Reports say a criminal crew quietly copied a law firm's most sensitive records, then locked the doors from the inside and demanded payment. We explain it in plain English, no jargon, and give you the simple habits that stop it.
Picture switching on your computer and finding a strange new ending stuck onto every file name. Contracts. Client letters. Case notes. All scrambled. Then a message appears: pay us, or we publish everything you own. That, in plain terms, is a ransomware attack. According to cyber monitoring reports, it recently hit a law firm here in the UK, with a group called Gunra named as the crew behind it. Important files were reportedly scrambled and normal work stopped while the firm worked out how bad it was.
Think of ransomware like a burglar who slips into your house while you sleep. They do not just steal things. They photocopy every private letter you own, change every lock in the house, then slide a note under the door: "Want your keys back? Pay up. And we have copies of your secrets, so pay again or we post them online."
Criminals are not random. They pick targets like a pickpocket picks a busy train: lots of value, not much resistance. Law firms tick both boxes, and so do most small businesses.
Contracts, financial records, private cases and confidential emails can all be sold or used for blackmail.
Missing a legal deadline is serious, so victims feel huge pressure to pay quickly and quietly.
Unlike big banks, smaller firms rarely have a full security team watching around the clock.
One leaked client file can do more damage than the downtime, so the threat of exposure stings.
In short, attackers see a high reward with a lower chance of getting caught. That is the whole business model, and it is exactly the gap a smaller business can close with a few sensible habits.
People imagine a hacker smashing through a firewall in thirty seconds. The reality is slower and quieter. Most attacks unfold step by step, often over days or weeks.
Usually through a stolen password, a fake email someone clicks, or out-of-date software with a known hole in it.
For days or weeks they explore, learning where the important files and backups live. This waiting is called dwell time.
They hunt for admin accounts, the ones that open everything, so they can move freely without tripping alarms.
Before locking anything, they steal a copy of the most sensitive files to use as leverage later.
They try to disable security tools and delete backups so you cannot simply restore and walk away.
Only now do they scramble everything at once and drop the ransom note. The damage was done long before.
Here is the good news hidden in that list. Because attackers spend so long creeping around first, there are many chances to catch them before the lock clicks shut. That window is where good defence lives.
Older ransomware just locked your files. Modern crews, including the kind blamed here, play a meaner game called double extortion. They steal a copy of your data first, then lock you out. Now there are two demands.
The burglar steals your diary first, then locks your front door. Demand one: "Pay to get back into your house." Demand two: "Pay again, or we read your diary out loud to the whole street." Even a business with perfect backups still has to worry about the diary being published.
This is why "we have backups, so we are fine" is no longer the full answer. Backups get your files back. They do not un-leak stolen secrets. For a firm holding private client matters, the threat of exposure alone can be terrifying, and the criminals know it.
Case files, billing, email and document systems can all go dark at once. Staff sit idle.
Court dates and client commitments do not pause for an attack. Missing them has knock-on effects.
Recovery, specialists, legal advice and insurance excess add up fast, often more than any ransom.
Clients ask hard questions and regulators may want answers about how the data was protected.
This is why the smartest move is never "what do we do after?" It is "what do we do so this is unlikely, and survivable if it ever happens?" That is the part you can actually control, starting today.
You do not need a big budget or a tech degree. Attackers chase easy targets, so the goal is simple: be more effort than you are worth. Do even the first four of these well and you have shut the front door on most attacks.
Also called MFA. After your password it asks for a code from your phone, so a stolen password alone becomes useless.
Store at least one copy offline or fully separated, and actually test that you can restore it. An untested backup is a guess.
Those annoying update prompts often fix the exact holes attackers use. Turn on automatic updates where you can.
Most attacks start with one click. A quick "does this look right?" habit, especially for invoices and logins, blocks a huge share.
Most people do not need admin rights. The fewer all-access accounts you have, the less an attacker can do with a stolen one.
Remote desktop and VPNs are favourite doorways. Protect them with MFA and only open them when truly needed.
One page: who to call, how to isolate a machine, where the backups are. Practise it once. In a real incident, calm beats clever.
You cannot protect what you forgot you had. List your websites, logins and old systems facing the web, and close what you do not need.
Seven simple habits that stop the vast majority of attacks. Be honest, tick only what you can prove today. Nothing leaves this page.
The single biggest win against stolen passwords.
So we can recover without paying anyone.
Closing known holes before they are used.
The team knows how to question a suspicious email.
Limiting the damage a single stolen account can do.
The favourite doorway is locked.
So nobody panics on the worst day.
The reported attack on a UK law firm is a reminder that the businesses most reliant on trust and quick access are exactly the ones criminals squeeze. But the defence is not a mystery. Strong logins, tested backups, fast updates, an aware team and a simple plan will carry a smaller business further than most expensive tools sitting unused.
You do not need to do everything this week. You just need to start being a harder target than the business next door. That is usually enough to make a criminal move on.
Cybersecurity is a shared responsibility and a foundation for prosperity. We urge all organisations, no matter how big or small, to act with the urgency that the risk requires.
NCSC guidance, October 2025
313SEC helps UK small businesses find the gaps before criminals do. No jargon, no scare tactics, just a clear picture of where you are and what to fix first. Real people, UK-based in Cardiff, replying within a working day or two. Reach us however suits you.