Every so often, something comes along that reminds us why we do what we do in Cyber Security. This case study is one of those examples.
I was recently contacted about a UK pharmaceutical SME, turning over around £9 million a year. On the surface, they were a successful and well-run organisation. But in just a few hours, they went from being fully operational to completely paralysed by a type of malware most businesses fear: ransomware.
You won’t hear about this case in the news — the company isn’t a household name. But this is the reality for SMEs: even without public profile or brand recognition, you can still be a prime ransomware target.
This story isn’t about scare tactics. It’s about showing what can happen when prevention alone isn’t enough, and why resilience matters just as much.
What Happened?
The company operates across the UK and internationally. When attackers struck, they knew exactly where to hit.
- Within hours, every critical system was encrypted.
- The business couldn’t trade, process orders, or access essential files.
- And crucially, they had no segregated, secure backups.
The cyber criminals behind the attack had a detailed understanding of the organisation’s setup — they knew the backups were not segregated, that the operating system environment was poorly configured, and that there was no way to recover.
For over two weeks, the business was offline. By then, they had already lost around half a million pounds in revenue. With no other options, they were forced to pay the ransom.
Why It Was So Effective
Once the dust began to settle, three issues became clear:
- Poorly configured Active Directory. This made it easy for them to escalate privileges and spread quickly.
- No tested backups. With nothing resilient to fall back on, the business had no leverage when faced with a ransom demand.
The criminals were running what looked like a Ransomware-as-a-Service (RaaS) model, which meant the tools and infrastructure to launch the attack were ready-made.
They knew they had the upper hand, refused to lower the demand, and waited until the business had no choice but to make a ransomware payment.
The Boardroom Dilemma
When the board met to discuss the situation, one of the first questions raised was: “If we pay, aren’t we funding terrorism?”
It’s an understandable ethical concern. But the immediate reality was harsher: paying doesn’t guarantee recovery. And worse still, once you make a ransomware payment, your business is often marked on underground forums as a company willing to pay — making you a repeat ransomware target.
In fact, it later emerged that this company had already suffered a ransomware attack two or three years earlier. That history only confirmed the point: once you’re seen to pay, you’re more likely to be hit again.
Paying and Rebuilding
In the end, the business did pay. They eventually received a decryption key and began restoring their encrypted files. But recovery has been slow and painful. Even with the key, rebuilding takes weeks.
Rebuilding has included:
- Migrating away from vulnerable on-premise infrastructure to Microsoft 365.
- Deploying Managed Detection and Response (MDR), with 24/7 human-led monitoring.
- Re-running Cyber Awareness training, after confirming the likely entry point was a phishing click.
Reviewing their use of Remote Desktop Protocol (RDP).
Redesigning Active Directory to remove the weaknesses that allowed attackers to spread unchecked.
- Running penetration testing services to identify and remediate any remaining security holes.
Why Awareness, MDR and Testing Matter
This case highlights something we see time and again: security measures are only effective if they’re put in place for the right reasons.
- Cyber awareness training isn’t about ticking a box. It’s about preparing staff to spot and stop phishing emails before they become a crisis.
- MDR isn’t about shiny new tools. It’s about detecting unusual behaviour early enough to prevent ransomware encrypts from spreading across your environment.
- Penetration testing isn’t just for regulators. It shows you exactly how your organisation could be compromised — whether through phishing, weak passwords, or exposed RDP services.
These aren’t nice-to-haves. They’re the difference between containing an incident and paying criminals.
The Fire Safety Analogy
I often compare this to fire safety. You put alarms, sprinklers, and extinguishers in place to reduce the chance of a fire starting or spreading. But even with the best precautions, fires still happen.
That’s why we also have evacuation plans, insurance, and fire drills. We don’t just try to prevent the fire, we plan to survive it.
This company had some preventative measures, but no recovery plan. When the fire came, it consumed everything.
What We Can Learn
Breaches happen. Types of ransomware are evolving constantly, and with RaaS, attacks are easier to launch than ever. But what you can control is how prepared your organisation is to respond.
This pharmaceutical SME’s story is a stark reminder of why we invest in Cyber Security: not to spend budget for the sake of it, but to protect the businesses we’re trusted to safeguard.
So here’s the question I’d leave you with: if ransomware hit your systems tomorrow, how confident are you that you could keep operating? And how quickly could you recover?
We’ll continue to share updates as this case develops. In the meantime, revisit your defences: train your people, test your systems, run attack simulations, lock down RDP, strengthen your backups, and put MDR in place. Because resilience isn’t optional — it’s what keeps your business alive when prevention alone isn’t enough.
Ready to achieve your security goals? We’re at your service.
expertise to help you shape and deliver your security strategy.
About the author
