Proactive ransomware defence

Ben Lister at NetSPI argues that ransomware defence starts with Breach and Attack Simulation
The recent wave of ransomware attacks targeting UK businesses, including Marks & Spencer, Adidas, and Co-op, highlights just how damaging and opportunistic these threats can be.
For Marks & Spencer alone, the incident is projected to result in a £300 million loss in operating profit, has wiped over £1 billion from its market valuation, and disrupted online operations for seven weeks. Beyond the financial fallout, the breach also severely impacted customer trust due to exposed personal data.
What stands out is the simplicity of the methods used. In Marks & Spencer’s case, the compromise likely stemmed from social engineering of a third-party vendor, underscoring that cyber-criminals often rely on basic, low-tech techniques to gain access. All it takes is a single vulnerability to open the door.
This surge in ransomware activity isn’t confined to high-profile names. The 2025 Cyber Security Breaches Survey reveals that ransomware attacks have doubled year-on-year since 2024.
In light of this, security teams must move beyond reactive measures and embrace proactive strategies. Breach and Attack Simulation (BAS) offers a vital defence by continuously testing security environments against the very same methods used by attackers, exposing weaknesses before they can be exploited.
What is Breach and Attack Simulation?

BAS is a cyber-security technology that safely simulates a wide range of real-world cyber-attacks to test an organisation’s resilience on a continuous, and often automated, basis. It replicates threats across all stages of the cyber kill chain: phishing, malware delivery, lateral movement, and data exfiltration. These simulations test whether security controls are properly configured and functioning as intended.
Unlike traditional, point-in-time tests, BAS offers the flexibility of both on-demand and automated testing. This allows security teams to monitor their security posture in real-time, identify gaps as they appear, and adapt quickly to emerging threats and changing environments.
Most commonly, BAS is used to detect security tool misconfigurations or weaknesses that attackers could exploit to gain unauthorised access. These insights should be shared with key stakeholders to facilitate more informed decisions and proactive remediation. As such, BAS is becoming an essential component of modern cyber-security strategies, empowering organisations to validate, not assume, the strength of their defences.
Why BAS outperforms traditional testing

Penetration testing and red teaming remain critical for assessing defences against targeted, complex threats like advanced persistent threats (APTs) or insider compromise. However, ransomware actors don’t typically operate with stealth or sophistication – they exploit routine missteps and common vulnerabilities.
These types of operational gaps often fall outside the scope of traditional testing, especially when exercises are run only once or twice a year. The risk? A new misconfiguration introduced post-assessment could sit undetected for months, long enough for an attacker to exploit it.
BAS addresses this blind spot by offering on-demand and continuous testing. It automates the safe simulation of real-world attack techniques across the cyber kill chain, so that weak spots are exposed as they emerge. For CISOs, this means fewer surprises and faster remediation, with security controls tested against the actual tactics ransomware actors are using today.
By integrating BAS into the defensive tech stack, organisations shift from point-in-time confidence to ongoing assurance that their environment is resilient, responsive, and ready to defend.
Maximising the impact of BAS

While BAS is a powerful addition to the defensive stack, it works best when organisations understand its scope and use it in conjunction with other security measures. The flexibility of BAS testing is designed to continuously simulate known attack techniques and behaviours at scale, making it ideal for validating existing controls and surfacing misconfigurations. However, like any tool, its effectiveness depends on how it’s implemented and integrated.
BAS isn’t designed to replace traditional, human-led testing such as red teaming; it complements these efforts by running continuously, providing real-time insights between manual assessments and helping teams maintain a high level of readiness.
To get the most out of BAS, tuning and prioritisation are essential. Well-configured BAS platforms help teams focus on what matters most, reducing noise and enabling faster remediation of genuinely impactful findings.
As BAS technology evolves, its breadth of simulations and ease of integration are expanding rapidly. The value lies not just in what it tests today, but in how it enables teams to build a more agile, responsive approach to continuous control validation.
Resilience necessitates a shift in mindset

When it comes to ransomware prevention, it is about having the right tools at every level. Most ransomware actors follow well-worn playbooks, enabled by the rise of ransomware-as-a-service (RaaS), which lowers the barrier to entry and makes attacks more frequent, not necessarily more advanced. This means that the basics are more important than ever: tested backups, endpoint visibility, staff training, and detection of the common tactics used by ransomware actors should all be foundational.
True resilience comes from shifting the organisational mindset, from reactive fixes to proactive simulation. That means proactively simulating attacker behaviour, routinely testing recovery processes, and understanding how and where ransomware threats are likely to emerge.
Turning the tables on ransomware

With ransomware threats escalating and the consequences ranging from financial damage to long-term reputational harm, BAS emerges as a critical tool for confronting the real-world tactics cyber-criminals rely on most.
The Marks & Spencer incident is a powerful illustration of the stakes involved. In 2025, UK businesses must accept that ransomware attacks are a matter of when, not if. The real question is: who will find the weaknesses first – your security team, or the attackers? BAS helps ensure it’s the defenders who get there ahead of time.
Ben Lister is Head of Threat Research at NetSPI