DragonForce ransomware: How to avoid ransomware attacks

16th May 2025 | 10 min read

Cyber attacks are becoming increasingly common for businesses. But it’s all too easy to ignore the risk and assume it will never happen to you – until it does.

In recent weeks, we’ve seen many retailers face the worst-case scenario, after being hit with well-publicised, disruptive cyber attacks. Marks & Spencer and Co-op are just two of them.

These incidents were the result of a specific ransomware attack known as DragonForce. More generally, ransomware is on the rise: data from Sophos found that the majority of organisations (59%) were affected by ransomware in 2024.

Given the ramifications, every business should be keen to avoid similar instances. In this blog, we explore how to avoid ransomware attacks with practical tips.

Exploring a real-life example: DragonForce ransomware

In April 2025, M&S were hit by a cyber attack that caused issues with online orders and card payments.

This was later confirmed to be a ransomware attack, driven by DragonForce, a Ransomware-as-a-Service (RaaS) group. They develop the ransomware and provide infrastructure for affiliates to conduct attacks, taking a cut of the ransom. They are noted for their aggressive tactics.

Co-op and Harrods were hit by the same attack, though this was less publicised than the M&S incident. The impact of these successful attacks is not yet fully known, but is thought to be extensive.

Both M&S and Co-op experienced multi-day outages of e-commerce platforms, payment systems and internal operations. Harrods took precautionary measures that impacted internet access. One expert predicted M&S were facing daily losses of millions of pounds due to the disruption and a 12% drop in profits.

Weeks after the initial attack, M&S confirmed that customer data had been stolen, causing concern for customers and potential long-term relationship damage. DragonForce themselves have claimed to have stolen significant amounts of customer and employee data from the targeted retailers.

More worryingly, the attack could have been avoided. Reports suggest that, in the M&S attack, social engineering of service desks was used to gain initial access, with the attacker impersonating a member of the IT team. Social engineering and phishing are common tactics used for ransomware – and having aware, vigilant staff can be crucial to protection.

How does ransomware work?

Before we explore how to avoid ransomware, it’s worth knowing how it works.

Ransomware is a type of malicious software (malware) that, once it infects a computer or network, prevents users from accessing their systems or files. Here are the three steps of an attack:

• Infiltration: Ransomware gets into a system through methods like phishing emails, exploiting software flaws, or malicious websites
• Lockdown: Once inside, it encrypts files, making them unusable and may also target backups
• Extortion: The target organisation is notified with a ransom demand, usually requiring payment (often in cryptocurrency) for the decryption key

Cyber security experts generally advise not to pay ransoms as there is no guarantee the risk will end. While paying might lead to the recovery of your data, it does not eliminate potential future attacks or further ransoms. If your data has already been stolen, this can also be sold and used by attackers again.

What are the implications of a successful ransomware attack?

As evidenced in the recent retail attacks, there are many negative implications if your business falls victim to ransomware.

The most concerning will be the financial loss. Sophos estimate a 5 times increase in ransom bills over the last 12 months, showing attackers are asking for more. The predicted cost of an attack now sits at $2 million for the ransom alone, with a further $2.73 million in recovery costs. That’s a significant cost for any business – and one smaller organisations may be unable to afford.

Alongside the financial aspect, businesses can expect to face:

  • Operational disruption: In the event of a ransomware attack, you may find yourself locked out of core systems, preventing tasks from being completed. In some cases, you may need to turn off functions to prevent the risk spreading. This can lead to widespread disruption and declining productivity.
  • Data theft: Once criminals have access to your systems, they can steal data including your IP (which can be passed to competitors) or customer information (which can be sold on). It is often impossible to recover this data.
  • Non-compliance: If customer data is breached, you may find yourself non-compliant with GDPR and other core data regulations. As a result, you can be subject to fines, which can deepen the financial impact.
  • Reputational damage: If a ransomware attack on your business becomes public knowledge, it could lead to security concerns from partners and customers. If data is leaked, like in the M&S example, people may be less likely to purchase from you in the future.

Due to these implications, it’s crucial to avoid ransomware before it infiltrates your business.

6 steps to avoid ransomware

If you want to avoid ransomware attacks in your business, here are the steps you need to follow:

1. Implement strong cyber security practices

Having a strong security posture is crucial for identifying and warding off ransomware attempts. One of the most important things you can do is regularly update your software and operating systems to patch vulnerabilities. Unpatched vulnerabilities are the entry point for 32% of ransomware attacks, so staying on top of patching is critical. Where possible, turn on automatic updates as this ensures systems are constantly kept up to date without manual intervention.

Next, you’ll want to install and maintain robust antivirus and anti-malware software. This provides real-time protection against known threats. Again, ensure you keep the software and its signature databases up to date. There should be a particular focus on email security, as phishing emails are a common tactic used by cyber criminals. Implement software that can filter out malicious emails, including those used for phishing and malware distribution.

Another crucial practice to implement is the use of strong, unique passwords and multi-factor authentication (MFA). This makes it significantly harder for attackers to gain unauthorised access to accounts. Apply MFA to all critical services, including email, VPNs and administrative accounts to ensure there is no route in.

If you are looking to strengthen your cyber security baseline, consider packages like Secure Core. These will offer you the protocols you need, like MFA, antivirus and vulnerability patching, in one convenient package.

2. Empower staff through security awareness training

In the M&S example, disaster could have been avoided if staff recognised the social engineering tactics being used. Your employees will always be your first line of defence, so arming them with the correct knowledge is critical.

First, educate employees about phishing and social engineering tactics. This can be done through regular training sessions to help them identify suspicious emails, links, attachments and other manipulative techniques. In short, you want to prepare them for the warning signs of an attack.

To test readiness, it’s also advised to simulate phishing attacks. This will review employees’ awareness and reinforce training through simulated scenarios, so you can refine your approach before a real-life attempt happens.

In general, you must promote a security-conscious culture. Encourage employees to report anything suspicious, no matter how small, to the appropriate person (ideally someone internally who is responsible for cyber security). If they think they’ve fallen victim to an attack (like clicking a suspicious link), ensure they can report it without fear of reprimand.

3. Manage network access and segmentation

Carefully controlling permissions and access across your data can minimise the risk of it falling into the wrong hands. To do this, grant users only the necessary permissions to perform their jobs (known as the principle of least privilege). This will enable them to be productive without making them a risk for leaking sensitive information.

You should also implement network segmentation. By dividing the network into isolated zones, you can limit the potential spread of ransomware if one segment is compromised. This can be done with firewalls or network segmentation tools.

4. Implement data backup and recovery plans

Data backup and recovery can be crucial to restoring your business if a ransomware or other attack does penetrate your systems. Try to follow the 3-2-1 rule: have at least three copies of your data, on two different storage media, with one copy stored offline. While this may seem excessive, you’ll be thankful if you ever need it.

Aim to test your backups regularly. Ensure that you can reliably restore data from your backups in a timely manner. Offline backups are crucial as ransomware often targets network-connected backups. This will enable you to recover faster in the event of an attack.

5. Enhance endpoint security

Endpoints like desktops, laptops and mobile devices are often entry points for ransomware. So, it’s crucial to protect them. Endpoint detection and response solutions (like Microsoft Defender) offer advanced threat monitoring and response, allowing you to proactively address incoming threats.

You should also consider application whitelisting. Allow only approved applications to run on systems, preventing the execution of unauthorised and potentially malicious software.

As part of this exercise, you should also consider limiting app approval to admins only. In the AI era, this prevents malicious AI bots sneaking into virtual meetings or other internal areas to peruse your data (often finding their way from free trials or hidden behind other apps).

6. Develop an incident response plan

A well-defined incident response plan for ransomware is crucial for minimising damage and ensuring a swift recovery.

Within this plan, have steps covering:

  • Identification of the attack (such as alerts from your antivirus software or unusual network activity)
  • Containment (prevent the ransomware from spreading further across your network by isolating systems or shutting down vulnerable services)
  • Eradication (removing the ransomware from the affected systems, using anti-malware tools and reimaging compromised machines)
  • Recovery (restoring your systems and data to a clean state in a controlled manner, using your backups)
  • Thorough post-incident analysis to identify the root cause and improve security measures to prevent future attacks

By thinking about this in advance, you can speed up recovery even when panic mode hits.

Protect your business against the negative implications of ransomware

It’s clear that ransomware poses a significant threat for your business, especially if you don’t spot the warning signs before it’s too late.

In almost every ransomware scenario – and as shown in the DragonForce scenario – attackers are after your data. Unfortunately, the theft of data can bring significant financial gain to criminals – and significant losses to your business.

With the rise of AI and digitalisation, businesses have more data than ever, and the risk has never been higher. If you fail to adequately protect data, you face non-compliance, fines, loss of customer trust and reputational damage.

Protecting your data now is key. If you want to learn more about how to protect your valuable data, our experts share their insights, practical tips and recommended tools in the video below:
