RANSOMWARE
ExtraHop research reveals a third of UK organisations wake up to ransomware too late
ExtraHop, a leader in modern network detection and response (NDR), has unveiled new research showing the extent of cybersecurity failure in UK organisations.
Attackers are gaining extended, undetected access to enterprise systems – often only discovered once significant damage is already underway, leaving many wide open to ransomware – a threat seen at several well-publicised UK incidents this year.
Late detection has catastrophic impacts
The 2025 ExtraHop Global Threat Landscape Report stresses critical weaknesses in UK enterprise security strategies: visibility gaps that allow ransomware groups to remain undetected and move laterally across enterprise networks.
This means ransomware entry points have evolved beyond crude brute-force techniques to highly sophisticated social engineering campaigns, noted as the most common initial point of entry for attackers. This shift, which bypasses perimeter controls, makes early-stage detection, before significant costs have been accrued, much harder.
The effects are readily apparent. Only half of organisations (50.6%) targeted by ransomware incidents in the last 12 months detected an attack during the reconnaissance or initial access phases.
“The longer attackers dwell inside a network, they can gather intelligence and time an attack to maximise disruption and capitalise on higher ransom demands,” said Raja Mukerji, Chief Scientist and Co-Founder, ExtraHop.
“UK organisations need to quickly spot unusual behaviours at the network level before intrusions escalate to full-scale ransomware events. Without speed behind detecting ransomware, organisations can be susceptible to expensive damages and downtime like we’ve seen at a number of enterprises this past year.”
Closing down ‘Attacker advantage’
When asked how long threat actors had access to systems prior to ransomware incidents, the average time cited by IT and security decision makers was 9.5 days – rising to over 2 weeks in the manufacturing sector and 10.6 weeks in the UK Government. These extended infiltration windows were attributable to a range of reasons, with 41% of organisations pointing to limited visibility as their biggest challenge to timely response to security threats. Many also cited overwhelming alert volumes, understaffed SOC teams and fragmented tools as additional challenges.
Identification, not prevention
ExtraHop’s research indicates prevention alone is insufficient – detection both before and after an attack is essential to gain confidence that damage is limited. Once attackers bypass the first line of defence they can remain hidden for weeks, mapping the network to escalate privileges, exfiltrate data and deploy malware.
Almost half of UK organisations (45.8%) report that it takes them a week or more to respond to and contain a security alert. Without continuous monitoring and response systems, security teams are blind to early warning signs, delaying response to timely security events.
Together, these factors make it easier for ransomware groups such as Ransomhub, Scattered Spider and LockBit to remain undetected and harder for security leaders to respond before damage is done.
WWW.INTELLIGENTCISO.COM