What Is a Ransomware Attack and How Can It Be Prevented?

Written by

Chris Wilson
Systems and Compliance Officer
Chris managed the development and deployment of many Nexus software projects, before turning to work in Nexus’s internal business processes. His work on Nexus’s internal compliance involves subjects like data protection, client contracts and information security. He also selects and administers some of Nexus’s business systems.

We deal with cyber security incidents regularly, and the past year has been no exception. We’ve assisted multiple organisations facing catastrophic cyber attacks, incidents that, without rapid intervention, could have led to business closures. While we always strive for full recovery, the impact of these attacks is profound, long-lasting, and often underestimated until it’s too late. 

Ransomware is no longer a possible risk discussed in boardrooms or industry reports. It is a fact for many organisations, and one that can fundamentally alter the trajectory of a business overnight.

One recent conversation with Joseph Ross from the Cyber Resilience Centre for the Southwest reinforced just how difficult it can be to get organisations to truly understand the real dangers posed by cyber criminals, especially before something goes wrong. That’s why this article exists: to share lessons learned not just from responding to attacks, but from helping businesses strengthen their defences before disaster strikes.

The Growing Threat of Cyber Crime

Cyber attacks are no longer rare, nor are they only aimed at large corporations with deep pockets. We’ve seen a significant increase in incidents affecting organisations of all sizes, mirroring global trends where cyber criminals, from organised gangs to state-backed hackers, are ramping up their operations.

According to Verizon’s 2025 Data Breach Investigations Report, ransomware was present in 44% of all breaches, representing a 37% increase compared to 2024. Even more concerning is how disproportionately ransomware affects smaller organisations: for small and mid-sized businesses, ransomware was involved in 88% of breaches, compared to 39% in larger enterprises.

In the last 12 months alone, we’ve dealt with multiple major ransomware attacks that would have been business-ending events without our intervention. 

The reality is simple: no organisation is immune.


What Happens in a Ransomware Attack?

When ransomware hits, business stops.

  • Your data is encrypted and inaccessible.
  • Your IT infrastructure, servers, storage, laptops, desktops and firewalls become compromised.
  • Even cloud data could be infected, waiting to trigger further damage.
  • You may have been compromised for weeks or months before noticing, making it difficult to find a clean backup.

For business leaders, the stress of a cyber attack is overwhelming. One business owner we spoke with during an attack asked us, “Do I still have a business?”

At the start of the day, we feared the answer was no. By midday, we still didn’t know. That’s the brutal reality of a ransomware attack.

It was a devastating moment. This business employed over 50 people, and if it collapsed, the impact would have rippled through their employees, customers, and community. The stakes weren’t just financial; they were personal.

The emotional toll of an attack can be life-changing. Some business owners never fully recover from the stress, and for many, it fundamentally alters who they are. Cyber crime isn’t just about data; it’s about livelihoods.

Real-World Impact of Ransomware

The scale of ransomware impact in 2025 is best understood through real incidents:

PowerSchool

One of the most significant ransomware attacks of 2024 began in late December 2024, when the K-12 education software provider was breached. The attack exposed data relating to 62 million students and 9.5 million teachers across North America.

Yale New Haven Health

In March 2025, a ransomware attack compromised the personal data of 5.6 million patients. By October, the organisation agreed to an $18 million settlement following a class-action lawsuit.

NASCAR

In April 2025, the Medusa ransomware gang stole more than 1TB of sensitive data, issuing a $4 million ransom demand.

DaVita

One of the largest kidney care providers in the US was hit in April 2025, exposing the personal and health information of 2.7 million individuals.

Marks & Spencer

In May 2025, an attack by the Pay2Key ransomware group disrupted operations. The retailer later disclosed a 99% drop in pre-tax profit over six months.

These incidents demonstrate a crucial point: ransomware isn’t an IT problem; it’s a business crisis.

Industries Most Targeted by Ransomware

Ransomware doesn’t discriminate by sector, but certain industries are targeted more heavily due to operational pressure and data sensitivity. Most affected industries include:

  • Education
  • Healthcare
  • Central and local government
  • Construction and property
  • Manufacturing and production
  • IT, technology and telecoms
  • Financial and professional services
  • Retail
  • Energy and utilities
  • Transport and distribution.

Attackers know which sectors can’t afford downtime, and they exploit that pressure.

What to Expect If You’re Hit

1. It’s Your Incident. You Make the Decisions

Nexus will guide, advise, and support you, but ultimately, you own the incident. Decisions around recovery, communication, and next steps sit with the business. This can be daunting, especially under extreme pressure.

2. Insurance Matters — But It’s Not a Quick Fix

Contact your insurer immediately. Understand what’s covered, what isn’t, and what excess applies. Recovery costs go far beyond IT rebuilds. Lost revenue, reputational damage, legal fees, and downtime often far exceed the ransom itself.


3. Backups Are Your Lifeline

Where are your backups stored? Are they viable? Without them, data recovery may be impossible. But even if you have backups, how far back do you need to go to find a ‘clean’ one?

4. Recovery is More than Restoring Data

Rebuilding your infrastructure takes time. You may need to:

  • Wipe and rebuild every desktop, laptop, and server.
  • Restore your line-of-business tools and deal with data loss since your last good backup.
  • Analyse your environment to determine how the attackers got in.
  • Close security gaps. Was it an open firewall port? A misconfigured VPN? A phishing email? If you don’t know, everything needs checking.

Forensic analysis of your environment may show how the attack occurred, so you can close the gap that allowed entry. However, if you don’t know how it happened, you might need to review every device you have and its configuration. All the while, the world keeps turning, but your operations and revenue are likely on full hold. Your reputation and cash flow take an immediate hit.

5. Security Tools Alone Won’t Save You — Configuration Matters

If security tools alone were enough, the attack wouldn’t have succeeded. Having security solutions in place isn’t a silver bullet; how they are configured matters. Poor setup can leave critical gaps, making an attack inevitable. A firewall might be in place, but if it’s accessible from the internet with a default or commonly known username and password, it’s as good as open. Ask yourself these questions:

  • Do you have Extended Detection and Response (XDR)?
  • Do you use Security Operations Centre (SOC) monitoring?
  • Are your security tools deployed and configured correctly?
  • When was the last time your cyber security solution was updated?

One company we helped had an expensive system in place, but hadn’t installed security patches for four years, some of which were critical and mandatory. Misconfigured security is no security at all. Are you confident yours is set up correctly?

6. If a Breach Happens, You Must Report It

If your organisation suffers a data breach, you may be legally required to report it to the Information Commissioner’s Office (ICO) within 72 hours. Failing to do so could result in significant fines and reputational damage. The clock starts ticking the moment you become aware of the breach. A breach should be reported if it could lead to:

  • Financial loss (e.g., identity theft, fraud).
  • Discrimination or reputational damage.
  • Loss of confidentiality (e.g. personal details exposed).
  • Other significant harm to individuals.

If the breach does not pose a risk to individuals’ rights, you do not have to report it, but you must document it internally. Ask yourself:

  • Can you quickly determine what data has been exposed?
  • Do you have an incident response plan in place?
  • Are you prepared to assess whether a breach meets reporting thresholds?

Even the best security can’t prevent every attack, but a well-prepared response can limit the damage and ensure compliance. Are you ready?

Key Lessons from the Frontlines

1. Structured Communication Is Crucial

We’ve refined how we communicate during incidents to ensure clear, structured updates for business leaders and stakeholders, reducing stress and preventing confusion.

2. Insurance-Appointed IT Can Delay Recovery

When you contact your insurer, they will likely appoint their own IT firm. Be prepared for potential challenges:

  • Some firms recommend paying the ransom to stop data leaks.
  • Some delay recovery as they insist on forensic investigations – this can add days to your business recovery.
  • Some refuse to reconnect IT systems until they complete external security scans, sometimes adding days of potentially unjustified downtime.

It’s important that you involve your insurance company as soon as possible, but being aware of these potential conversations can ease the situation.

3. Document Everything

Take screenshots of ransom notes, log key actions, and maintain detailed records. This helps with insurance claims and legal processes.

The Cost of Ransomware

Ransom demands vary widely:


But ransom is only part of the cost. Downtime, legal exposure, reputational damage, and lost trust often exceed the ransom itself.

How to Protect Your Business Before an Attack

Prevention is always better than cure. The following list is nowhere near comprehensive and assumes that you already have the basics, such as Multi-Factor Authentication (MFA), in place and enforced. However, as a starting point, you and your IT team should:

1. Review Your Security Solutions

  • Traditional antivirus is no longer enough—invest in EDR/XDR solutions.
  • Conduct regular phishing simulations to train staff.

At Nexus, we send simulated phishing emails to our customers, not to try and catch them out, but to help them understand what they can and, importantly, CAN’T trust. Many attacks start with someone clicking a link they shouldn’t, and it cascades from there.

2. Lock Down Your IT Environment

  • Configure Conditional Access to halt suspicious and out-of-area logins with Microsoft 365
  • Restrict remote access – are there tight controls on your network from outside?
  • Ensure firewalls are configured correctly—are legacy ports still open?

3. Eliminate Local Admin Access

A single click on a malicious link shouldn’t give attackers free rein over your system.

4. Keep Everything Patched & Updated

It’s important that your environment is kept up to date and patched. This doesn’t just mean making sure your machines receive Windows updates; all your hardware needs updating as well.

  • Ensure servers, firewalls, and security tools are up to date.
  • Plan for Windows 10 end-of-life in October 2025—unsupported systems are a huge risk.

5. Test Your Backups — Don’t Just Assume They Work

If you experience a ransomware event, the first thing the attackers go after is the backups. So, ask yourself:

  • Are my backups air-gapped, encrypted and immutable?
  • Have I tested a full disaster recovery (DR) scenario?
  • Could an attacker delete my backups?
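
One way to act on the backup questions above, as an added example that is not Nexus’s own tooling: a SHA-256 manifest is recorded at backup time, and every file is later read back out of the archive and compared with it, so a backup that captured already-altered, missing or truncated data fails the check. The in-memory tar.gz archives, file names and function names are constructed for illustration.

```python
import hashlib
import io
import tarfile
import zlib


def make_archive(files):
    """Build an in-memory tar.gz from {name: bytes} (stands in for a real backup job)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_manifest(files):
    """SHA-256 per file, recorded at backup time and kept apart from the backup."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_backup(archive_bytes, manifest):
    """Read every file back out of the archive and compare it with the manifest."""
    report = {"ok": [], "corrupted": [], "unexpected": [], "error": None}
    seen = set()
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                if member.name not in manifest:
                    report["unexpected"].append(member.name)
                elif digest == manifest[member.name]:
                    report["ok"].append(member.name)
                else:
                    report["corrupted"].append(member.name)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"  # unreadable or truncated
    report["missing"] = sorted(set(manifest) - seen)
    report["restorable"] = not (report["corrupted"] or report["missing"] or report["error"])
    return report


# Constructed sample data: what production held when the manifest was recorded.
ORIGINAL = {"finance/ledger.csv": b"date,amount\n2025-01-03,120.00\n",
            "hr/staff.txt": b"constructed sample record\n",
            "crm/contacts.json": b'{"contacts": []}\n'}

if __name__ == "__main__":
    manifest = make_manifest(ORIGINAL)
    # A later backup that captured an already-altered ledger and lost one file.
    later = {"finance/ledger.csv": b"\x8f\x02 altered bytes", "hr/staff.txt": ORIGINAL["hr/staff.txt"]}
    print(verify_backup(make_archive(ORIGINAL), manifest)["restorable"])
    print(verify_backup(make_archive(later), manifest))
```

This checks readability and integrity only; a full disaster recovery test still means restoring onto real systems.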

6. Check Your Insurance Coverage

Cyber insurance can be a safety net, but only if you meet the policy’s security requirements. Insurers are becoming stricter, and failing to comply with specific conditions could mean your claim is denied. One of our clients had a policy requiring every site to have a Next-Gen Firewall. They met this requirement—but many businesses wouldn’t. Common policy requirements include:

  • Multi-Factor Authentication (MFA) on all critical systems
  • Regular patching and software updates
  • Endpoint Detection & Response (EDR) solutions
  • Security awareness training for employees
  • Encrypted backups stored offsite.

Failing to comply, even unknowingly, could leave you without financial protection after an attack. Have you reviewed your policy’s fine print? Are you meeting your insurer’s security conditions?

The Future of Ransomware

Ransomware is evolving rapidly, and the next wave of attacks is likely to be faster, more automated, and significantly harder to stop once initiated. 

Security researchers are already seeing cyber criminals use AI and automation to accelerate every stage of an attack, from reconnaissance and phishing to lateral movement and data exfiltration. This means organisations may have minutes, not days, to detect and respond before critical systems are encrypted. 

At the same time, attackers are diversifying their entry points. Voice-based social engineering, or “vishing”, is expected to rise as criminals use convincing AI-generated voices to impersonate executives, IT teams, or suppliers and trick employees into granting access or bypassing controls. 

Generative AI is also making phishing campaigns more convincing than ever, removing the spelling mistakes and awkward phrasing that once served as warning signs. 

Combined, these trends point to a future where ransomware attacks are not only more frequent but also more targeted, persistent, and psychologically sophisticated. 

For businesses, this shows that prevention can no longer rely solely on perimeter defences or reactive tools. Continuous monitoring, strong identity controls, regular staff training, and well-rehearsed incident response plans will be essential to keeping pace with an increasingly aggressive and intelligent threat landscape.

Final Thoughts

Cyber crime is indiscriminate. It doesn’t matter what industry you’re in or how big (or small) your company is; you are a target. Attackers don’t care about your business, only the money they can make from it.

The best defence? Preparation. Invest in security, train your staff, test your backups, and review your insurance. Hope for the best, but plan for the worst. Because when ransomware strikes, the businesses that survive are the ones that were ready.


How We Can Help

You don’t have to face ransomware alone. When an attack hits, the difference between disruption and recovery often comes down to preparation, experience, and the speed of response.

At Nexus Open Systems, we work with organisations across England and Wales to reduce ransomware risk before it becomes a crisis, and to support rapid, structured recovery when it does. From strengthening day-to-day security controls and improving visibility, to responding decisively during an incident, our focus is on protecting your business, your people, and your ability to operate.

If you’re unsure how resilient your organisation really is, or want expert guidance on strengthening your defences, now is the right time to act.

Contact us to speak with our cyber security specialists and take the first step toward stronger, more resilient protection.

 
