When the attacker doesn't want a ransom
Most business continuity plans carry a quiet assumption: the attacker wants paying. If the worst happens and ransomware locks your systems, there is at least a counterparty on the other end. Someone made a demand, someone can be negotiated with, and there is a price that ends the disruption. The plan may never say this out loud, but the logic runs through it. There is a deal to be done.
A new report on the Jaguar Land Rover breach pulls that assumption out from under you. According to a New York Times story dated 26 June 2026, people close to the investigation have linked Russian hackers to the attack that hit JLR last year. The breach shut production for nearly six weeks and is estimated to have cost the British economy £1.9bn ($2.5bn), with about $350m of that falling on JLR in the 2026 financial year. Microsoft, which had been tracking the group, reportedly raised the alarm with JLR. The detail that matters for the rest of us is simpler than the geopolitics. Nobody asked for money.
An attack that looked like ransomware and wasn't
On the surface it had the shape of a ransomware incident. Systems encrypted, operations halted, the now-familiar script. But the usual second act never arrived. No demand landed, no negotiation opened, no price was ever set.
That absence is what has security people pointing at a nation state rather than a criminal gang. Cynthia Kaiser, a senior vice president at the Halcyon Ransomware Research Center and a former FBI deputy director, set out the reasons: no ransom demand, timing that landed just before a new vehicle rollout, novel ransomware with what she called a "mind-blowing" algorithm, and a Land Rover fleet with strong links to British royalty and the military. "This is the first time I can remember," she said, "where it is now highly suspected that Russia at least tacitly approved an economically destructive attack."
Pete Chronis, a former chief information security officer at Paramount, put it more plainly in a LinkedIn post. "When JLR got hacked, nobody asked for money. Sit with that. Ransomware gangs lock you up because they want a payout. Whoever hit JLR didn't want one. No demand, no negotiation. They just wanted the company on the floor. That's why Russia is in the frame, and why this reads less like crime and more like sabotage."
Attribution took a while to settle there. The group Scattered Lapsus$ Hunters initially claimed responsibility, following the Scattered Spider extortion of Marks & Spencer and the Co-op. The early read was ordinary, profit-driven crime. The thing that broke that read was the missing demand.
You are not the target, but the lesson still lands
Your business is almost certainly not a nation-state target. JLR makes cars for royalty and the military; you do not. It would be easy to file this under "interesting, not relevant" and move on.
Two parts of it are relevant anyway.
The first is blast radius. The £1.9bn figure is not JLR's loss alone. It rippled out through suppliers, dealers, and logistics that had built their week around JLR running. When a big customer or supplier goes dark for six weeks, the firms downstream wear it too, with no contract clause that covers a sabotage attack. If you sit in a supply chain, the next attack on the company above or below you is partly your problem.
The second is the assumption itself. The motive behind the JLR attack may be exotic, but the failure mode it exposes is not. An attacker who wants you down rather than paid is not a uniquely Russian invention. A disgruntled former contractor, a destructive worm with no off switch, a ransomware crew that takes your money and never sends the key: all of them leave you in the same place. There is no deal to do, and recovery is entirely on you. A continuity plan that secretly relies on a payout has no answer for any of them.
What to do this quarter
You do not need a geopolitical risk assessment. You need a continuity plan that works when nobody picks up the phone.
- Plan for no payout. Write down what you do if there is no demand to negotiate and no key coming. If the honest answer is "we would have to pay to get our data back," that is not a plan, it is a hope. The plan is the set of steps that get you trading again without the attacker's cooperation.
- Keep backups the attack cannot reach. Offline or immutable copies, held somewhere the same incident cannot encrypt or delete. A backup that lives on the network you are trying to recover is part of the blast radius, not the way out of it.
- Test the recovery time, not just the backup. Knowing a backup exists is not the same as knowing how long a full restore takes. The cost of the JLR incident was measured in weeks of lost production, not in a single locked file. Time the restore before you need it, because every day you cannot trade is the real bill.
- Have a tested first hour, not a written one. The first few minutes of an incident are about preserving your options, not rushing to fix. Knowing who calls whom, where the runbooks are, and how to stand up a clean environment is the difference between a hard week and a closed business.
- Know who you tell. A breach with personal data in it means notifying the Information Commissioner's Office, usually within 72 hours. Report the crime to Action Fraud. Decide now who makes those calls, so the decision is not being taken for the first time at 2am.
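A minimal restore drill for the "test the recovery time, not just the backup" step above. This is an added example, not Steelwise's code: every function name is hypothetical, the sample files are constructed, and `shutil.copytree` stands in for whatever your real restore tooling does. It restores into a clean scratch area, checks each file against a manifest of hashes taken at backup time, and reports elapsed time against a recovery time objective.

```python
import hashlib, shutil, tempfile, time
from pathlib import Path

def sha256(path):
    # Fine for small sample files; stream in chunks for large ones.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_manifest(source):
    """Hash every file at backup time. Keep the manifest somewhere the backup is not."""
    return {p.relative_to(source).as_posix(): sha256(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def restore_drill(backup, manifest, rto_seconds):
    """Restore into a clean scratch area, verify every file, and time the whole run."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(backup, restored)  # assumption: stand-in for the real restore step
        missing = [n for n in manifest if not (restored / n).is_file()]
        corrupted = [n for n, digest in manifest.items()
                     if n not in missing and sha256(restored / n) != digest]
    elapsed = time.monotonic() - start
    return {"seconds": elapsed, "missing": missing, "corrupted": corrupted,
            "within_rto": elapsed <= rto_seconds,
            "passed": elapsed <= rto_seconds and not missing and not corrupted}

def build_sample(root):
    """Constructed sample data: a tiny 'live' tree and a copy standing in for the backup."""
    live, backup = root / "live", root / "backup"
    (live / "orders").mkdir(parents=True)
    (live / "orders" / "2026-06.csv").write_text("id,total\n1,120.00\n")
    (live / "ledger.db").write_bytes(b"\x00constructed-ledger\x00")
    shutil.copytree(live, backup)
    return backup, make_manifest(live)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup, manifest = build_sample(Path(tmp))
        print("clean backup:  ", restore_drill(backup, manifest, rto_seconds=60))
        (backup / "ledger.db").write_bytes(b"truncated")  # silent corruption
        (backup / "orders" / "2026-06.csv").unlink()      # file that never reached the backup
        print("damaged backup:", restore_drill(backup, manifest, rto_seconds=60))
```

The damaged run shows the case a "backup exists" check misses: the copy is present and the restore completes, but the drill still fails because one file is gone and another no longer matches its recorded hash.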
The uncomfortable read here is that an attacker who wants you down is, in one narrow sense, simpler than one who wants paying. There is no negotiation to get wrong and no ransom decision to agonise over. There is only how fast you can recover on your own. That is a question worth answering before someone else asks it for you.
How Steelwise can help
Pressure-testing a continuity plan against the case where nobody wants paying, and timing the recovery before it counts, is the kind of review we do with clients. Get in touch.
Further reading
- NCSC: Mitigating malware and ransomware attacks
- NCSC: Offline backups in an online world
- Action Fraud: Reporting fraud and online crime