Risk Coalition Virtual Roundtable – 12 September 2025
Authors: Chris Burt (Halex Consulting/Risk Coalition); Vish Nayi (CyberQ Group); Carrie Stephenson (Brave LLP)
Ransomware has become one of the most pressing threats to organisational resilience, disrupting critical services, damaging reputations, and testing board decision-making under pressure. At our September Risk Matters roundtable, the Risk Coalition convened non-executive directors, audit and risk committee members, and governance professionals to explore the “anatomy” of a ransomware attack: what happens before, during, and after, and how boards can prepare to respond.
The discussion was led by two subject-matter experts: Vish Nayi, Chief Solutions Architect at CyberQ Group, who brings extensive incident response experience, and Carrie Stephenson, co-founder of Brave LLP, who contributed perspectives on legal, compliance, and governance.
The Current Threat Landscape
Participants were reminded that ransomware is no longer a fringe issue. UK businesses face a cyberattack on average every 44 seconds, with ransomware affecting an estimated 19,000 businesses annually – roughly 52 each day. Phishing remains the dominant entry point, often serving as the precursor to more serious ransomware incidents.
As Vish noted, ransomware groups operate like multinational enterprises. They employ developers, negotiators, and managers; they track performance against KPIs; and they even offer “ransomware-as-a-service” to affiliates. In parallel, geopolitical factors – including state-sponsored activity – continue to fuel the scale and sophistication of attacks.
AI technology is creating new challenges. As Carrie explained, "Criminals are using AI to craft more convincing phishing and automate vulnerability scanning, while businesses rely on it for threat detection – creating a double-edged sword."
The financial impact is stark: the UK economy loses an estimated £27 billion annually to cybercrime. Yet for criminals, ransomware is a multi-billion-pound industry.
Before the Attack: Building Preparedness
The first theme of discussion was preparedness. Boards were urged to ask themselves whether they have:
A clear understanding of their organisation’s “crown jewels” – the data and systems critical to survival.
A defined risk appetite for cyber threats, recognising that “zero risk” is not realistic.
An incident response plan that is not only written but rehearsed. Too often, boards sign off policies they have never read or tested.
Vish highlighted common pitfalls: response plans locked in digital systems that become encrypted during an attack; key roles assigned to a single individual who may be unavailable; and reliance on cyber insurance that may not pay out if the organisation has not maintained promised controls.
Carrie emphasised the governance dimension: “Boards must address cyber resilience before a crisis strikes. Debating whether to pay a ransom should not take place for the first time in the middle of an attack. Businesses must adopt a proportionate and proactive approach to cyber security and assess the risk as part of a larger risk management framework.” Establishing principles in advance – including the legal, regulatory, and ethical implications of ransom payments – enables calmer decision-making under stress.
She stressed the personal stakes for directors: "If you're a NED, you hold fiduciary duties as a director – this encompasses good cyber security risk management. You have personal liability – do not assume your D&O covers you. It might cover decisions and actions but not wider costs."
Carrie challenged boards to examine their current approach: "Are you following a proven framework like Cyber Essentials? Are you building in cyber resilience and business continuity planning? Is it on the agenda? If not, it should be. Who is the designated lead? If no-one, assign one."
During the Attack: Decisions Under Pressure
When ransomware strikes, pressure mounts rapidly. Data is encrypted, operations stall, and a ransom demand arrives – typically in cryptocurrency.
Key dilemmas for boards include:
Ransom payments – who has authority to decide, and on what basis? While some organisations pragmatically negotiate, government proposals now point towards tighter restrictions and mandatory reporting.
Communications – how to handle regulators, insurers, employees, customers, and the media in the crucial first 24 hours. Misinformation or premature statements can magnify reputational damage.
Law enforcement engagement – while support and guidance are improving, technical interventions are often limited once encryption has occurred.
The discussion also reflected on real-world examples, from large retailers forced to disclose outages, to smaller firms negotiating instalment payments on the dark web. These illustrate both the diversity of responses and the intense moral, legal, and financial pressures boards may face.
After the Attack: Recovery and Learning
Even if a ransom is paid, restoration is uncertain. Criminals may not provide decryption keys, or they may strike again. True resilience lies in restoring systems independently and learning from the incident.
Boards should ensure:
Backups are offline, secure, and regularly tested.
Legal obligations – including mandatory reporting under emerging regulation – are understood and actionable.
Lessons learned feed into strategy, culture, and governance.
Carrie noted that new legislation, including the forthcoming Cyber Security and Resilience Bill (CSRB), will require boards to demonstrate more proactive oversight. The Bill is expected to expand regulatory scope into the value chain, impose stricter incident reporting (within 72 hours), and give regulators sharper enforcement powers.
Carrie highlighted the significance of these changes: "We're seeing a step-change in UK cyber regulation with the CSRB. This moves away from voluntary frameworks to encourage a culture of accountability, with compliance obligations that could result in significant penalties."
Policy and Legal Context
The roundtable considered the UK Government’s July 2025 consultation response on ransomware. Key proposals include:
A targeted ban on ransom payments for public bodies and critical national infrastructure (supported by 72% of respondents).
Exploration of an economy-wide prevention regime, though views were mixed.
Introduction of a mandatory reporting regime, strongly backed by respondents, to improve government visibility of ransomware threats.
The reality of ransom restrictions is becoming clearer. As Carrie warned, "Ransom payments may be a thing of the past for CNI providers and public sector organisations. The question becomes: how do you recover in the absence of being able to pay a ransom? We await answers from the government on what happens when there are no technical restoration options."
For boards, the implication is clear: decisions about ransom payments and incident handling are moving from discretion to regulation.
Key Takeaways for Audit and Risk Committees
Several practical actions emerged from the session:
Preparedness and validation – Incident response and continuity plans must be read, rehearsed, and printed. Boards should regularly test them through realistic simulations.
Decision-making clarity – Authority for ransom payments (if legally permitted) should be pre-defined.
Insurance scrutiny – Verify what is actually covered and under what conditions. Cyber insurance transforms operational risk into credit risk on the insurer, rather than eliminating it.
Supply chain resilience – Critical suppliers, including managed service providers, must be part of the resilience equation.
Legal foresight – Understand the implications of AML, data protection, and emerging cyber legislation before an attack occurs.
Culture of learning – Every incident must inform future governance and risk oversight.
Carrie emphasised the expanded regulatory focus on supply chains: "The CSRB extends due diligence requirements. Businesses that rely on external IT or security providers will be required to conduct due diligence, which means you need to be checking contractual agreements reflect security expectations."
Conclusion
Ransomware is not an IT issue alone – it is a strategic business risk. Boards cannot outsource responsibility; they must understand the threat, set clear principles, and test their organisation’s resilience.
The Risk Matters roundtable underscored that the anatomy of a ransomware attack involves more than encryption and extortion. It is about governance, legal, compliance, financial resilience, and the ability of directors to lead under pressure.
As new legislation reshapes the regulatory landscape, the imperative for boards is clear: move beyond compliance and embed cyber resilience at the heart of risk oversight.
Useful links:
National Cyber Security Centre – a great source of advice and guidance (NCSC.GOV.UK)
NCSC Cyber Governance for Boards – board-focused cyber resources (Cyber Governance for Boards, NCSC.GOV.UK)
NHS Cyber Security Guide for NEDs – Cyber security guide for non-executive directors (NHS England Digital)
UK Government Cyber Governance Code of Practice (GOV.UK)
📅 The next Risk Matters roundtable will be held at 9am (UK) on Friday 12 December 2025. We encourage audit and risk committee members to join the discussion.