
Ransomware: SME guide to protection, prevention and response

Monique Holtman

While the digital world has transformed the way many businesses operate, it has also brought about a new set of risks.

Cyber attacks are becoming increasingly common and while all potential threats should be taken seriously, ransomware is a growing concern. These attacks are costing UK businesses a staggering £346 million a year. Every 14 seconds a business falls victim to a ransomware attack and this is expected to increase to one every 11 seconds by 2021.

It’s easy for SMEs to be complacent about cyber attacks. After all, who’s going to target your company when bigger businesses have a lot more money to hand over? Sadly, this isn’t the case. 71% of ransomware attacks are aimed at SMEs because hackers are well aware that smaller organisations often aren’t as prepared or protected.

What is ransomware?

Ransomware is a form of malware which encrypts a victim’s files. If you suffer an attack, you won’t be able to access your data until you pay a ransom. As well as denying you access to your information, attackers may also threaten to publish the stolen data.

Costs can range from hundreds to thousands of pounds and while you’re supposed to get a decryption key once you’ve paid, more than half of companies targeted still can’t retrieve their files and data after paying the ransom.

A ransomware attack can present itself in a number of ways. You may get a pop-up telling you that your files have been encrypted or locked and that you need to pay a fee to get them back such as in the example below.

[Image: ransomware example]

How do ransomware attacks occur?

Ransomware can infect your device in a number of ways. Some common methods include:

  • Malicious email attachments with double-file extensions. These then encrypt files on fixed, removable and network drives
  • Infected files which, when downloaded, silently launch a macro that encrypts files on the victim’s computer
  • One of the most destructive types of ransomware is known as Jigsaw. This encrypts and deletes files until a ransom is paid. Files are typically deleted on an hourly basis until 72 hours when all remaining files are deleted
  • Fake Adobe Flash updates on compromised websites
  • Drive-by downloading. This occurs when a user unknowingly visits an infected website where malware is downloaded and installed without the user’s knowledge
  • Unpatched vulnerabilities in software. A famous example of this is the attack which brought the NHS to a standstill for several days back in 2017. Most of the NHS devices infected were found to be running the supported, but unpatched, Microsoft Windows 7 operating system. While no ransom was paid, it’s thought that the disruption cost the NHS an eye-watering £92 million
  • Emails containing fake invoices. When a user opens the attachment, the invoice gets deleted automatically and the victim is told to enable macros to read the document. When you enable macros, the attack starts encrypting your files

Signs of a ransomware attack

Encryption of files is the last thing that happens in a ransomware attack. Prior to this, cyber criminals will spend weeks, sometimes longer, investigating networks to discover their vulnerabilities. This means there can be signs that an attack is underway.

Not being able to unlock or access your web browser or desktop is the most obvious sign that your system has been infected with ransomware. This will be accompanied by a message telling you how you must pay to unlock your computer or files. If the attack has got to this stage, it is unfortunately too late to stop it.

Some other signs include:

  • Your files have a new file extension appended to their name. There are many examples of this including .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, [email protected]_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or any other extension of 6-7 random characters
  • Unexpected software tools have started appearing on your network
  • Detection of Mimikatz. This is one of the tools often used by hackers along with Microsoft Process Explorer
  • Unexplained administrator accounts have been created. To stop this, look for accounts which have been created outside of your ticketing or account management system. Once an attacker has gained administrator powers, they can spread the virus further
  • Active Directory and domain controllers have been disabled
  • Backups you’ve run have been corrupted
  • Look out for test attacks. Hackers will often run these on a few computers to see if the deployment method and ransomware execute successfully. Even if your security tools pick this up, you may not be in the clear yet because hackers can change their tactics and try again
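The first sign in the list, a new extension appended to file names, can be checked over a file listing from a shared drive. The sketch below is an added example, not code from the original article: it uses a subset of the extensions listed above, treats a 6-7 character extension as suspicious only when it follows an ordinary document extension, and raises an alert only when several files in one folder share the same marker. The document-type list, the threshold of three and the sample paths are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Subset of the extensions listed above, lower-cased for comparison.
KNOWN_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".micro", ".encrypted", ".locked",
    ".crypto", ".crinf", ".r5a", ".xrnt", ".xtbl", ".crypt", ".vault",
    ".toxcrypt", ".supercrypt", ".ctbl", ".ctb2", ".locky",
}
# Assumption: ordinary business file types that an appended extension follows.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
RANDOM_LIKE = re.compile(r"^\.[a-z0-9]{6,7}$")

def classify(path):
    """Return (marker, reason) if the file name looks renamed, else None."""
    name = PureWindowsPath(path).name.lower()
    suffixes = PureWindowsPath(name).suffixes
    last = suffixes[-1] if suffixes else ""
    if last in KNOWN_EXTENSIONS:
        return last, "known"
    if name.endswith("_crypt"):
        return "_crypt", "known"
    # A 6-7 character extension counts only when appended after a normal one.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and RANDOM_LIKE.match(last):
        return last, "random-like"
    return None

def scan(paths, min_hits=3):
    """Alert only when several files in one folder share the same marker."""
    hits = Counter()
    for path in paths:
        verdict = classify(path)
        if verdict:
            hits[(str(PureWindowsPath(path).parent), *verdict)] += 1
    return sorted(key for key, count in hits.items() if count >= min_hits)

# Constructed sample listing (not real data).
SAMPLE_PATHS = [
    r"C:\Shares\Finance\q3.xlsx.locky", r"C:\Shares\Finance\payroll.docx.locky",
    r"C:\Shares\Finance\invoice-104.pdf.locky", r"C:\Shares\HR\handbook.pdf.k3v9qz2",
    r"C:\Shares\HR\rota.xlsx.k3v9qz2", r"C:\Shares\HR\leave.docx.k3v9qz2",
    r"C:\Shares\IT\old-plan.docx.locked", r"C:\Shares\IT\inventory.sqlite",
]

if __name__ == "__main__":
    for folder, marker, reason in scan(SAMPLE_PATHS):
        print(f"ALERT {folder}: several files now end in {marker} ({reason})")
```

A single renamed file stays below the threshold, so the lone .locked file in the IT folder raises no alert, while the Finance and HR folders do.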

How small businesses can protect against and prevent ransomware attacks

Cyber attacks can be incredibly damaging to an organisation. As well as experiencing downtime and affecting productivity, they can cost you valuable profits and damage your reputation.

Fortunately, there are a number of ransomware protection methods you can implement to safeguard your business.

Practice good housekeeping

Educating your employees to practice good housekeeping when it comes to using the internet is a simple yet highly effective method of ransomware protection. This includes:

  • Avoid clicking on links on unfamiliar websites
  • Don’t click links in an email from an unknown sender
  • Don’t open email attachments if you don’t know the sender
  • Only download software or media files from websites you trust
  • Never insert USBs or other removable storage devices into your computer if you don’t know where they’re from
  • Never give out personal details. This information can be used in phishing emails to target you specifically. The more an attacker knows about you, the more convincing scams can be
  • Always use a VPN, especially when on public Wi-Fi
  • Don’t enter personal information or login details while using public Wi-Fi
  • If you don’t use Java and Flash Player, uninstall them. If you only use them occasionally, disable them until you need them

Use mail server content scanning and filtering

Since emails are one of the most common ways for attackers to infiltrate systems, it makes sense to install content scanning and filtering on your mail servers. This software reduces the likelihood of malware-infected emails and attachments reaching inboxes, meaning employees are less likely to open them.
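The kind of rule a mail content filter applies to the attachment types described earlier (double file extensions and macro-enabled documents) can be sketched as follows. This is an added example, not code from the original article or from any mail product: the extension sets, the verdict wording and the sample message are assumptions, and the message is constructed for illustration.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed extension sets for this sketch; tune them to your own mail policy.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm"}

def check_attachment(filename):
    """Return a verdict string for a risky attachment name, else None."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in EXECUTABLE:
        # "invoice.pdf.exe" shows as "invoice.pdf" when extensions are hidden.
        if len(suffixes) >= 2 and suffixes[-2] in DECOY:
            return "quarantine: double extension hides executable"
        return "quarantine: executable attachment"
    if last in MACRO_ENABLED:
        return "hold: macro-enabled Office document"
    return None

def filter_message(msg):
    """Map each flagged attachment file name in a message to its verdict."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = check_attachment(name)
        if verdict:
            verdicts[name] = verdict
    return verdicts

def build_sample():
    """Constructed message with three placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "finance@company.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    for name in ("Invoice_2291.pdf.exe", "Invoice_2291.docm", "terms.pdf"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, verdict in filter_message(build_sample()).items():
        print(f"{name}: {verdict}")
```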

Use security software and keep it updated

Anti-virus software is a must for any business. It offers an extra layer of security when browsing the internet, checking emails and downloading and streaming. It works by blocking infected files and preventing ransomware and other viruses from infecting your computer.

However, don’t forget to keep your software updated. A lot of people ignore updates because they’re in the middle of something or think it’s not important. These updates include the latest patches and protection against newly identified viruses, so installing them is a crucial part of protecting your organisation.

Change settings in Microsoft

When using Microsoft Windows, set the group policy for macro settings to ‘disable macros with notification’. This stops macros from running automatically when a document is opened.

In Office 2013 and 2016, you can edit the group policy settings to block macros from running when using Word, Excel and PowerPoint documents from the internet.

Back up data

You can be as security savvy as they come and still fall victim to an attack. Attacks are getting incredibly smart and can happen to anyone. For this reason, it’s a good idea to have everything backed up.

This ensures you can access any lost data should you fall victim to a ransomware attack. If you’re using an external hard drive, don’t leave it connected to your computer when you’re not using it, otherwise it could become infected too.

It’s a good idea to back everything up in the cloud because this ensures your information is kept safe and that you will be able to retrieve it even if your entire workforce has been infected with ransomware. 

Should I pay the ransom if I fall victim to an attack?

As tempting as it may be to pay the ransom, cyber security experts advise against doing so.

In some cases, attackers can’t actually access your information – they simply have the ability to prevent you from seeing it.

Another reason you should avoid paying is because the majority of victims still don’t get their data back even after making the payment. This puts you further out of pocket and delays getting your business back up and running.

The best thing you can do for the security of your business is to ensure you have significant ransomware protection in place.

The information in this article is for general guidance about cyber security good practice only and is not legal advice.
We have tried to ensure that this guidance is accurate and relevant as at November 2020. However, Nominet UK does not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or failure to use any information contained in this guidance. 
Monique Holtman

After completing her degree in Journalism, Monique began her career at a digital marketing agency. It was here she discovered a passion for online marketing with a particular focus on content creation for the web. Six years ago Monique set up her own copywriting business, Copyworks Group, which specialises in creating content for websites, blogs, newsletters and social media pages.
