Comment & Opinion

Targeted by a ransomware attack? Here’s what you need to know

Ransomware attacks are unfortunately more frequent than ever, and an attack can have a hugely detrimental impact on its victims. We all know how severe Marks & Spencer’s ransomware attack was in April 2025: it had a huge impact on its business operations, with around £300m of lost operating profit, and received nationwide press coverage for several weeks.

What is more difficult to quantify is the impact these types of attacks have on an organisation’s customers and suppliers, and how they view the organisation’s reliability and security.

Ransomware attacks target an organisation’s IT systems through a variety of methods, gain access, encrypt its files and then demand a ransom for the files to be released. In those circumstances, a business faces the very difficult decision of whether to co-operate with the attacker by paying the ransom, or to refuse and try to isolate the attack from the rest of the network.

Here’s what you need to know to protect your organisation and what to do in the event of an attack.

Mitigation

There are a number of methods you can use as a first step to mitigate the extent of a ransomware attack:

  1. Isolate the affected system, as ransomware programs will scan the network for vulnerabilities in order to propagate elsewhere.
  2. Report the attack to the relevant authorities. In some instances, if the attackers can be identified, the authorities may be able to obtain the decryption key on your behalf if they have encountered that group before.
  3. Secure your backups so that you can recover without paying the ransom. Most attackers are sophisticated and will be fully aware that you will try to take that route, so they will likely do everything they can to locate the backups and either delete them or encrypt them as well.

Your employees should also be given regular training and guidance on how to spot the key risks and indications of a ransomware attack, as they are the front line of defence whom fraudsters will often target first.

Should you pay the ransom?

If none of those options work, then you may consider whether it would be more straightforward to simply pay the ransom. However, there are some key things to bear in mind here:

  1. UK law enforcement agencies don’t encourage or endorse paying ransoms in these situations. Paying a ransom only shows the attackers that these kinds of attacks work and are profitable, thereby incentivising future attacks. There have been reports that companies which have paid a ransom suffer a further attack at a later date, because the hacker knows they can get a pay day.
  2. Under the Terrorism Act, it’s an offence for an entity to pay a ransom if it knows or has reasonable cause to suspect that the money will or may be used for the purposes of terrorism. Under the Proceeds of Crime Act, it’s an offence to enter into an arrangement that the entity knows or suspects will facilitate the use or control of criminal property.
  3. The Government announced in July 2025 that it’s planning to introduce a ban on public sector bodies and operators of critical national infrastructure paying ransom demands. Whilst businesses are not presently covered by the proposed ban, there would be a requirement to notify the government of any intention to pay a ransom. The intention is that the government could then advise those businesses on whether such a payment would risk breaking the law.
  4. The ICO issued a statement in 2022 saying it had received reports of legal professionals assisting their clients in making ransom payments, believing this would help protect stolen data and potentially reduce any penalties imposed by the ICO should it undertake an investigation. The ICO was clear that this is not the case: it doesn’t consider that paying money to these attackers will mitigate any penalties imposed if it later takes enforcement action against the entity.

Despite these legal considerations, organisations still need to appreciate that even if the ransom is paid, it doesn’t necessarily mean that the data will be released back to them. They are dealing with criminals, and most organisations are unlikely to feel comfortable placing trust in those criminals.

On the other hand, these groups want to establish a reputation for following through on their word, in order to encourage future ransom payments from other organisations.

How we can help

Our team of experts from around the business are here to help, bringing real-world experience and specialist knowledge to the table to make sure you find a way to solve your cybersecurity concerns.

If you need support to protect your business from a ransomware attack or have any questions, please contact Sally Mewies or Jack Heward.

Our people

Sally Mewies, Partner, Head of Technology & Digital

Jack Heward, Senior Associate, Dispute Resolution