How do you know you haven’t already been compromised?
Another week, another series of high-profile ransomware attacks. This time on UK retailers.
It’s shocking, but not surprising. But hopefully it can act as a wake-up call to business. Even if you think you’re safe – you’re probably not. And it’s better to start thinking that way.
Ransomware is a very successful business model: industrialized, scalable, and ruthless. What used to be a disruptive malware event is now a persistent, sophisticated, multi-stage extortion operation. Encrypting your files is no longer the main goal; it’s the distraction. The real objective is pressure: financial, legal, reputational.
Attackers don’t just scramble your data, steal it, and leak it; they weaponise it against you for commercial gain. Yes, attackers insist on a profit margin and a solid return on investment. It’s just business, not as you know it, but not dissimilar to many profitable business models: recoup the hours at the keyboard, add a margin, and settle the cost of the initial access (into your business), which can come at a premium if you are in a high-demand sector.
Becoming a victim requires almost nothing. One compromised password, one phishing click, one unpatched supply chain service, one call to an untrained service desk analyst. Outside of the nation states (one for another day), threat actors don’t typically rely on sophisticated ‘zero-day’ exploits; they can exploit zero discipline instead.
Most breaches start with the basics: exposed services, reused passwords, unpatched systems. Once on the inside, it’s slow and steady, with no unnecessary risks; attackers take their time. Remember, this is business, and a failure to execute the ransomware not only costs money, it damages professional status and promotion opportunities. Attackers learn the environment – often knowing your own complex infrastructure better than you do – identify pressure points, and wait for the right moment.
They don’t need to move fast. In fact, the most effective ones don’t. Once inside, they ‘live off the land’, a term used to describe a self-sustaining existence, in this context without letting anyone else know you are alive. Actors use legitimate, trusted IT admin tools and processes to blend in with normal operations. (I’m simplifying here, as many of the native tools used to hunt actors can also be used stealthily by the hunted.) They rarely install flashy malware.
This approach avoids common binary and pattern recognition detection, leaving few traces. Living off the land lets attackers escalate privileges, map networks, and steal data without tripping alarms. They disable and disarm security tools long enough to impersonate a service account or privileged identity, and set persistence through tasks that are designed to look routine. It’s not just stealthy, it’s strategic.
The breach isn’t when ransomware deploys. It’s when they walked through your front door weeks or months ago, and you never knew.
Risk appetite and reform
CEOs are starting to get used to thinking about how to respond to ransomware attacks. But this might all be about to change.
This year, the UK government proposed new rules to fight ransomware: banning payments by all public sector bodies, including local government and operators of Critical National Infrastructure; requiring companies to report attacks; and requiring all those not covered by the ban to seek approval before paying a ransom. Even then, a payment could still be blocked once reported to the authorities.
The goal is laudable. To stop attackers from profiting and improve cyber resilience. But if the proposed reforms are implemented, fallback options will disappear. Quiet payments. Private resolutions. Gone. Incidents will require reporting, and rightly so. Payments may require permission or be banned. This shifts decision making from technical teams to the boardroom. Those who’ve prepared will lead. Those who haven’t will fail in public.
But if these reforms do become law, expect unintended consequences.
There’s a risk of punishing the ransomware victim twice, which will further demotivate and risk alienating our cyber response specialists. If payment becomes illegal, and the business cannot recover without it, then what? Is your CISO prepared to commit a crime? Business collapse? Not every company has the capability, the technical infrastructure, the capital funds to rebuild from scratch, or the resilience to survive without options. Policy without enablement becomes punishment. Compliance can’t replace capability.
A more effective intervention would be to make cyber risk statutory. Include it in company accounts. Force formal risk disclosure, not vague marketing language. Make cyber risk auditable and genuinely owned by the board. If financial risk needs sign-off, so does exposure to systemic compromise. The Cyber Security and Resilience Bill should embed this. As a former CISO I recall one of my CEOs who had plenty of risk appetite, using a cyber attack fiasco as a badge of honor, rather than a learned experience in the board room. This individual went on to lead another organization which also became a victim of the same cybercrime. No more badges. No more press-release security.
Cyber resilience isn’t something you buy
Following the recent attacks, the National Cyber Security Centre advised every company to tighten up. I think every CEO should be asking one question: “how do I know we haven’t already been compromised?”
If the answer is silence, you already have your answer. If there’s no evidence, no threat hunting, no real-time insight, you’re uninformed. And that’s worse.
If there’s any doubt, start hunting. Threat hunting is not reserved for offensive specialist red teams. I’ve spoken and written about breaking down these silos in the past. It’s a mindset, and defenders are great at it. Look for what doesn’t belong, and there can be plenty hidden in plain sight.
Start with suspicious traffic, anti-forensic clean-up behavior, unexpected logons, and log deletion. Check for tools that launch other tools, inspect processes, or create scheduled tasks. Investigate systems that behave differently than they did yesterday. Set up your own registry telemetry to identify anomalies. You don’t need proof of a breach to hunt. You need curiosity, critical-thinking discipline, collaboration, and time.
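The hunting checklist above, turned into a small example (added here, not from the article): a scan over a handful of constructed Windows-style event records looking for log clearing, scheduled-task creation, off-hours or remote-interactive logons, and office applications spawning script hosts. The Windows event IDs (1102, 4698, 4624, Sysmon 1) are real; the hosts, users and thresholds are made-up assumptions.

```python
# Added example, not code from the article. Hunts a constructed batch of
# Windows-style events for the signals the text lists. Event IDs are real
# Windows/Sysmon IDs; every host, user and value below is constructed.
from collections import Counter

# Constructed sample telemetry:
#   1102 = Security audit log cleared, 4698 = scheduled task created,
#   4624 = successful logon (type 10 = RemoteInteractive/RDP),
#   1    = Sysmon process creation (parent/child image names).
EVENTS = [
    {"id": 4624, "user": "jsmith", "host": "FS01", "hour": 10, "logon_type": 3},
    {"id": 4624, "user": "svc_backup", "host": "DC01", "hour": 3, "logon_type": 10},
    {"id": 4698, "user": "svc_backup", "host": "DC01", "task": "WindowsUpdateCheck"},
    {"id": 1102, "user": "svc_backup", "host": "DC01"},
    {"id": 1, "host": "WS22", "parent": "winword.exe", "image": "powershell.exe"},
    {"id": 1, "host": "WS22", "parent": "explorer.exe", "image": "notepad.exe"},
]

BUSINESS_HOURS = range(7, 20)            # assumed normal working window
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "rundll32.exe"}


def hunt(events):
    """Return (host, finding) tuples for events that don't belong."""
    findings = []
    for e in events:
        if e["id"] == 1102:                      # anti-forensic clean-up
            findings.append((e["host"], f"security log cleared by {e['user']}"))
        elif e["id"] == 4698:                    # persistence via 'routine' task
            findings.append((e["host"], f"scheduled task '{e['task']}' created by {e['user']}"))
        elif e["id"] == 4624 and (e["hour"] not in BUSINESS_HOURS or e["logon_type"] == 10):
            findings.append((e["host"], f"off-hours or remote interactive logon by {e['user']}"))
        elif e["id"] == 1 and e["parent"] in OFFICE_PARENTS and e["image"] in SCRIPT_HOSTS:
            findings.append((e["host"], f"{e['parent']} spawned {e['image']}"))
    return findings


def hosts_by_signal_count(findings):
    """Rank hosts by independent signals; several on one host is where to start."""
    return Counter(host for host, _ in findings).most_common()


if __name__ == "__main__":
    for host, why in hunt(EVENTS):
        print(f"{host}: {why}")
    print(hosts_by_signal_count(hunt(EVENTS)))
```

Stacking independent signals per host is the point: a cleared log on its own is noise, a cleared log plus a new task plus a 3 a.m. RDP logon by a service account is a story.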
Ransomware isn’t going away. It’s painfully easy to execute, and the business model is evolving with cheap, effective AI agents that operate relentlessly. If your industry or sector isn’t in the headlights today, tomorrow it will be. The only thing more dangerous than the threat itself is the illusion that you’re ready, and that your business and its supply chain can operate manually for a month or more. Resilience isn’t something you buy. And right now, most aren’t even close.