KNP, a 158-year-old Northamptonshire-based transport company operating under the brand *Knights of Old*, collapsed after a ransomware attack by the *Akira* gang. Hackers exploited a weak employee password to infiltrate the system, encrypt all critical business data, and lock internal operations. The attackers demanded an estimated £5 million ransom, which KNP could not afford. With no access to essential data—including logistics, customer records, and financial systems—the company ceased operations entirely, resulting in the loss of **700 jobs** and the permanent shutdown of a once-thriving business. Despite having cyber insurance and claiming compliance with industry IT standards, the attack rendered KNP irrecoverable. The incident underscores the devastating impact of ransomware on SMEs, where a single security lapse can lead to total organizational failure. The UK’s National Cyber Security Centre (NCSC) later highlighted the case as an example of how ransomware gangs exploit 'bad days' in corporate defenses, with no data recovery possible even after the attack.
Source: https://www.bbc.com/news/articles/cx2gx28815wo
TPRM report: https://www.rankiteo.com/company/knp-litho
"id": "knp816090225",
"linkid": "knp-litho",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': 'Transportation and Logistics',
'location': 'Northamptonshire, UK',
'name': 'KNP Logistics (Knights of Old)',
'size': '500 lorries, 700 employees',
'type': 'Transport/Logistics Company'},
{'customers_affected': '6.5 million members (data '
'stolen)',
'industry': 'Retail',
'location': 'UK',
'name': 'Co-op',
'type': 'Retailer'},
{'customers_affected': 'Customer data stolen, delivery '
'disruptions',
'industry': 'Retail',
'location': 'UK',
'name': 'M&S (Marks & Spencer)',
'type': 'Retailer'},
{'industry': 'Retail',
'location': 'UK',
'name': 'Harrods',
'type': 'Luxury Department Store'}],
'attack_vector': ['Weak/Compromised Password',
'Social Engineering (Blagging/Tricking IT Helpdesk - in '
'case of M&S)'],
'data_breach': {'data_encryption': 'Yes (full system encryption)',
'data_exfiltration': 'Likely (standard ransomware tactic, '
'though not explicitly confirmed)',
'file_types_exposed': 'All operational files',
'number_of_records_exposed': 'All (entire system encrypted)',
'personally_identifiable_information': 'Unknown (not '
'specified for KNP; '
'confirmed for Co-op: '
'6.5M members)',
'sensitivity_of_data': 'High (operational and customer data)',
'type_of_data_compromised': 'All company operational data'},
'date_publicly_disclosed': '2025-07-21',
'description': 'A ransomware attack by the Akira gang exploited a weak '
"employee password to encrypt KNP Logistics' data, leading to "
"the company's collapse and 700 job losses. The attack locked "
'internal systems, with hackers demanding an estimated £5M '
'ransom, which KNP could not pay. The incident highlights the '
'growing threat of ransomware in the UK, with the NCSC and NCA '
'emphasizing the need for improved cybersecurity measures. '
'Other major UK companies, including M&S, Co-op, and Harrods, '
'have also been targeted in recent months.',
'impact': {'brand_reputation_impact': 'Severe (158-year-old company '
'destroyed)',
'data_compromised': 'All company data encrypted and lost',
'downtime': 'Permanent (company went under)',
'financial_loss': 'Company collapse (estimated £5M ransom demand, '
'actual loss likely higher)',
'operational_impact': 'Complete operational halt, 500 lorries '
'(Knights of Old brand) grounded, 700 '
'employees laid off',
'revenue_loss': 'Total (company ceased operations)',
'systems_affected': 'Entire internal infrastructure (fully or '
'partially dead)'},
'initial_access_broker': {'entry_point': 'Compromised employee password '
'(guessed by attackers)',
'high_value_targets': 'Entire company data'},
'investigation_status': 'Closed (company collapsed; NCSC/NCA ongoing broader '
'ransomware investigations)',
'lessons_learned': ['Weak passwords can lead to catastrophic outcomes, even '
'for compliant companies.',
"Ransomware gangs exploit 'bad days' in organizations "
'with minimal effort (e.g., password guessing).',
'Cyber insurance may not cover existential threats like '
'total data loss.',
'Lack of mandatory reporting hinders national response '
'efforts.',
'Paying ransoms fuels further attacks (per NCA and NCSC '
'warnings).'],
'motivation': 'Financial gain (ransom demand)',
'post_incident_analysis': {'corrective_actions': ["Proposed 'cyber-MOT' "
'certification for '
'businesses (by Paul '
'Abbott).',
'NCSC/NCA advocating for '
'stricter cybersecurity '
'standards and ransom '
'payment bans.'],
'root_causes': ['Single weak password as the sole '
'point of failure.',
'Inadequate backup/recovery '
'mechanisms.',
'Over-reliance on cyber insurance '
'without existential-threat '
'preparedness.']},
'ransomware': {'data_encryption': 'Yes (full system)',
'data_exfiltration': 'Unconfirmed (but typical for Akira gang)',
'ransom_demanded': '£5M (estimated)',
'ransom_paid': 'No (company could not afford it)',
'ransomware_strain': 'Akira'},
'recommendations': ['Implement multi-factor authentication (MFA) and strict '
'password policies.',
"Conduct regular 'cyber-MOT' audits to prove up-to-date "
'IT protections (proposed by Paul Abbott).',
'Mandatory reporting of ransomware attacks to '
'authorities.',
'Government restrictions on ransom payments (public and '
'private sectors).',
'Invest in offline/immutable backups to enable recovery '
'without paying ransoms.',
'Train employees on social engineering tactics (e.g., IT '
'helpdesk blagging).'],
'references': [{'date_accessed': '2025-07-21', 'source': 'BBC Panorama'},
{'source': 'National Cyber Security Centre (NCSC)'},
{'source': 'National Crime Agency (NCA)'},
{'source': 'UK Parliament Joint Committee on National Security '
'Strategy (December 2023)'},
{'source': 'National Audit Office (2024 report)'}],
'response': {'communication_strategy': 'Post-incident warnings by CEO (Paul '
'Abbott) to other businesses',
'containment_measures': 'None successful (data fully encrypted)',
'incident_response_plan_activated': 'Yes (but ineffective due to '
'total data loss)',
'law_enforcement_notified': 'Yes (NCSC and NCA involved)',
'recovery_measures': 'None (no backups or recovery possible)',
'remediation_measures': 'None (company collapsed)',
'third_party_assistance': ['Ransomware negotiation firm '
'(estimated £5M demand)',
'NCSC (post-incident analysis)']},
'stakeholder_advisories': 'Paul Abbott (KNP) now gives cybersecurity warning '
'talks to businesses.',
'threat_actor': 'Akira Ransomware Gang',
'title': 'Ransomware Attack on KNP Logistics Leads to Company Collapse',
'type': ['Ransomware', 'Data Breach', 'Business Disruption'],
'vulnerability_exploited': 'Weak password policy (single compromised '
'password)'}