Ransomware has become one of the most dangerous cybersecurity threats facing small businesses in the UK today. In recent years, cybercriminals have ramped up their efforts, targeting organisations of all sizes, sectors, and levels of technical sophistication.
But there is one line of defence that remains crucial not just for prevention, but for recovery: backups.
This blog looks at why having a reliable backup strategy is essential, how backups can help your business bounce back from a ransomware attack, and practical advice on building ransomware-resistant backup systems, all with small UK businesses in mind.
What Is Ransomware, and Why Should You Care
Ransomware is a form of malicious software that encrypts your data, locking you out of your files, systems, and applications. Attackers then demand a ransom—often in cryptocurrency—in exchange for the decryption key.
Unfortunately, paying the ransom doesn’t guarantee you’ll get your data back. According to the UK’s National Cyber Security Centre (NCSC), many victims who pay still experience prolonged downtime, further data loss, or even repeat attacks.
Common Forms of Ransomware
Ransomware has evolved significantly over the past decade, with cybercriminals deploying increasingly sophisticated and targeted attacks. Understanding the different forms of ransomware is essential for individuals and organisations to recognise threats and take appropriate defensive measures. Below are some of the most common types of ransomware in circulation today:
1. Crypto Ransomware
Crypto ransomware is one of the most prevalent and damaging forms of ransomware. It works by encrypting a victim’s files—documents, photos, databases, and other valuable data—rendering them inaccessible without a decryption key. Once the encryption process is complete, the malware displays a ransom note demanding payment, often in cryptocurrencies like Bitcoin, in exchange for the decryption key. Victims are usually given a limited time to pay, after which the decryption key may be permanently destroyed or the ransom amount increased.
What makes crypto ransomware particularly harmful is that it typically does not interfere with the core functions of the computer, allowing the user to see their files but not open them. This visibility adds psychological pressure, as victims can see what they are losing unless they comply with the attacker’s demands.
Some well-known examples include WannaCry, CryptoLocker, and Ryuk, which have caused widespread disruption to hospitals, corporations, and public infrastructure around the world.
2. Locker Ransomware
Unlike crypto ransomware, locker ransomware doesn’t target individual files. Instead, it locks users out of their entire system, preventing them from accessing the desktop, files, or applications. Victims are typically presented with a full-screen ransom message, often impersonating law enforcement agencies, accusing them of illegal activity and demanding a “fine” to unlock the device.
While locker ransomware tends to be more disruptive to daily operations than destructive (since it often doesn’t encrypt data), it can still halt business processes, especially in environments where downtime is critical. In some cases, the system’s keyboard and mouse may become unresponsive, and restarting the machine offers no relief, further escalating panic.
This form of ransomware is more commonly seen on mobile devices and older operating systems where users have not implemented up-to-date security practices or patches.
3. Double Extortion Ransomware
Double extortion is a newer and more dangerous form of ransomware attack. In addition to encrypting files, attackers also steal sensitive data before locking systems. They then demand a ransom not only for the decryption key but also to prevent the publication or sale of the stolen data. This tactic significantly raises the stakes, especially for businesses holding proprietary, financial, or customer information.
Victims who might have considered restoring data from backups are pressured into paying to avoid reputational damage, regulatory fines, or lawsuits arising from a data breach. This form of attack has been increasingly used by ransomware gangs such as Maze, Conti, and REvil, who even operate dark web “leak sites” to publish stolen data from non-compliant victims.
Double extortion demonstrates how ransomware has evolved from simple encryption-based attacks to complex, multi-layered threats targeting both data integrity and organisational reputation.
Why Backups Are the Cornerstone of Ransomware Recovery
In today’s digital landscape, ransomware attacks are no longer a rare occurrence they’re a growing and constant threat to businesses of all sizes. For UK small and medium enterprises (SMEs), the damage from a ransomware infection can be devastating, leading to lost data, halted operations, and even reputational harm. But there’s one crucial safeguard that can make all the difference: having robust, secure, and up-to-date backups.
Think of backups as your digital insurance policy. When ransomware strikes and your files are encrypted or systems locked down, a well-maintained backup gives you a way out—without having to pay the criminals or suffer catastrophic data loss. Here’s why backups are considered the cornerstone of ransomware recovery:
1. Avoid Paying the Ransom
One of the primary goals of ransomware is to force victims into paying large sums of money in exchange for the decryption key to restore their data. But if your organisation has a reliable backup strategy in place, you don’t need to negotiate or pay the ransom. Instead, you can simply restore your systems from the clean backup, eliminating the attacker’s leverage.
2. Faster and More Efficient Recovery
Time is money—especially when your business operations are disrupted. Ransomware can cause significant downtime, costing thousands in lost productivity. However, regular and tested backups enable a much faster recovery process. Rather than starting from scratch or attempting costly data recovery, you can quickly restore the affected systems and resume business with minimal interruption.
3. Preserve Data Integrity
Ransomware doesn’t just block access to data—it can also corrupt or tamper with it. Secure backups help maintain the integrity of your data by providing an unaltered version that was saved before the attack. This ensures your business records, customer information, and operational data remain accurate and trustworthy when restored.
4. Meet Legal and Regulatory Obligations
For UK businesses, data protection isn’t just best practice—it’s a legal requirement. Under the UK General Data Protection Regulation (GDPR), companies must ensure the availability and recoverability of personal data. Backups play a key role in demonstrating compliance, especially in sectors like finance, healthcare, and legal services. Failing to back up data adequately could lead to fines or legal consequences following a breach.
5. Guidance from the Experts
The UK’s National Cyber Security Centre (NCSC) strongly emphasises the importance of backups in its official guidance on ransomware resilience. As the NCSC states, “The ability to restore systems and data from backups is the single most important step for recovery.” Their advice is clear: having regular, isolated, and tested backups is essential for any organisation wanting to recover swiftly from a cyberattack.
The True Cost of Ransomware Without Backups
Not all backups are created equal. If your backup is stored on the same network as your production data, ransomware can and often does encrypt the backup too.
To build ransomware-resistant backups, consider the following key principles:
1. The 3-2-1 Rule
A time-tested strategy:
- 3 copies of your data
- 2 different storage media (e.g. local drive + cloud)
- 1 copy stored offsite (physically or via the cloud)
This ensures redundancy and mitigates risk from single points of failure.
2. Immutability
Backups must be immutable meaning they can’t be changed or deleted once written. Many backup systems now offer immutable storage that protects against encryption or deletion by ransomware.
Learn more about immutability on Cloudian’s guide.
3. Offline or Air-Gapped Backups
An air-gapped backup is physically separated from your network meaning ransomware can’t reach it. This can be a removable drive or tape stored securely offsite.
The NCSC strongly recommends using offline backups as part of a layered defence.
4. Cloud Backups with Versioning
Cloud storage with file versioning can help you restore previous, clean versions of files before infection occurred.
Ensure your cloud backup provider offers:
- Encryption at rest and in transit
- Role-based access controls
- Multi-factor authentication
Providers like UKCloud, Acronis, and Carbonite offer SME-friendly cloud backup options.
Practical Backup Tips for UK Small Businesses
You don’t need an enterprise IT department to build a strong backup system. Here’s a practical checklist tailored for UK small business owners:
✅ Audit Your Data
- Identify what data is critical to your operations.
- Prioritise systems and files essential for business continuity.
✅ Use Automated Backups
Manual backups are prone to human error. Use automated tools that run on a daily schedule.
✅ Diversify Your Storage
- Use a combination of local (on-premise) and cloud-based backups.
- Store one copy in an offsite location or with a trusted cloud provider.
✅ Test Your Backups
Don’t just assume your backups work. Regularly test the restore process to ensure backups are functional and complete.
✅ Use Encryption and Authentication
Secure your backup systems with strong passwords, multi-factor authentication (MFA), and encryption to protect against unauthorised access.
✅ Document Your Recovery Plan
Have a simple, step-by-step disaster recovery plan that includes:
- Where your backups are stored
- How to access and restore them
- Who’s responsible in your team
Template tools are available from the UK’s Cyber Essentials scheme.
Backup Options: Local vs Cloud vs Hybrid
Let’s quickly compare backup options to help you decide what works best for your business:
| Backup Type | Pros | Cons |
|---|---|---|
| Local (external HDD, NAS) | Fast, inexpensive, under your control | Vulnerable to physical damage, theft, or ransomware if not air-gapped |
| Cloud Backup | Offsite, scalable, managed by experts | Recurring cost, dependent on internet speed |
| Hybrid Backup | Combines local + cloud | Most resilient option |
For small UK businesses, a hybrid approach offers the best balance of security, speed, and resilience.
How to Recover from a Ransomware Attack Using Backups
So the worst-case scenario has happened—your systems have been compromised by ransomware. It’s a stressful moment, but if you’ve maintained proper backups, there is a recovery path. Acting quickly and methodically is key to reducing downtime, data loss, and reputational damage. Here’s a practical step-by-step guide to recovering from a ransomware attack using your backups.
Step 1: Immediately Isolate Infected Systems
As soon as you suspect a ransomware infection, act fast to contain it. Disconnect all affected systems from the network—including Wi-Fi, Ethernet, external drives, and cloud sync services. This prevents the ransomware from spreading further to other devices or backup locations. If you use shared folders or servers, isolate them as well.
Step 2: Report the Incident
In the UK, it’s essential to report ransomware attacks to the proper authorities. This not only helps you potentially receive support, but it also contributes to national cyber threat intelligence.
-
Report to Action Fraud UK – This is the UK’s national reporting centre for fraud and cybercrime.
-
Notify the NCSC Incident Management Team – The National Cyber Security Centre offers guidance and may provide assistance for large-scale or critical incidents.
Keeping law enforcement informed can also help if the attackers demand a ransom payment or if legal proceedings become necessary.
Step 3: Assess the Damage and Backup Integrity
Once the infection is contained, identify the scope of the attack:
-
What data and systems have been encrypted?
-
Are operational systems still functional?
-
Are your backups still intact, or have they been targeted too?
It’s critical to verify that your backups are clean and uninfected. Ideally, backups should be stored in a separate location or offline (“air-gapped”) to prevent ransomware from accessing them.
Step 4: Restore From Backup Safely
When you’re confident your backups are unaffected, begin the restoration process in a controlled environment. Use clean machines or virtual environments for restoration.
-
Run comprehensive antivirus and anti-malware scans before reconnecting to the main network.
-
Only restore from tested, known-good backups.
-
Prioritise restoring essential systems first to resume business operations.
If you’re using cloud-based backup solutions, many providers offer built-in ransomware detection and clean rollback options.
Step 5: Strengthen Your Cyber Defences
Recovery is not just about restoring data—it’s also a wake-up call to reassess your security posture. After the incident:
-
Review and test your backup strategy. Use the 3-2-1 rule: 3 copies of data, on 2 different media, with 1 stored offsite.
-
Update user access controls. Apply the principle of least privilege.
-
Train staff regularly on phishing scams and suspicious activity reporting.
-
Consider enrolling in the Cyber Essentials scheme. This government-backed certification helps businesses improve cyber hygiene and demonstrate a commitment to security.