Guide

Ransomware recovery in the UK: what actually works

Ransomware is the single most disruptive incident most UK companies will ever face. This guide is the response sequence GoaTech runs with UK clients — aligned with NCSC guidance and current sanctions law.

First 24 hours

Isolate, don't wipe. Preserve encrypted samples and ransom notes for attribution. Notify your cyber insurer immediately — most policies require notification within 24-72 hours to remain valid. Engage legal counsel; do not communicate with the threat actor yet.

The decision to pay

NCSC and law enforcement position: do not pay. Legal position: paying certain sanctioned actors is a criminal offence under UK sanctions law (OFSI). Practical position: some businesses pay anyway. If payment is considered, it must go through a licensed negotiator with sanctions screening on the wallet — never direct.

Rebuild, don't restore

Restoring backups into a compromised environment reinfects them within days. The correct sequence is: build a clean forensic environment, restore data into it, validate integrity, then rejoin only after credentials, keys and Golden Ticket-style AD compromises are fully rotated and verified.

Frequently asked questions

Is it illegal to pay ransomware in the UK?
Payment itself is not automatically illegal, but making funds available to a sanctioned entity is a criminal offence under UK sanctions regulations. Many prolific ransomware groups are OFAC or OFSI sanctioned. Always screen before payment is even considered.
Will cyber insurance cover a ransom payment?
Increasingly no. Most UK cyber policies renewed in 2025-2026 exclude or heavily restrict ransom payments. They still cover forensics, legal, notification, and business interruption — often the larger cost anyway.

Get a UK ransomware readiness assessment

Talk to the GoaTech team. We'll map your current position and show what a tailored UK-focused programme looks like.

Get started