One Password, 700 Jobs: How Cheap Security Killed a 158-Year-Old British Business
KNP Logistics Group, trading as Knights of Old, was founded in 1865. It ran over 500 trucks across the United Kingdom and employed around 700 people. In terms of British freight transport, it was a landmark business. A century and a half of recessions, wars, oil crises, industrial strikes, and two pandemics had not ended it.
A guessed password did.
In June 2023, the Akira ransomware group gained access to KNP’s systems by brute-forcing a single employee account. Multi-factor authentication was not in place. The attackers encrypted the company’s critical data, targeted and wiped the local backups, and demanded a ransom estimated at around £5 million. KNP could not pay. It had cyber insurance, but the scale of the compromise was total: servers, endpoints, backups, disaster recovery systems. The insurer’s own crisis response team described it as a worst-case scenario.
On 25 September 2023, after three months of paralysis and recovery attempts, KNP entered administration. Around 700 people were made redundant. The business that had operated since the Victorian era was gone.
This is a case study of the cheap security decision. Not the zero-day vulnerability. Not the nation-state actor. The guessed password and the absent MFA.
What actually happened, in sequence
The Akira ransomware group emerged in March 2023 and, by the time of the KNP attack, had extorted over $42 million globally across more than 250 organisations. Their attack methodology is well-documented: credential-based entry through internet-facing systems without MFA, followed by lateral movement, privilege escalation, and then simultaneous encryption and backup destruction to maximise the pressure on the victim.
At KNP, the entry point was a VPN or remote access credential. Paul Abbott, the company director, confirmed publicly that hackers likely guessed an employee’s password. Cybersecurity researchers at Sophos later documented the typical Akira chain: compromised credentials used to gain a foothold, followed in some cases by exploitation of CVE-2024-40711 in Veeam Backup and Replication to destroy recovery capability.
The critical failure was the absence of MFA on internet-facing access. With MFA enforced, a guessed password is not a breach. It is a failed login attempt. The attacker needed the second factor, which they did not have, and the session would not have been granted. That one control, requiring a second form of authentication, is the single most effective defence against credential-based attacks. The NCSC has described it as one of the highest-value controls available. In Microsoft 365, it requires a conditional access policy and costs nothing in additional licensing for most business plans.
KNP had antivirus. Firewalls. Backup procedures. Monitoring tools. According to the BBC reporting on the collapse, the company’s security was described as in line with industry standards. That observation is important. It is a description of the minimum that many IT providers deliver. It is also a description of the minimum that the Akira group routinely defeats.
The £5 million ransom and the insurance that did not cover it
KNP paid, or attempted to pay, a ransom. Reports vary on the final sum and the outcome, but multiple sources confirm a demand of approximately £5 million and that, in the chaos of the incident, recovery from the ransom payment was not achieved. The backups were either encrypted or inaccessible, leaving the company with no viable path to resuming operations.
The cyber insurance, which KNP held, was not sufficient to cover the losses or enable a full recovery. The specific circumstances of the claim are not public. What is public is the outcome: a company with cyber insurance, which most small business guidance would describe as a safety net, ceased trading within three months.
This is not unusual. The Association of British Insurers reported £197 million in cyber claims paid in 2024, a 230% year-on-year rise. Industry analysis consistently highlights that around one in four UK cyber claims are now declined, most commonly for failures to meet basic control requirements. Missing MFA is the standard first check.
Whether KNP’s claim was declined, paid in part, or simply insufficient relative to the scale of the loss, the outcome illustrates the same underlying problem: cyber insurance is not a substitute for controls. It is a risk transfer mechanism that fails the moment the controls it assumes were in place are found to be absent.
The human dimension that Paul Abbott did not let the story avoid
There is a detail in the BBC reporting on the collapse that most case study write-ups move past quickly. Paul Abbott, the company director, said he has not told the employee whose password was guessed.
“Would you want to know if it was you?” he asked.
That framing sits at the centre of what cheap security actually costs, beyond the financial figures. An employee came to work, did their job, used a password they believed was acceptable, and inadvertently became the entry point for an attack that destroyed their employer and ended 700 careers. Nobody at KNP failed deliberately. Somebody failed on behalf of the organisation, because the organisation had not put the control in place that would have made the individual failure irrelevant.
MFA enforcement is not about trusting employees more or less. It is about removing the dependency on individual password hygiene by adding a second factor that a guessed or stolen password cannot satisfy. It makes the failure safe. Without it, the individual becomes the entire last line of defence, and a 700-job company rests on whether one person chose a strong password.
What the cost-benefit actually looked like
KNP was not a small startup. It had £100 million in annual revenue. It had 500 lorries and a management team with a century and a half of operational knowledge.
The controls most likely to have changed the outcome of the June 2023 attack were not exotic. MFA enforcement on remote access and VPN is achievable through Microsoft 365 conditional access policies at no additional licensing cost on most business plans, requiring an afternoon of configuration and testing. A competent IT provider will do it as a standard service. Endpoint detection and response, which detects behavioural anomalies consistent with ransomware execution rather than waiting for a signature match, runs at approximately £5 per endpoint per month for a business of KNP’s size. Immutable or air-gapped offsite backup, which the attackers would not have been able to destroy alongside the local copies, costs a few pounds per endpoint per month in cloud storage and backup agent licensing.
For a business of KNP’s scale, the annual cost of those three controls, properly implemented and verified, would have been a small fraction of revenue, a negligible fraction of the £5 million ransom demand, and a tiny fraction of the operational losses from three months of paralysis.
The company, by the evidence available, paid for industry-standard IT. It did not pay for security-first IT. The gap between those two descriptions cost 700 jobs and 158 years of business history.
The M&S comparison
KNP is not the only reference point. More recently, in spring 2025, Marks and Spencer disclosed a ransomware incident caused by the DragonForce group, involving compromised credentials used to access systems through a social engineering attack on the service desk. M&S disclosed it would make a maximum £100 million insurance claim. The Co-op, also hit in April 2025, confirmed it lacked comprehensive cyber cover and would receive no meaningful insurance support. Harrods also disclosed a cyber incident in the same period.
The pattern across these incidents is not technical sophistication. It is credential abuse, absent or bypassed MFA, and the downstream consequence of treating cyber security as an IT cost rather than a business continuity requirement. The difference between a company that absorbs a major incident and one that does not is, in almost every documented case, the quality of the controls that were in place before the attacker arrived.
How to Turn This Into a Competitive Advantage
KNP’s story is genuinely shocking, and it is genuinely ordinary at the same time. Most of the businesses that fail after a ransomware event had IT that looked fine from the outside. They had antivirus, firewalls, and a contract with a managed IT provider. They had cyber insurance. They had, by the standards of what most UK SMBs buy, standard provision.
The competitive advantage is in the gap between standard provision and security-first provision. If you can document that your controls go beyond the standard, that MFA is enforced and evidenced, that EDR is deployed and monitored, that your backups are tested and offsite, you are describing something that most of your competitors cannot. In regulated sectors and serious B2B tendering, that documentation is increasingly the difference.
You do not need the KNP story to happen to you. You need it to happen to a competitor and for your clients to ask the question that follows, and for you to have a better answer.
How to Sell This to Your Board
KNP is a board-level argument because it removes the abstraction entirely.
158 years. £100 million in revenue. 500 lorries. Industry-standard IT. Gone in three months because of one guessed password and one absent control that costs less than a business lunch per month per endpoint.
The board’s job is continuity. The question the KNP case raises is not whether a ransomware attack could affect this business. It is whether the controls in place would make the attack survivable. If the answer is uncertain, the board has a governance obligation to find out.
The Cyber Governance Code of Practice, published by the Cabinet Office in April 2025, formalises that obligation. This is not an optional conversation.
What This Means for Your Business
Five actions, in order of priority.
- Enforce MFA on every internet-facing system today. Email, remote access, VPN, cloud services. Not available. Enforced. In Microsoft 365, this means conditional access policies with baseline access controls for all users.
- Verify your backups are offsite and tested. If the attacker can reach your backup systems from the same network they compromised, your backups are not backups. They are additional encrypted data. An immutable offsite or cloud-based backup, with a documented and tested restore procedure, changes the recovery calculation entirely.
- Ask your IT provider whether you have EDR. Not antivirus. EDR. Behavioural detection. If the answer is no, ask for a quote to add it. At £5 per endpoint per month, the conversation should be quick.
- Put your cyber insurance policy next to your IT contract and identify every control the policy requires. Ask your provider in writing whether each one is being met. If there are gaps, close them before renewal.
- Brief the leadership team on what a ransomware event looks like operationally. Not technically. Operationally. What can the business do on day one with no access to email, files, accounting software, or CRM? That scenario planning exercise is more valuable than any vendor demo.
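The difference between MFA being "available" and "enforced", and the earlier point that with MFA a guessed password is only a failed login attempt, can be checked against sign-in records. The sketch below is an added example, not part of the original article or of any vendor's tooling. The log format, account names, documentation-range IP addresses and the failure threshold are all assumptions, and a real VPN or identity provider export will need its own field mapping.

```python
import csv
from collections import defaultdict

# Constructed sample events, not real incident data. Columns:
# timestamp, account, source_ip, password_result, second_factor (pass/fail/none)
SAMPLE_LOG = "\n".join(
    [f"2023-06-01T02:10:{s:02d}Z,j.smith,203.0.113.7,fail,none" for s in range(6)]
    + ["2023-06-01T02:10:09Z,j.smith,203.0.113.7,ok,none"]
    + [f"2023-06-01T03:30:{s:02d}Z,m.patel,198.51.100.9,fail,none" for s in range(5)]
    + ["2023-06-01T03:30:08Z,m.patel,198.51.100.9,ok,fail",
       "2023-06-01T08:01:00Z,a.jones,192.0.2.10,fail,none",
       "2023-06-01T08:01:20Z,a.jones,192.0.2.10,ok,pass",
       "2023-06-01T08:05:00Z,r.lee,192.0.2.11,ok,none"]
)

FIELDS = ["ts", "account", "ip", "password", "mfa"]

def audit_signins(log_text, threshold=5):
    """Return accounts lacking enforced MFA and guess-then-login sequences."""
    failures = defaultdict(int)  # consecutive bad passwords per account
    report = {"single_factor": set(), "suspected_guess": [], "stopped_by_mfa": []}
    for ev in csv.DictReader(log_text.splitlines(), fieldnames=FIELDS):
        acct = ev["account"]
        if ev["password"] != "ok":
            failures[acct] += 1
            continue
        # Password accepted: take the failure streak that preceded it, then reset.
        streak, failures[acct] = failures[acct], 0
        if ev["mfa"] == "pass":
            continue  # normal two-factor sign-in
        if ev["mfa"] == "none":
            # Session granted on the password alone: MFA is not enforced here.
            report["single_factor"].add(acct)
            if streak >= threshold:
                report["suspected_guess"].append((acct, ev["ip"], streak))
        elif streak >= threshold:
            # Correct password after a failure streak, but second factor denied.
            report["stopped_by_mfa"].append((acct, ev["ip"], streak))
    return report

if __name__ == "__main__":
    for key, value in audit_signins(SAMPLE_LOG).items():
        print(key, sorted(value))
```

Any account in `single_factor` is evidence that enforcement has a gap, regardless of whether an attack has occurred. Entries in `stopped_by_mfa` still mean the password is known to someone else and should be reset.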
KNP Logistics did not die because of a sophisticated attack. It died because of a basic control gap and a recovery plan that proved insufficient under pressure.
Both are fixable. The time to fix them is not after the event.
Sources
| Source | Article |
|---|---|
| BBC | KNP Logistics cyber attack: company collapse and job losses |
| Sophos | The State of Ransomware 2024 |
| NCSC | Multi-factor authentication for online services |
| NCSC | Offline backups in an online world |
| Association of British Insurers | Nearly £200 million paid in cyber claims to help UK businesses recover |
| DSIT | Cyber Security Breaches Survey 2025 |
| Weightmans | How ransomware crippled KNP Logistics Group |
| Specops | How one weak password destroyed KNP: lessons in password neglect |
| Cabinet Office | Cyber Governance Code of Practice |
| The Small Business Cyber Security Guy | Cheap IT, Expensive Breach: The Bargain That Bankrupts UK Small Businesses |