attack? (If so, they may also be encrypted)
  • How recent are they?

Step 3: Report It

In the UK, report to:

Action Fraud: 0300 123 2040 or actionfraud.police.uk

  • UK's national fraud reporting centre
  • Creates official record
  • May help others

National Cyber Security Centre (NCSC): ncsc.gov.uk/report

  • Technical guidance available
  • May have information about specific ransomware

Your cyber insurance provider (if you have one):

  • They often have incident response teams
  • May cover costs
  • Call immediately

ICO (Information Commissioner's Office):

  • Reporting is required within 72 hours if personal data is affected
  • ico.org.uk
  • Failure to report can result in fines

Step 4: Decide on Recovery Approach

Option A: Restore from Backups

If you have good backups:

1. Ensure backups are clean (not infected)

2. Completely wipe affected systems

3. Reinstall operating systems fresh

4. Restore data from backups

5. Change all passwords

6. Implement better security

This is the preferred option if backups exist.

Option B: Check for Free Decryption Tools

Some ransomware families have had their encryption broken or their keys recovered:

  • No More Ransom: nomoreransom.org
  • Free decryption tools for known ransomware variants
  • Check before paying—your ransomware may be decryptable

Option C: Professional Help

Cybersecurity firms specialise in incident response:

  • May find ways to recover data
  • Can safely contain and remove threat
  • Document for insurance/legal purposes
  • Expensive but often worth it

Option D: Pay the Ransom

Last resort. See section below.

Should You Pay the Ransom?

The Official Advice

UK government and NCSC advise against paying:

  • No guarantee you'll get files back
  • Funds criminal organisations
  • Makes you a target for future attacks
  • May be illegal (sanctions on some criminal groups)

The Reality

Some businesses pay because:

  • No backups exist
  • Data is business-critical
  • Downtime cost exceeds ransom
  • Insurance covers it

Statistics on paying:

  • ~65% who pay get some data back
  • ~25% get all data back
  • ~35% don't get usable decryption
  • ~80% who pay are attacked again

If You're Considering Paying

1. Try everything else first (backups, No More Ransom, professional help)

2. Get professional advice (incident response firm, cyber insurance)

3. Negotiate (ransoms are often negotiable—don't pay the first demand)

4. Understand the risks (may not work, legal implications)

5. Document everything (for insurance, legal, tax purposes)

Never pay without exhausting alternatives.

Recovery Process

Short-Term (First 48 Hours)

1. Contain the threat

  • Isolate infected systems
  • Identify how it got in
  • Close that entry point

2. Assess business impact

  • What can't you do?
  • What's urgent?
  • Who needs to know?

3. Communicate

  • Staff: What's happening, what to do
  • Customers: If their data is affected
  • Partners: If they might be at risk

4. Begin recovery

  • Start with most critical systems
  • Restore from clean backups
  • Or begin rebuild from scratch

Medium-Term (First 2 Weeks)

1. Restore operations

  • Prioritise business-critical systems
  • Work through in order of importance
  • Test everything before relying on it

2. Investigate root cause

  • How did they get in?
  • Phishing email?
  • Vulnerable software?
  • Weak password?

3. Implement immediate fixes

  • Patch what let them in
  • Reset all passwords
  • Review access controls

4. Document everything

  • For insurance claims
  • For compliance requirements
  • For internal learning

Long-Term (Months After)

1. Full security review

  • What went wrong?
  • What needs to change?
  • Investment required?

2. Implement proper protection

  • See prevention section below
  • Don't let this happen again

3. Staff training

  • How to spot threats
  • What to do if suspicious
  • Regular refreshers

4. Test your defences

  • Simulated phishing
  • Backup restoration tests
  • Incident response drills

Prevention: Stop It Happening

The Big Three

Most ransomware is preventable with three things:

1. Good Backups

If you have clean, recent backups, ransomware is an inconvenience, not a catastrophe.

Backup rules:

  • 3-2-1 rule: 3 copies, 2 different media, 1 offsite
  • Offline backup: At least one backup that's not connected
  • Regular testing: Verify you can actually restore
  • Automated: Don't rely on humans remembering

Good backup solutions:

  • Cloud backup (Backblaze, Carbonite, cloud provider backup)
  • Local backup (external drive, rotated offsite)
  • Both (belt and braces)
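The "regular testing" rule above, and the "check backups carefully" step in the incident section, both come down to one question: does the backup actually restore? The script below is an added example (not from the original article) that archives a directory, restores the archive into an empty scratch directory and compares per-file checksums; all paths are assumptions, and it assumes a Linux host with tar, sha256sum, cmp and diff.

```shell
#!/bin/sh
# Added example, not from the original article: a restore test for a backup.
# It archives a directory, restores the archive into an empty scratch directory,
# and compares per-file SHA-256 checksums, so "can we actually restore?" is
# answered by running a script rather than by assumption. All paths are
# assumptions; point it at a real data directory and your backup location.
# Requires tar, sha256sum, cmp and diff (standard on Linux).
set -eu

# Write a sorted "checksum  path" manifest of every file under $1 to stdout.
tree_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# Archive the contents of directory $1 into tar file $2.
make_backup() {
    tar -C "$1" -cf "$2" .
}

# Restore archive $1 into empty directory $2 and compare it with source tree $3.
# Returns 0 only when every file came back byte-for-byte; otherwise prints the
# differing manifest lines to stderr and returns 1. A corrupt or truncated
# archive, or files that were renamed/garbled after the backup was taken,
# all show up as a mismatch. Run it right after the backup completes, or
# against a snapshot, so ordinary edits to live data are not flagged.
verify_restore() {
    archive=$1; scratch=$2; src=$3
    tar -C "$scratch" -xf "$archive"
    want=$(mktemp); got=$(mktemp)
    tree_manifest "$src" > "$want"
    tree_manifest "$scratch" > "$got"
    if cmp -s "$want" "$got"; then
        rm -f "$want" "$got"
        return 0
    fi
    echo "restore check FAILED for $archive" >&2
    diff "$want" "$got" >&2 || true
    rm -f "$want" "$got"
    return 1
}

# Usage: sh restore-check.sh /path/to/data /path/to/backup.tar
# Schedule it (cron or similar) so the test is automated, as the rules above say.
if [ $# -eq 2 ]; then
    scratch=$(mktemp -d)
    make_backup "$1" "$2"
    if verify_restore "$2" "$scratch" "$1"; then
        echo "restore check passed: $2 restores cleanly"
    fi
    rm -rf "$scratch"
fi
```

A passing run proves the archive is readable and complete at the time of the test; keep the archive copy itself on offline or offsite media, as the 3-2-1 rule requires, so the copy you tested is not the one an attacker can reach.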

2. Updated Software

Most attacks exploit known vulnerabilities in unpatched software.

Keep updated:

  • Windows/macOS (automatic updates on)
  • All applications (especially browsers, Office, PDF readers)
  • Firmware (routers, network devices)
  • Third-party software

Retire old software:

  • Windows 7 and 8 are security risks
  • Unsupported software doesn't get patches
  • Upgrade or replace

3. Human Awareness

Most ransomware arrives via phishing emails.

Train staff to:

  • Recognise suspicious emails
  • Not click unknown links
  • Verify unexpected requests
  • Report anything suspicious
  • Think before acting

Additional Protection

Email security:

  • Enable spam filtering
  • Block dangerous attachments (.exe, .js, macros)
  • Consider advanced email protection (Microsoft Defender, Proofpoint)

Endpoint protection:

  • Use business-grade antivirus (not just Windows Defender)
  • Consider EDR (Endpoint Detection and Response) for better protection
  • Keep definitions updated

Access control:

  • Principle of least privilege (people only access what they need)
  • Remove admin rights from everyday accounts
  • Strong, unique passwords everywhere
  • Multi-factor authentication (MFA) everywhere possible

Network security:

  • Firewall properly configured
  • Segment networks if possible
  • Disable unused services
  • Secure remote access (VPN, not exposed RDP)

Microsoft 365/Google Workspace:

  • Enable built-in security features
  • Configure data loss prevention
  • Use audit logging

What It Costs to Protect vs Recover

Prevention Costs (Annual)

Item                              Approximate Cost
Cloud backup (per computer)       £50-100
Business antivirus (per user)     £30-60
Staff security training           £20-50/user
Security audit (small business)   £500-2,000
Cyber insurance                   £300-1,000
Total (10-person business)        £2,000-5,000/year

Recovery Costs (Per Incident)

Item                              Approximate Cost
Ransom (if paid)                  £10,000-50,000+
IT recovery/rebuild               £5,000-20,000
Downtime (per day)                £1,000-10,000+
Legal/compliance                  £2,000-10,000
Reputation damage                 Incalculable
Total                             £20,000-100,000+

Prevention is dramatically cheaper than recovery.

Cyber Insurance

What It Covers

Cyber insurance can cover:

  • Incident response costs
  • Data recovery expenses
  • Business interruption
  • Legal fees
  • Regulatory fines (sometimes)
  • Ransom payments (sometimes, controversial)
  • PR/reputation management

Should You Get It?

Consider cyber insurance if:

  • You handle customer data
  • Downtime would be costly
  • You can't afford major recovery costs
  • Your industry has compliance requirements

Cost: £300-1,000/year for small businesses (varies significantly).

Important: Insurance doesn't replace security. Many policies require you to have basic protections in place.

The Bottom Line

Ransomware is a real threat, but it's not inevitable:

To prevent it:

1. Maintain good, tested, offline backups

2. Keep all software updated

3. Train staff to recognise phishing

4. Use proper security tools

5. Consider cyber insurance

If it happens:

1. Disconnect but don't power off

2. Check backups

3. Report to authorities

4. Get professional help if needed

5. Only pay as absolute last resort

Remember:

  • With backups, ransomware is a setback, not a disaster
  • Prevention costs a fraction of recovery
  • Most attacks succeed because of basics not being done

Don't wait until you're a victim. Check your backups today.

Frequently Asked Questions

How does ransomware get in?

Most commonly: phishing emails (fake invoices, delivery notifications, urgent requests with malicious attachments or links). Also: vulnerable software (unpatched systems), compromised websites, exposed remote desktop (RDP), infected USB drives, supply chain attacks. Phishing is responsible for 80%+ of ransomware infections—human error is the biggest weakness.

Can antivirus stop ransomware?

Traditional antivirus catches known ransomware but often misses new variants. Modern endpoint protection (EDR—Endpoint Detection and Response) is better at detecting suspicious behaviour even from unknown malware. No solution is 100% effective. Antivirus is one layer; backups, updates, and user awareness are equally important.

What if my backups were also encrypted?

This happens when backups were connected during the attack. That's why offline/offsite backups matter—a backup on an external drive that's disconnected, or cloud backup the attackers didn't have credentials for. If all backups are encrypted, options narrow to professional recovery attempts, free decryption tools (if available), or paying the ransom.

Is it illegal to pay ransomware demands?

Generally not illegal in the UK, but it's complicated. Payments to sanctioned criminal groups could violate sanctions law. OFSI (Office of Financial Sanctions Implementation) guidance suggests checking sanctions lists. Insurance companies may or may not cover ransom payments. Government strongly advises against paying. Get legal and professional advice before paying.

How long does recovery take?

With good backups: days to a week for most small businesses. Without backups: weeks to months, if full recovery is even possible. Average downtime across all ransomware incidents is 21 days. Critical systems might be restored faster; full recovery (all data, all systems, all normal operations) takes longer. Plan for extended disruption.

Should I negotiate with the attackers?

If you're considering paying (as a last resort), negotiation often reduces the demand—sometimes by 50-70%. Attackers expect negotiation. Use professional negotiators if possible (incident response firms offer this). Never pay the initial demand. But remember: negotiation doesn't guarantee you'll get your data back.

About the Author

CTC Editorial (Editorial Team)

The Compare the Cloud editorial team brings you expert analysis and insights on cloud computing, digital transformation, and emerging technologies.