Ransomware Isn’t the Disease. It’s Just the Symptom.
The Silence Before the Sirens
It always starts small. An email won't load. The accounting system crawls. Someone mutters something about “the internet being weird.” Then one screen goes red. Then three. Then eight. And just like that, your morning transforms into a waking nightmare.
At 8:06 a.m., Sophie—Operations Manager, de facto tech whisperer, crisis triage officer in all but name—was sipping cold coffee, assuming the glitchy login screen on the finance machine was nothing more than the usual Monday hangover. By 8:15, the entire office had gone quiet. Screens flashed with the same crimson message: files encrypted, systems locked, a Bitcoin ransom demanded. £72,000 if they wanted their business back.
Staff stared. Phones rang. Fingers hovered over keyboards that no longer did anything. The MD barked out orders to call IT. The shared drive had vanished. Printers jammed. Email was dead.
When Sophie reached the IT provider’s voicemail for the fourth time, it was already over. They didn’t know it yet.
The Infection Didn’t Start This Morning
What happened here didn’t begin with that ransom screen. That was just the point at which everything failed, visibly, and all at once.
Ransomware isn't the beginning of the story. It’s the final act. The crash at the end of the flight that started nosediving years ago.
The truth, as unpalatable as it may be, is that ransomware isn't the cause of anything. It’s the result. The endpoint of a long string of poor decisions, misplaced trust, and ignored risks. The red screen is where the disease becomes impossible to ignore.
This company didn’t fall because it was targeted. It fell because it was vulnerable, wide open, and blissfully unaware—a self-inflicted wound masquerading as bad luck.
The Conditions Were Perfect
This wasn’t just a technical failing. It was the result of institutional decay. Over time, convenience was chosen over caution. The budget line for security was moved—or erased. The people responsible for cyber risk didn’t even know they were responsible. And the IT support? They sold peace of mind by the pound, but delivered little more than status reports and empty buzzwords.
The business had no meaningful oversight. There was no security strategy, no audits, and no plan beyond hope and muscle memory. Cyber Essentials was mentioned once during a board meeting, mispronounced, and promptly forgotten. The IT provider had offered a “compliance pack,” but it consisted of little more than antivirus software, a half-baked VPN, and a phishing simulation no one ran.
The systems were cobbled together over the years with whatever was cheapest. The file server was still running Windows Server 2012. Remote Desktop was wide open. Staff passwords were unchanged for years, stored in a shared spreadsheet that anyone on the network could read. MFA wasn’t “enabled,” it was “something they’d heard of.”
When something inevitably slipped through, nothing was in place to detect it. There was no endpoint protection with rollback, no logging, no alerts, and no monitoring. The backups were stored on a hard drive plugged into the network, vulnerable to the same fate as the live data. When the ransomware came, it found everything it needed in one place—exposed, unprotected, and connected.
The Myth of Being Too Small
This wasn’t a rare or unusual event. Across the UK, this is now routine. What happened to Sophie’s business is happening daily to law firms, estate agents, accountants, marketing agencies, nurseries, wholesalers, and charities.
They all tell themselves the same lie: they’re too small, obscure, and local to be a target.
That’s not how this works.
Ransomware doesn’t care about who you are. It cares about whether you’re vulnerable. And most small businesses are. They’re riddled with old tech, run by people with no security awareness, and supported by suppliers who deliver just enough to tick a box—but never enough to protect the business.
Cybercriminals aren’t scanning for names. They’re scanning for open ports, exposed credentials, and unpatched endpoints. You don’t get hit because they know you. You get hit because you’re easy.
The Breach Was Already Inside the Culture
The real attack didn’t happen when the file was opened. It happened the first time someone said, “We don’t need MFA; it’s too annoying.” It happened when the server patch was deferred again. It happened when the IT provider’s risk report was waved off because “we’ve never had a problem before.” It happened when the finance team insisted that backups were a waste of money.
This wasn’t a cyberattack. It was an autopsy.
Years of complacency. Years of hoping security was someone else’s problem. Years of underinvestment, outdated infrastructure, and unchecked access. Years of letting “good enough” become a standard.
The ransomware didn’t break this business. It exposed the fact that it was already broken.
Anatomy of an Avoidable Disaster
In Sophie’s case, the chain of events traced back to a single email: a fake invoice with a .zip file landed in the Finance Director's inbox. The attachment was opened without question, and the malware inside gave the attacker remote access within minutes.
No one noticed.
The attacker spent the next few days exploring. The internal network had no segmentation. One compromised account led to others. Shared folders revealed login credentials. Critical systems had no access controls. The backup server was just another machine on the same LAN. There were no firewall rules, air gaps, or protection.
They had everything they needed to bring the business down. They encrypted the entire estate, including the backups. The attackers knew the infrastructure better than the IT provider did.
And when it was over, the call to the MSP was answered with rehearsed detachment: “We don’t manage your backups directly. That wasn’t in scope. We advised you to look into it last year.”
What they didn’t say, but might as well have: “This was inevitable. We just didn’t want to be the ones to tell you.”
Insurance Denied. Trust Broken. Operations Halted.
The insurance claim was rejected within 72 hours. The underwriter pointed to the policy document: no MFA, endpoint detection, or regular awareness training. The business had attested that those controls were in place. They weren’t.
Now the business faced a ransom demand they couldn’t afford, data they couldn’t recover, and customers they couldn’t serve. Their reputation? Shot. Their staff? Panicked. Their leadership? Exposed as asleep at the wheel.
The MSP, still under contract, began drafting termination clauses.
Sophie, who had no formal cybersecurity training, was suddenly responsible for coordinating recovery. She acted as incident manager, PR officer, and executive therapist—because no one else would.
This Isn’t About Malware. It’s About Mindset.
It’s tempting to think ransomware is the enemy. But the true enemy is the culture that allowed it in: the lazy supplier relationships, the cut-and-paste advice, the leadership teams that think digital risk is an IT issue, not a business one, the managers who conflate uptime with security, and the businesses that’ve mistaken “not yet breached” for “secure.”
If you’re a small business reading this and thinking, “we’re fine”, you’re not. You just haven’t had your red screen yet.
The Cost of Inaction Is Already Due
This isn’t about buying some software and moving on. It’s about fundamentally changing how small businesses approach risk. Because security isn’t a switch you can flick when you remember. It’s a discipline. A habit. A culture.
You don’t need a million-pound budget. You need accountability. You need visibility. You need someone who knows what a good security baseline looks like—and the authority to enforce it.
You need to stop delegating trust without verification. You must stop assuming that your IT provider is doing what’s necessary. You need to stop pretending that ransomware is someone else’s problem.
Because the real sickness isn’t malware. It’s leadership that doesn’t lead, systems that aren’t maintained, and priorities that ignore reality until it explodes.
Next in the Series
Part 2 – The Carriers: How Crap MSPs, Slack Vendors, and a Culture of Complacency Are Fueling the Epidemic (Coming Soon)
Source | Article |
---|---|
National Cyber Security Centre | Small Business Guide to Cyber Security |
ICO | Ransomware Attacks Are On The Rise |
Cyber Essentials Scheme | Cyber Essentials Overview |
ENISA | Ransomware Threat Landscape 2022 |
Gov.uk | Cyber Security Breaches Survey 2024 |
ZDNet | Why Small Businesses Are Tempting Targets |
Microsoft Security Blog | Ransomware Resilience Lessons |
Bleeping Computer | Ransomware News and Alerts |
Coveware | Q1 2024 Ransomware Marketplace Report |