January 16, 2026

This Nearly Killed a Business – A Real Ransomware Incident

Most cyber security stories are told after the fact.

This one didn’t get the chance.

The Thursday before Christmas, a UK business narrowly avoided complete collapse due to an in-progress ransomware attack. Not a scare email. Not a theoretical risk. Attackers were already inside the network, preparing to encrypt everything.

If intervention hadn’t happened when it did, the company would not exist today.

The Email Most Companies Would Ignore

Late that afternoon, the business received an email from the National Cyber Crime Unit, part of the National Crime Agency.

The message stated that a text file had been discovered containing internal network information – including credentials and access details.

Many organisations would have assumed this was fake.
Plenty would have ignored it until after Christmas.
That decision would have been fatal.

What Had Already Happened Behind the Scenes

Once logs were analysed properly, the situation became clear.
Attackers had:

  • Exploited vulnerabilities in the company’s main firewall
  • Created their own administrative accounts
  • Downloaded the full firewall configuration
  • Cracked an embedded account used to authenticate VPN users against Active Directory
  • Added a guest account to the VPN user group

At that point, this was no longer a breach in progress.
The attackers didn’t just have access – they had control.
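One way to catch the last step in that list from the directory side, as an added example that is not part of the original article: it reviews Windows Security "member added to group" events (IDs 4728, 4732, 4756) and flags unexpected additions to a VPN access group. The group name, account names, SIDs and sample events are assumptions constructed for illustration.

```python
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}  # member added to global / local / universal group

# Assumptions for illustration; none of these names or SIDs come from the article.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"      # constructed
WATCHED_GROUPS = {"VPN-Users"}                                # hypothetical VPN access group
APPROVED_SIDS = {DOMAIN_SID + "-1104", DOMAIN_SID + "-1105"}  # hypothetical roster
READ_ONLY_ACCOUNTS = {"svc-fw-ldap"}                          # hypothetical firewall bind account

# Constructed sample records, using field names from Windows Security events.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2024-06-03T10:02:11Z", "TargetUserName": "VPN-Users",
     "MemberSid": DOMAIN_SID + "-1104", "SubjectUserName": "helpdesk-admin"},
    {"EventID": 4720, "TimeCreated": "2024-06-04T01:12:40Z", "TargetUserName": "temp-user",
     "SubjectUserName": "helpdesk-admin"},
    {"EventID": 4732, "TimeCreated": "2024-06-04T01:15:02Z", "TargetUserName": "Finance-Share",
     "MemberSid": DOMAIN_SID + "-1107", "SubjectUserName": "helpdesk-admin"},
    {"EventID": 4728, "TimeCreated": "2024-06-04T01:47:09Z", "TargetUserName": "VPN-Users",
     "MemberSid": DOMAIN_SID + "-501", "SubjectUserName": "svc-fw-ldap"},
]


def is_builtin_guest(sid):
    """The built-in Guest account keeps RID 501 even if it has been renamed."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-501")


def review_group_changes(events):
    """Return one finding per suspicious addition to a watched group."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENT_IDS:
            continue
        if ev.get("TargetUserName") not in WATCHED_GROUPS:
            continue
        sid = ev.get("MemberSid", "")
        reasons = []
        if is_builtin_guest(sid):
            reasons.append("built-in Guest account added")
        if sid not in APPROVED_SIDS:
            reasons.append("member not on approved roster")
        if ev.get("SubjectUserName") in READ_ONLY_ACCOUNTS:
            reasons.append("change made by an account expected to be read-only")
        if reasons:
            findings.append({"time": ev.get("TimeCreated"), "group": ev["TargetUserName"],
                             "member_sid": sid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_group_changes(SAMPLE_EVENTS):
        print(finding)
```

Matching on the SID rather than the account name means a renamed Guest account is still caught.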

The Most Dangerous Part Was the Waiting

Two attackers had already been inside the network overnight. One for several hours. Another for even longer.

They then left.
And came back the next morning.

This wasn’t chaos or opportunism. It was preparation.

The intent was obvious: deploy ransomware either immediately or over the Christmas break, when nobody would notice for days.

Why This Was a Business-Ending Event

This company employs around 120 full-time staff, with over 300 additional people depending on the business.

All backups were stored onsite.

If ransomware had been deployed:

  • Production systems would have been encrypted
  • Backups would have been encrypted at the same time
  • Recovery options would have been close to zero

This wouldn’t have caused disruption.
It would have ended the business.
That’s the reality many directors still underestimate.

“But We Have Internal IT”

This business did have an internal IT team.

They were capable, committed, and doing their best – but they were overstretched and operating with a tiny budget. Like many internal teams, they were constantly dealing with “shouty” user issues.

The quiet work didn’t get prioritised:

  • Regular patching
  • Security hardening
  • Monitoring
  • Proper backup testing

That quiet work is where breaches live.

This wasn’t incompetence.
It was structural neglect.

What Actually Prevented a Total Collapse

Immediate action was taken to shut down access:

  • Unauthorised admin accounts were removed
  • VPN access was disabled
  • Remote firewall management was blocked
  • Insurers were contacted immediately

What followed was more than 28 hours of work across Friday and the weekend:

  • Deep forensic analysis
  • Emergency patching
  • Stabilising systems that failed once years of updates were applied
  • Managing insurer calls while actively securing the environment

This happened in the run-up to Christmas, during a period of acute personal strain, because that’s what people in this industry often do when things are on the line.
Quietly. Without drama.

The Line That Matters

None of this would have happened if the network had been properly managed.

This wasn’t bad luck.
It wasn’t unavoidable.
It wasn’t “one of those things”.

It was the result of treating cyber security as an overhead rather than a business-critical function.

Why Good MSPs Are Not a Cost Centre

This is what good managed service providers actually do.
They:

  • Prevent incidents you never hear about
  • Do the unglamorous work consistently
  • Absorb risk on behalf of the business
  • Protect livelihoods quietly

They’re not trying to sell “old rope”.
They’re not an unnecessary overhead.
They are protection.

The Uncomfortable Reality

If your business is doing nothing – or the bare minimum – you are already at risk.

Cyber attacks don’t start with ransomware.
They start with complacency.

If you think this won’t happen to you, you’re wrong.

A Sensible Next Step

You don’t need to panic.
But you do need to be realistic.

At the very least, get an independent cyber security review:

  • Not a tick-box exercise
  • Not a generic scan
  • Not a sales pitch

Just an honest assessment of where you stand.

Because the cost of prevention is nothing compared to the cost of being wrong.

On-Topic Cyber Security Checklist

See our Quiet Cyber Security Checklist Insights article to see how well you are covered.

Other Self-Assessments

Also see our Assessments page to benchmark your current technology partnership and resilience in under 3 minutes. This page contains two self-assessments:

  1. Service Self Assessment (IT Partnership Scorecard)
  2. Cyber and Continuity Resilience Check