In the wake of a rapidly evolving ransomware campaign exploiting vulnerabilities in Microsoft’s SharePoint server software, it’s becoming increasingly evident that the era of low-impact cyberattacks is over.
The campaign, linked to the threat group dubbed Storm-2603, has now extended into ransomware deployment that is crippling networks, paralysing operations and exposing a glaring truth: basic cyber hygiene is no longer a nice-to-have. It is a mission-critical business imperative.
With at least 400 confirmed victims and more likely undiscovered, the breach has already affected key institutions, including the US Department of Homeland Security and the National Institutes of Health. This is no longer just about data theft but about operational shutdowns, regulatory chaos, reputational destruction and even national security implications. For UK businesses, this attack is more than a foreign affair. It’s a flashing red light just as the UK prepares to roll out the Cyber Security and Resilience Bill later this year.
A new threat landscape
What makes this incident so chilling isn’t just the scale, it’s the convergence of threats. State-aligned hackers, unchecked vulnerabilities in widely used enterprise tools and the silent spread of ransomware through legitimate software supply chains reveal the brittleness of modern IT infrastructure.
But there’s another threat on the horizon that businesses must confront now: What happens when the next ransomware attack isn’t from an external hacker but from your own AI systems gone rogue?
As companies adopt AI to automate everything from cyber security to customer service, the risk of accidental or malicious misuse of AI grows. AI-driven systems that are misconfigured or exploited could become vectors for ransomware or data leakage. And unlike human hackers, an AI gone rogue doesn’t need rest, money or motivation. It just needs access.
Why the UK’s Cyber Security and Resilience Bill matters
The UK’s draft Cyber Security and Resilience Bill, expected to be published after this summer, aims to enforce tougher obligations on companies to secure their digital infrastructure with a specific focus on critical service providers and businesses handling sensitive data. It’s a direct response to escalating threats like Storm-2603’s campaign.
Key aspects expected to be covered include:
- Mandatory incident reporting and vulnerability disclosures
- Cyber resilience frameworks embedded into procurement
- Regulatory consequences for unpatched systems and misconfigured tools
- Security requirements for AI-enabled platforms
This development is an essential shift from reactive security to security by design. The days of “patch-and-pray” are over. Compliance must now include continuous system monitoring, AI risk assessments and scenario-based resilience testing.
How companies can respond now
This ransomware surge offers a moment of reckoning for UK businesses. What key actions can organisations take now?
- Move beyond routine patching
The Storm-2603 campaign exploited SharePoint vulnerabilities for which Microsoft’s initial fix was incomplete, so attackers were active before a full patch existed. The lesson is to treat software patching not as routine maintenance but as a critical safety measure, akin to the fire suppression system in a building: apply vendor fixes as soon as they ship, watch for follow-up advisories when an initial fix proves incomplete, and verify that the update has actually landed on every exposed system. Patch management must become as non-negotiable as financial audits.
- Simulate ransomware before it’s real
Run proactive ransomware simulations. Implement exercises that go beyond IT teams and involve legal, compliance and board-level executives. Knowing how your organisation would respond before a breach hits can be the difference between resilience and ruin.
- Invest in AI-enhanced breach detection
Relying solely on traditional perimeter defences is no longer effective. Behavioural analytics and AI-powered anomaly detection tools can identify unusual activity, such as lateral movement within your network, before ransomware is deployed.
- Embed cyber hygiene into corporate culture
Too many organisations still treat phishing simulations and training as tick-box exercises. This crisis proves that awareness is a life-or-death business issue. Cyber hygiene needs the same internal attention and governance as bribery, fraud, and financial compliance.
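The “AI-enhanced breach detection” item above mentions spotting lateral movement through behavioural analytics. As an added example (not code from the original article, and not any vendor’s product), here is a minimal behavioural detector: it learns, per user, how many distinct hosts that user normally authenticates to within a short window, then flags live bursts that exceed the baseline by a tolerance. The event format (`ts`, `user`, `dst`), the window and tolerance values, and the sample events are all assumptions constructed for the illustration; a real deployment would feed Windows logon events, SSH logs or EDR telemetry instead.

```python
"""Added example, not code from the original article: a minimal behavioural
detector for lateral movement. Event format, thresholds and sample data are
assumptions made for this illustration; the events below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW = 600   # seconds: sliding window over which distinct hosts are counted
TOLERANCE = 2  # hosts above the learned baseline before an alert fires


@dataclass(frozen=True)
class Alert:
    user: str
    ts: int
    distinct_hosts: int
    baseline: int
    hosts: tuple


def _distinct_hosts_stream(events, window=WINDOW):
    """Yield (user, ts, hosts) per event, where hosts is the set of distinct
    destination hosts that user reached within the trailing window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        recent = deque()            # events still inside the window
        counts = defaultdict(int)   # destination host -> occurrences in window
        for e in evs:
            recent.append(e)
            counts[e["dst"]] += 1
            while e["ts"] - recent[0]["ts"] > window:   # evict stale events
                old = recent.popleft()
                counts[old["dst"]] -= 1
                if counts[old["dst"]] == 0:
                    del counts[old["dst"]]
            yield user, e["ts"], frozenset(counts)


def baseline_per_user(history, window=WINDOW):
    """Learn from historical events the most distinct hosts each user
    normally reaches inside one window: the behavioural baseline."""
    baseline = defaultdict(int)
    for user, _ts, hosts in _distinct_hosts_stream(history, window):
        baseline[user] = max(baseline[user], len(hosts))
    return dict(baseline)


def detect_lateral_movement(live, baseline, window=WINDOW, tolerance=TOLERANCE):
    """Return one Alert per burst in which a user exceeds baseline + tolerance
    distinct hosts inside the window. Users without history get a baseline
    of 1. A burst alerts once and re-arms only after the count drops back."""
    alerts = []
    armed = defaultdict(lambda: True)
    for user, ts, hosts in _distinct_hosts_stream(live, window):
        user_baseline = baseline.get(user, 1)
        threshold = user_baseline + tolerance
        if len(hosts) > threshold and armed[user]:
            alerts.append(Alert(user, ts, len(hosts), user_baseline,
                                tuple(sorted(hosts))))
            armed[user] = False
        elif len(hosts) <= threshold:
            armed[user] = True
    return alerts


# Constructed history: alice normally touches two hosts close together,
# svc_backup three, bob one.
HISTORY = [
    {"ts": 0,     "user": "alice",      "dst": "fs01"},
    {"ts": 100,   "user": "alice",      "dst": "mail01"},
    {"ts": 3600,  "user": "alice",      "dst": "fs01"},
    {"ts": 7200,  "user": "alice",      "dst": "mail01"},
    {"ts": 0,     "user": "svc_backup", "dst": "fs01"},
    {"ts": 60,    "user": "svc_backup", "dst": "db01"},
    {"ts": 120,   "user": "svc_backup", "dst": "web01"},
    {"ts": 86400, "user": "svc_backup", "dst": "fs01"},
    {"ts": 0,     "user": "bob",        "dst": "fs01"},
]

# Constructed live events: alice's account suddenly fans out across six hosts
# in five minutes (the shape of a compromised account staging deployment),
# while bob and svc_backup stay within their normal pattern.
LIVE = [
    {"ts": 1000, "user": "alice",      "dst": "fs01"},
    {"ts": 1030, "user": "alice",      "dst": "dc01"},
    {"ts": 1090, "user": "alice",      "dst": "web01"},
    {"ts": 1140, "user": "alice",      "dst": "db01"},
    {"ts": 1200, "user": "alice",      "dst": "hr01"},
    {"ts": 1260, "user": "alice",      "dst": "fin01"},
    {"ts": 1000, "user": "bob",        "dst": "fs01"},
    {"ts": 1100, "user": "bob",        "dst": "mail01"},
    {"ts": 1000, "user": "svc_backup", "dst": "fs01"},
    {"ts": 1060, "user": "svc_backup", "dst": "db01"},
    {"ts": 1120, "user": "svc_backup", "dst": "web01"},
]


def run_example():
    """Learn the baseline from HISTORY and evaluate LIVE against it."""
    return detect_lateral_movement(LIVE, baseline_per_user(HISTORY))


if __name__ == "__main__":
    for a in run_example():
        print(f"ALERT {a.user} at t={a.ts}: {a.distinct_hosts} hosts "
              f"(baseline {a.baseline}): {', '.join(a.hosts)}")
```

Only alice trips the detector, at the fifth distinct host, because her learned baseline is two hosts and the tolerance is two; svc_backup, which legitimately reaches three hosts in a burst, is not flagged because its baseline is learned separately. That per-entity baseline is the whole point of behavioural detection: a fixed global threshold would either miss alice or drown the team in alerts about backup accounts.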
A public health approach to cyber security?
This moment also invites a broader reimagining of how we think about cyber security. Vulnerabilities in widely used software affect thousands of organisations, often without their knowledge, just as a virus spreads undetected. Regulators should:
- treat major software vulnerabilities as public health hazards
- create a national registry of high-risk software dependencies
- encourage or require real-time vulnerability disclosure sharing across sectors
As businesses struggle to keep pace with emerging threats, Vinciworks is here to help organisations not just react but lead. Our cyber security training is designed for a world where compliance, IT and AI strategies must work together. With engaging e-learning and interactive modules, we help staff stay compliant, reduce risk and meet regulatory obligations across all industries. Try it here.