July 15, 2026

Cyber Essentials

Ransomware now picks victims by unpatched device: the Cyber Essentials checklist that closes the gap

Ransomware now picks victims by unpatched device

New Check Point figures show UK organisations absorbing a third more cyber attacks than a year ago, and the fastest-growing ransomware group is choosing its victims by which devices are already exploitable. Jonathan Krause, founder of Forensic Control and former New Scotland Yard Hi-Tech Crime Unit investigator, explains why that makes the Cyber Essentials basics the right response.

By Jonathan Krause | Founder, Forensic Control | 15th July 2026

What Check Point’s June figures show

UK organisations faced an average of 1,589 cyber attacks a week in June 2026, a 34% rise on the same month a year earlier, which is roughly double the global rate of increase of 17%. For most people who own security at a mid-sized firm, a number like that tends to prompt a search for a new platform, when the more productive response is usually a Cyber Essentials checklist worked through against your own estate over an afternoon.

The figures come from Check Point Research, whose June threat data was reported on 13 July, and ransomware sat at the centre of it. There were 646 ransomware attacks logged for the month, up 33% year on year, and the leaderboard changed hands: a group called The Gentlemen, which did not exist eighteen months ago, overtook the long-established Qilin to become the most active operator, responsible for 17% of published attacks against Qilin’s 11%.

I have been reading these monthly numbers for years, and the headline figure is rarely the part that stays with me. What caught my attention this month was how The Gentlemen picks who to hit, because in the cases that reach us the entry point tends to be fairly mundane rather than clever, more often than not an unpatched device sitting quietly on the edge of the network.

Chosen because your device was reachable, not because you were a target

Most people picture an attacker deciding to go after their business and then hunting for a way in, but The Gentlemen tends to work the other way round. Check Point describes the group as both a ransomware-as-a-service (RaaS) operation and an initial access broker, which means it sells its affiliates ready-made entry into networks it has already broken into.

The raw material for that is a stockpile of roughly 14,000 FortiGate firewall devices the group had already compromised through a single known flaw, tracked as CVE-2024-55591, an authentication bypass in Fortinet’s firewall software. Rather than choosing a victim and then looking for a door, an affiliate simply picks a device from the pool, and the victim turns out to be whoever happens to own it.

You can see the effect in the geography, where the United States, which usually accounts for around half of ransomware victims, made up only 12% of The Gentlemen’s, because the targeting follows the devices rather than the map. For a UK firm, that means being caught not because someone decided the business was worth attacking, but because a firewall or a virtual private network (VPN) gateway happened to be reachable and unpatched.

The attack starts where Cyber Essentials starts

Here is the part that gets lost in the coverage of AI-driven crime. The Cyber Essentials scheme covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It was built around exactly this kind of attack, the one that walks in through a known weakness on an internet-facing device.

Two of those five controls do most of the work against a device-driven attacker. Patch management requires critical vulnerabilities to be fixed within 14 days of a patch being released, while secure configuration means removing default passwords and closing off services that face the internet without needing to. Certification against the Cyber Essentials scheme is, in practice, a structured way of shutting the doors The Gentlemen walks through.

I made a related argument when BT launched its AI security package for smaller firms earlier this year, that for most organisations the tooling is rarely the weak point and the fundamentals are. This month’s data is the attacker-side evidence for the same case, and what it really changes is not the advice so much as the speed at which an unpatched device now gets found.

What v3.3 already locked down

The scheme has already moved in this direction. The updated requirements known as v3.3 came into force in the UK on 27 April this year, and under them, failing to enable multi-factor authentication (MFA) on a cloud service that offers it is now an automatic assessment failure, with no partial credit and no second chance within that assessment cycle.

Edge devices sit in the same category of risk. A firewall or VPN gateway that the manufacturer no longer supports cannot be patched when the next flaw is disclosed, which is a large part of how a device ends up on a list like The Gentlemen’s. In our assessments, out-of-support hardware quietly running at the perimeter is one of the more common findings, and the owner is often surprised it is still there at all.

Your Cyber Essentials checklist for this week

You do not need to wait for an assessment to act on any of this, and the place to start is the edge of your network. List every internet-facing device you own, meaning your firewall and your VPN or remote-access gateway, whether that is a FortiGate, a SonicWall, a Cisco, or something else, then check each model against the vendor’s end-of-support list and confirm the firmware is on the current release.

From there, move to the cloud side and confirm that MFA is switched on for every user, not just administrators, across Microsoft 365, Google Workspace, and your remote-access VPN. Little of this calls for a meeting or a budget line, since an hour and a list will cover most of it, and the work maps directly onto the controls an assessor would check.

The two tells that flag a network at real risk

When we first assess an organisation, a few things tell me most of what I need to know straight away. The first is the presence of old, unpatched versions of software. The second is any ordinary user logged in to an administrator account to carry out their day-to-day work.

Unpatched software points to a lack of technical controls, or at least controls that are not working as they should. The unnecessary use of admin accounts points to something different, a lack of basic information governance and policy. When both show up together, they usually bring a good deal of other poor practice with them, and the network is at real risk.

What is a Cyber Essentials checklist and what does it cover?

A Cyber Essentials checklist works through the scheme’s five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. In practice that means confirming your internet-facing devices are supported and patched, default passwords are removed, unnecessary services are not exposed to the internet, multi-factor authentication is enabled on cloud services, and critical updates are applied within 14 days. It is the baseline UK certification for demonstrating basic cyber hygiene.

How does ransomware choose which organisations to attack?

Increasingly, it does not choose the organisation at all. Groups like The Gentlemen operate as initial access brokers, compromising large numbers of internet-facing devices through a known vulnerability, then selling affiliates self-service access to whatever they have already broken into. The victim is selected by device availability, not by name, sector, or size. An unpatched firewall or VPN gateway is what puts an organisation on the list.

What is CVE-2024-55591 and does it affect my firewall?

CVE-2024-55591 is a critical authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy software, used in FortiGate firewall devices. It allows an attacker to gain access without valid credentials. Check Point has linked it to a stockpile of roughly 14,000 pre-compromised FortiGate devices. If you run a FortiGate appliance, confirm the firmware is patched to a fixed release and that the device is still within its supported life.

Does Cyber Essentials protect against ransomware?

Cyber Essentials is a baseline, not a complete security programme, but it closes the specific gaps most ransomware attacks rely on to get in: unpatched software, exposed services, default credentials, and cloud accounts without multi-factor authentication. Because current ransomware groups select victims by which devices are exploitable, meeting the five controls removes an organisation from the pool of easy targets. Cyber Essentials Plus, which includes active vulnerability scanning, gives a higher level of assurance.

Under Cyber Essentials v3.3, is missing multi-factor authentication an automatic fail?

Yes. The v3.3 requirements came into force in the UK on 27 April 2026. From that date, failing to enable multi-factor authentication (MFA) on a cloud service that offers it is an automatic assessment failure, with no partial credit within that assessment cycle. This applies to Microsoft 365, Google Workspace, and any other cloud tool your organisation accesses with business credentials where MFA is available.

How quickly can Forensic Control get my organisation Cyber Essentials certified?

Most organisations achieve certification within a few working days of completing their self-assessment, provided they meet the five controls. We recommend a short pre-assessment review to identify gaps first, particularly out-of-support edge devices and any cloud services missing multi-factor authentication, since those are the most common reasons an assessment stalls. Contact us on 020 7664 4522 to begin.

Ready to take control of your cyber security?

Safeguard your business with our expert cyber security solutions. Whether you require digital forensics, penetration testing or proactive security assessments, our team is ready to assist. Contact us today to discuss your security needs and take the first step towards a more secure future.

Forensic Control
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.