Ransomware is malicious software that blocks access to systems or encrypts files until a payment is made. It has become one of the most common cyber threats facing UK businesses. According to the UK Government Cyber Security Breaches Survey, ransomware attacks are increasingly reported by organisations of all sizes.
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024

The National Cyber Security Centre (NCSC) warns that organisations should prioritise containment and recovery rather than panic or paying criminals.
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Cyber security researcher Professor Alan Woodward (University of Surrey) has repeatedly emphasised: “Paying ransomware does not guarantee you will get your data back and it encourages further criminal activity.”

Recognising a Ransomware Attack

Typical ransomware signs include:

- files suddenly becoming inaccessible
- file extensions changing
- a message demanding payment in cryptocurrency
- a locked desktop screen
- warnings that data will be deleted or leaked

If this appears on one machine, the infection may already be attempting to spread across the network. Time matters.

Step 1: Do Not Blame the Employee

Encourage Immediate Reporting

The employee did the correct thing by reporting the issue. Punishing staff for reporting incidents discourages future reporting and increases the chance of larger breaches.

Instead:

- thank them for reporting it
- reassure them they are not in trouble
- focus on solving the problem

Security experts often stress that staff awareness and early reporting are essential defences against ransomware.

Step 2: Immediately Isolate the Computer

Disconnect the Device

The infected computer must be isolated immediately.

Actions to take:

- unplug the network cable
- disconnect Wi-Fi
- remove external drives
- stop the machine communicating with other devices

Do not reconnect the device to the network until the incident is fully investigated.

The NCSC advises isolating affected systems quickly to prevent malware spreading across networks.
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Step 3: Do Not Pay the Ransom

Paying Criminals Is Risky

Many ransomware messages demand payment in cryptocurrency. However:

- payment does not guarantee data recovery
- attackers may demand more money
- you may still suffer data theft
- payments fund organised cyber crime

The NCSC strongly discourages paying ransomware demands.
https://www.ncsc.gov.uk/ransomware/home

Step 4: Check Other Computers Immediately

Look for Signs of Infection

Quickly check whether other machines show signs of ransomware.

Look for:

- strange file extensions
- locked files
- ransom messages
- extremely slow systems
- suspicious background processes

If multiple machines are affected, disconnect them from the network immediately.

Step 5: Preserve Evidence

Do Not Immediately Reset the Machine

It may be tempting to wipe the computer immediately, but evidence should be preserved.

Useful evidence includes:

- screenshots of the ransom message
- file names or extensions changed by the malware
- timestamps of the incident
- suspicious emails or downloads

This information helps identify the ransomware strain and determine recovery options.

Step 6: Seek Professional Cyber Security Help

External Expertise Is Essential

Because your business has no IT support, professional assistance is important.

Possible sources include:

- cyber security consultancies
- managed IT service providers
- cyber insurance incident response teams

External specialists can determine:

- how the infection entered the system
- whether data was stolen
- whether other systems are compromised

Step 7: Report the Incident

UK Cyber Incident Reporting

Serious cyber incidents can be reported through official UK channels. The National Cyber Security Centre provides guidance and reporting routes.
https://www.ncsc.gov.uk/section/respond-recover/report

If customer or employee data may be compromised, you may also need to report the incident to the Information Commissioner’s Office (ICO).
https://ico.org.uk/for-organisations/report-a-breach

Step 8: Recover Systems Carefully

Restoring the Business

Recovery steps may include:

- restoring files from backups
- reinstalling operating systems
- updating security software
- resetting passwords across all systems
- installing stronger protections

Systems should only reconnect to the network once they are verified as clean.

How Small Businesses Can Reduce Future Ransomware Risk

Many ransomware attacks succeed because of basic weaknesses.

Important protections include:

- regular offline backups
- software updates and patching
- antivirus or endpoint security tools
- multi-factor authentication
- phishing awareness training

The NCSC Small Business Cyber Security Guide provides practical steps for improving security.
https://www.ncsc.gov.uk/collection/small-business-guide

Final Thoughts

Discovering ransomware on a work computer can be frightening, especially for a small business without IT staff.

However, the correct response is straightforward:

- isolate the infected device
- check other systems immediately
- preserve evidence
- seek expert assistance
- report the incident if necessary
- restore systems safely

Perhaps the most important lesson is this: employees should never fear reporting cyber incidents. Early reporting often prevents a small ransomware infection from becoming a business-wide disaster. And that difference can determine whether the company experiences a brief disruption or a catastrophic shutdown.
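
The file-based signs in Step 4 and the evidence list in Step 5 (changed file names, extensions and timestamps) can be gathered in one read-only pass over a folder. This is an added example, not part of the original article; the keyword list, the known-extension set and the `.lockd` extension in the sample are assumptions constructed for illustration.

```python
import json, os, tempfile, time
from collections import Counter

# Assumptions for illustration (not from the article): note keywords and the
# set of extensions this business normally uses.
NOTE_KEYWORDS = ("readme", "decrypt", "recover", "restore", "ransom")
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv"}

def triage(root, since_epoch, min_cluster=3):
    """Read-only walk of root; report files modified at or after since_epoch."""
    notes, unfamiliar, counts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip rather than abort
            if st.st_mtime < since_epoch:
                continue
            stem, ext = os.path.splitext(name.lower())
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))
            entry = {"path": path, "modified_utc": stamp, "size": st.st_size}
            if ext in (".txt", ".html", ".hta") and any(k in stem for k in NOTE_KEYWORDS):
                notes.append(entry)
            elif ext not in KNOWN_EXTENSIONS:
                counts[ext] += 1
                unfamiliar.append((ext, entry))
    # One odd file is noise; many files sharing one new extension is the pattern.
    clusters = {e: n for e, n in counts.items() if n >= min_cluster}
    return {"possible_ransom_notes": notes,
            "suspicious_extensions": clusters,
            "affected_files": [f for e, f in unfamiliar if e in clusters]}

def make_constructed_sample(root):
    """Create harmless, constructed files that mimic the signs described."""
    for name in ("invoice.xlsx.lockd", "report.docx.lockd", "photo.jpg.lockd",
                 "HOW_TO_DECRYPT.txt", "minutes.docx", "setup.tmp"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        make_constructed_sample(sample)
        print(json.dumps(triage(sample, since_epoch=time.time() - 3600), indent=2))
```

The script never writes to or modifies the files it inspects, so it can be run on the isolated machine or on a copy of its files, and the JSON output kept alongside the screenshots.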