Incident Report: Knights of Old Ransomware Attack (2023)
- Avraham Cohen
Introduction
In mid-2023, Knights of Old – a historic UK logistics and haulage firm – suffered a catastrophic cyberattack that ultimately led to the company’s collapse after 158 years of operation.
This report provides a technical and strategic analysis of the incident, detailing the threat actor involved, how the attack unfolded, the tactics used by the adversaries, the impact on the organization’s infrastructure and business, the incident response actions taken, and the lessons learned.
The goal is to inform cybersecurity professionals (CISOs, SOC analysts, threat intel teams) about the key takeaways and recommendations from this case.
Threat Actor Profile: Akira Ransomware Group
Attribution: The attack on Knights of Old has been attributed to the Akira ransomware gang, a Russia-linked cybercriminal group.
Akira first emerged around March 2023 and operates a ransomware-as-a-service (RaaS) model, enabling affiliates to carry out attacks in exchange for a profit share.
The group is known for targeting organizations in North America and Europe, primarily small and mid-sized enterprises, though it has hit some larger entities as well.
Notable victims attributed to Akira include manufacturing and education institutions like Nissan Canada, Stanford University, and Yamaha Motor Co., among others.
Motivation and Behavior: Akira is financially motivated, specializing in double-extortion ransomware attacks.
In a double-extortion scenario, the attackers not only encrypt the victim’s files to disrupt operations, but also steal sensitive data and threaten to publish it unless a ransom is paid.
Akira maintains a dark web “leak site” where they list victim companies and post stolen data if victims refuse to pay. This tactic increases pressure on organizations to meet ransom demands due to the added threat of data breaches and reputational damage.
Tactics and Tools: The Akira gang’s ransomware (named “Akira”) initially was a Windows executable (written in C++) appending a “.akira” extension to encrypted files.
By mid-2023, they had also developed a Linux/VMware ESXi variant to target virtual infrastructure.
Later in 2023, they experimented with a Rust-based encryptor (codenamed “Megazord”) for certain attacks, showing adaptability in their tooling.
Akira’s playbook is similar to other ransomware groups: they seek to gain initial access stealthily, escalate privileges, map out and exfiltrate data from the network, then deploy the ransomware widely.
The group is known to leave a distinctive ransom note on infected machines, often written in a blunt or taunting tone.
In the Knights of Old incident, the message left on company systems included a stark warning: “If you’re reading this, it means the internal infrastructure of your company is fully or partially dead.”
This was followed by instructions to begin a “constructive dialogue” with the attackers – a hallmark of Akira’s negotiation style, which mixes intimidation with an invitation to talk.
Operations and Impact: By late 2024, Akira had compromised over 350 organizations worldwide and reportedly extorted at least $40 million USD in ransom payments.
The group tends to focus on organizations that may lack advanced cybersecurity defenses, making legacy companies like Knights of Old an attractive target.
Investigations by law enforcement and threat intelligence teams have tied Akira to known Russian cybercrime circles, though individual operators often remain anonymous.
There is no indication that Akira is nation-state sponsored; rather, it’s a financially driven criminal enterprise.
The attack on Knights of Old exemplifies Akira’s modus operandi and destructive potential when an organization is unprepared.
Attack Timeline and Entry Vectors
Overview: The breach and eventual ransomware deployment unfolded over roughly two months in the summer of 2023. Below is a timeline of key events and the attackers’ entry points into the Knights of Old (KNP Logistics Group) network:
June 26, 2023: Threat actors infiltrated Knights of Old’s internal network, gaining initial access using stolen login credentials. It is suspected that the attackers obtained a valid username/password (likely through prior data breaches or an infostealer malware) and leveraged it to log into the company’s VPN or remote access system. Notably, multi-factor authentication (MFA) was reportedly not enabled on the remote access, allowing the stolen credentials alone to suffice. (Akira actors have been known to exploit VPN appliances with known vulnerabilities or weak authentication to penetrate networks.)
Late June – Early July 2023: With a foothold in the network, the attackers quietly expanded their access. During this period, they likely established persistence (such as creating new admin accounts in Active Directory) and performed reconnaissance. There were early signs of abnormal activity – for example, unusual user logins or system processes – but these did not trigger a full alarm. The breach went largely undetected by the Knights of Old IT team at this stage, allowing the adversaries to escalate their attack. It is likely the attackers were mapping out critical servers (file shares, database servers, logistics systems) and preparing the ransomware deployment. They also began exfiltrating sensitive data out of the network. Internal communications, customer databases, financial records, and other critical datasets were stealthily collected and transferred to attacker-controlled servers. (The volume of data taken has not been publicly quantified, but included corporate documents and a customer information database per the attackers’ claims.)
Mid-July 2023: The attack fully materialized as a ransomware incident. Around this time, Knights of Old’s IT systems were suddenly encrypted by the Akira ransomware. The attackers executed their payload across the network, targeting a wide range of systems. Core operational servers and databases were rendered unusable as files got encrypted with Akira’s cipher. All critical digital services went offline – including dispatch and fleet management systems, route planning tools, warehouse management, email and communication platforms, and financial accounting systems. Employees found themselves locked out of computers, and logistics operations came to an immediate standstill. Along with the encryption, the attackers left ransom note files on the infected machines, which contained instructions and a grim message about the state of the network. Knights of Old’s leadership and IT staff now realized the gravity of the situation: they were in the midst of a major ransomware attack.
Late July 2023: In the aftermath of the encryption event, Knights of Old initiated its incident response. The company publicly acknowledged it had suffered a “significant cyber incident” affecting operations. Internally, emergency measures were taken: infected systems were isolated, and incident response consultants were brought in to investigate the breach. Forensic analysis confirmed that a ransomware attack (specifically Akira) had occurred and that the attackers had also stolen large amounts of data (making this a double-extortion scenario). Knights of Old’s team discovered a ransom note and also learned that the attackers had listed the company on a darknet leak site as an ongoing victim – a clear indication that the perpetrators would leak stolen data if demands weren’t met. During this period, the company struggled to resume operations. Manual workarounds were attempted: for instance, dispatchers and drivers resorted to phone calls and paper records to coordinate deliveries. Despite these efforts, critical data (including digital schedules, truck routing info, and inventory records) was inaccessible, making it nearly impossible to operate effectively. By the end of July, it became apparent that the damage was severe and recovery was faltering. Third-party cyber auditors and experts assessing the breach found that many systems were irreparably impacted and that the timeline for any restoration would be extensive.
Early August 2023: Roughly 1–2 weeks after the ransomware detonation, Knights of Old’s parent company KNP Logistics Group made the decision to file for administration (insolvency protection). The ransomware attack’s disruption had crippled cash flow: with operations frozen, the company could not fulfill orders or invoice customers, yet expenses (employee salaries, fleet leases, etc.) continued to mount. Moreover, the attack corrupted crucial financial data, making it impossible for Knights of Old to produce required financial reports for its lenders. This led to a breach of covenants and loss of confidence from investors and creditors. The leadership sought emergency funding to stay afloat, but potential investors were unwilling to step in given the uncertainty and chaos post-attack. With no way to quickly recover systems or secure funds, the company had no choice but to enter administration to shield itself from creditors while attempting to contain the fallout.
September 2023: By early September, Knights of Old ceased all operations entirely. The administration process could not save the business; after 158 years of continuous operation, the company was effectively defeated by the cyberattack. Approximately 730 employees were laid off as the business folded. (One subsidiary of the group was sold off to another firm, preserving about 170 of those jobs, but Knights of Old as an entity was closed.) The Akira ransomware gang, true to their threats, began leaking sensitive data stolen from Knights of Old on their extortion site, further damaging the firm’s reputation even as it was closing down. The incident garnered significant public attention as a sobering example of how a cyberattack can directly lead to the collapse of a company.
Entry Vector Details: The initial intrusion on June 26 was enabled by compromised credentials.
It is not publicly confirmed how the attackers obtained valid credentials, but possibilities include passwords harvested by malware (infostealers) from an employee’s PC, or credentials leaked from a prior breach of a third-party service.
Knights of Old did have some security measures in place (the company adhered to certain international security standards and had cyber insurance), but a crucial gap was the lack of multi-factor authentication on remote access.
This allowed the attackers to use a stolen username/password to directly log in.
Additionally, cybersecurity authorities later noted that Akira actors often exploit known vulnerabilities in VPN servers to facilitate access when MFA is absent.
It’s possible the attackers leveraged a vulnerability in a VPN appliance or remote desktop service as part of the break-in, though the stolen login was the primary key.
In summary, a combination of weak external access controls (single-factor login, possibly an unpatched VPN gateway) and credential compromise provided the foothold for the adversaries.
Tactics, Techniques, and Procedures (TTPs) Used by Attackers
Once inside Knights of Old’s network, the threat actors (Akira affiliates) employed a range of techniques to advance their attack.
The operation unfolded much like a textbook modern ransomware intrusion, involving stealthy movement, privilege escalation, data theft, and ultimately file encryption.
The following are the key TTPs observed or inferred in this incident:
Initial Compromise and Reconnaissance: Using the stolen credentials, the attackers accessed the company’s network (likely via a VPN or remote desktop gateway). They bypassed security authentication due to missing MFA. If a VPN appliance was used, they may have also exploited known software vulnerabilities (for example, Akira is known to target certain Cisco VPN vulnerabilities to bypass authentication). After entry, the attackers likely established a backdoor for persistence. According to subsequent investigations, Akira operators often create new domain administrator accounts on compromised networks to ensure continued access. The Knights of Old incident probably saw the creation of rogue accounts or scheduled tasks that allowed the hackers to regain access even if the original stolen credential was reset. With a stable foothold, the attackers conducted network reconnaissance: they ran discovery tools to map the network topology, identify critical servers, and enumerate shared folders and directories. Open-source or hacker tools such as SoftPerfect Network Scanner and Advanced IP Scanner (both observed in other Akira cases) may have been used to scan for hostnames/IPs and live systems within the corporate network. This reconnaissance phase allowed the attackers to plan which systems to target for data theft and encryption (focusing on file servers, database servers, and domain controllers).
Privilege Escalation and Lateral Movement: The adversaries escalated their privileges to domain administrator level, giving them broad control. To achieve this, they likely harvested additional credentials from within the network. Common techniques would include credential dumping from memory – for instance, running tools like Mimikatz or LaZagne on compromised machines to extract passwords and hashes from the Windows Local Security Authority (LSA) process (LSASS). They may also have used Kerberoasting attacks (extracting encrypted service tickets to crack service account passwords offline) to gain higher-level credentials. With admin credentials in hand, the attackers moved laterally, accessing multiple servers and workstations. This could involve using Windows administrative tools (like PsExec or WMI) to remotely execute commands on other systems, or RDPing into servers directly. They likely disabled or tampered with security software on machines that they controlled – shutting down antivirus services and deleting system logs to avoid detection. By the time they were ready to launch the ransomware, the attackers had unrestricted access across Knights of Old’s Windows domain and possibly backups or storage systems. (Notably, if Knights of Old had any online backups reachable from the network, those would have been prime targets for the attackers to locate and disable or encrypt, to eliminate the victim’s recovery options.)
Data Exfiltration (Double Extortion): In parallel with lateral movement, the Akira attackers engaged in extensive data exfiltration. They gathered sensitive data from file shares, databases, and email servers. This data likely included customer contracts, delivery records, employee information, financial and accounting data, and proprietary business documents. The data was packaged (possibly compressed and split into archives) and then transferred out of the network to servers controlled by the attackers. Common methods for exfiltration include using HTTPS or FTP to upload data to a cloud storage or an attacker-owned site, or even using tools like Rclone to push data to a private cloud bucket. While the exact tool isn’t confirmed publicly, we do know the attackers obtained a “database with customers’ data” and other corporate information, as they later advertised in their leak message. The exfiltration was completed before the ransomware payload was executed, so that the attackers could use the stolen data as leverage for extortion even if the company managed to restore IT systems from backups.
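The exfiltration phase described above is usually the last opportunity to catch an intrusion before encryption, and the signal is largely volumetric: a file server that normally sends tens of megabytes a day to the internet suddenly pushes gigabytes to an address it has never contacted before. The Python script below is an added example, not code from the original report or from any tool it mentions; it runs a per-host baseline-and-spike check plus a never-seen-destination check over constructed flow records. The `FLOWS` tuples, the host names, the RFC 1918 definition of "internal", and the thresholds are all assumptions of this example, not figures from the incident.

```python
"""Outbound-volume anomaly check for the data-theft phase of a ransomware intrusion.

Added example with constructed data. FLOWS mimics summarised NetFlow/firewall
records as (day, source host, destination IP, bytes sent); in practice these
would come from a flow collector or egress proxy logs.
"""
from collections import defaultdict
from statistics import mean
import ipaddress

# Constructed sample flows (not from the incident). FS01 has a small daily sync
# to one SaaS address, then on 2023-07-06 sends 1.5 GB to a brand-new host.
FLOWS = [
    ("2023-07-03", "FS01", "203.0.113.10", 40_000_000),
    ("2023-07-04", "FS01", "203.0.113.10", 42_000_000),
    ("2023-07-05", "FS01", "203.0.113.10", 38_000_000),
    ("2023-07-05", "FS01", "10.0.0.25", 900_000_000),        # internal backup traffic
    ("2023-07-06", "FS01", "203.0.113.10", 41_000_000),
    ("2023-07-06", "FS01", "198.51.100.77", 1_500_000_000),  # new external destination
    ("2023-07-03", "WS-114", "203.0.113.10", 5_000_000),
    ("2023-07-06", "WS-114", "203.0.113.10", 6_000_000),
]

# Assumed corporate address space; anything outside it counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RATIO_THRESHOLD = 5.0             # today's external bytes vs. the host's baseline
MIN_SPIKE_BYTES = 500_000_000     # ignore tiny hosts even when the ratio is high
NEW_DEST_MIN_BYTES = 100_000_000  # a never-seen destination receiving >= 100 MB


def is_external(ip):
    """True when the destination lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_bytes(flows):
    """host -> day -> total bytes sent to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def find_anomalies(flows, day):
    """Return a list of anomaly dicts for the given day (ISO date string)."""
    anomalies = []

    # Rule 1: total external volume far above the host's own prior-day baseline.
    for host, per_day in daily_external_bytes(flows).items():
        today = per_day.get(day, 0)
        prior = [b for d, b in per_day.items() if d < day]
        baseline = mean(prior) if prior else 0
        if today >= MIN_SPIKE_BYTES and (baseline == 0 or today / baseline >= RATIO_THRESHOLD):
            anomalies.append({"host": host, "type": "volume_spike",
                              "bytes": today, "baseline": baseline})

    # Rule 2: a large transfer to an external destination this host has never used.
    seen_before = defaultdict(set)
    today_dest = defaultdict(int)
    for d, host, dst, nbytes in flows:
        if not is_external(dst):
            continue
        if d < day:
            seen_before[host].add(dst)
        elif d == day:
            today_dest[(host, dst)] += nbytes
    for (host, dst), nbytes in today_dest.items():
        if dst not in seen_before[host] and nbytes >= NEW_DEST_MIN_BYTES:
            anomalies.append({"host": host, "type": "new_external_destination",
                              "dst": dst, "bytes": nbytes})
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(FLOWS, "2023-07-06"):
        print(a)
```

Both rules fire for FS01 on 2023-07-06 and nothing fires on 2023-07-05; the two signals are deliberately independent, because an attacker who stages data through an already-trusted cloud service defeats the new-destination rule but not the volume rule, and a slow, steady drip defeats the volume rule but may still reveal a new destination.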
Ransomware Deployment and Encryption: After achieving full access and stealing data, the threat actors proceeded to deploy the Akira ransomware payload across the environment. This likely involved staging the ransomware binary on multiple key systems and either executing it manually on each or using automated scripts to trigger it enterprise-wide (for example, via a domain Group Policy startup script or scheduled task). The ransomware rapidly encrypted files on servers and workstations, appending the “.akira” extension (in this period of 2023, the group was using the C++ Akira malware that uses that extension). Critical business databases, application files, and documents were scrambled by strong encryption, rendering them unusable. In Knights of Old’s case, virtually all core data became inaccessible within a short time frame. Even virtual machines might have been encrypted if the attackers deployed their Linux/ESXi variant on hypervisors (though it’s not confirmed if they did so here). The attackers took care to also delete system backups and shadow copies on Windows machines (a standard ransomware procedure) to prevent local restoration. Each affected system received a plain-text ransom note file – typically named “akira_readme.txt” or similar – containing the gang’s message and contact instructions. The ransom note text in this incident was particularly dire: it stated that the company’s infrastructure was essentially destroyed and urged the victim to contact the attackers on an assigned communication channel. The note also implied knowledge of the damage caused: “We’re fully aware of what damage we caused by locking your internal sources,” the attackers wrote, displaying a mix of menace and a prompt to negotiate. They provided an email or darknet chat portal for company representatives to reach out for ransom terms. 
The attackers also posted a public message on their leak site mocking Knights of Old (riffing on the company’s name, they wrote: “Delivering freight when you’re a knight is not as convenient… We will share their corporate information… and customers’ data. Everything will be uploaded soon.”). This public leak notice was aimed to pressure the company by damaging its reputation and demonstrating seriousness.
Command and Control & Automation: Throughout the attack, the adversaries likely maintained remote command-and-control (C2) channels to manage the intrusion. Given the interactive nature of ransomware operations, much of the attack was human-driven (hands-on-keyboard activity through tools like remote desktop, PowerShell, or Cobalt Strike beacons). The attackers might also have deployed C2 malware or relied on legitimate administrative channels for stealth; for example, they may have used the VPN connection or an RDP session from the initial access point as their primary C2 path and pivoted within the network from that single point. They also may have scheduled certain tasks (such as a timed execution of the ransomware during off-hours to catch the victim off guard).
In summary, the Knights of Old attack saw the full kill chain of a modern ransomware attack: initial infiltration via stolen credentials, silent reconnaissance and spread, harvesting of credentials and data, then a simultaneous detonation of ransomware to maximize damage.
The threat actors demonstrated knowledge of the environment (hitting the most crucial systems) and executed their plan within a matter of weeks.
By the time the encryption was discovered, the attackers had already achieved their objectives.
Impact on Infrastructure and Operations
The ransomware attack had a devastating impact on Knights of Old’s IT infrastructure and day-to-day operations.
Virtually all digital services that the company relied on were disrupted.
The immediate technical impact and the subsequent business consequences included:
Operational Paralysis: The encryption of servers in mid-July 2023 effectively brought all core operations to a halt. Knights of Old, as a logistics and haulage company, depended heavily on its IT systems for scheduling deliveries, tracking shipments in real time, managing its vehicle fleet, routing drivers, handling warehouse inventory, and communicating with customers and partners. All these functions were instantly paralyzed. Fleet dispatchers could not access the software that tells drivers where to go and what to pick up or deliver. Warehouse personnel lost access to inventory databases. The transport management system was down, so new orders could not be processed. Even basic office functions like email and internal communications were unavailable, making coordination extremely difficult. In effect, the company’s “digital backbone” was taken offline. Knights of Old found itself unable to carry out even the most fundamental business processes, such as printing delivery manifests or updating customers on shipment statuses. This level of downtime is crippling in the logistics industry, where timing and information flow are critical.
Data Loss and Corruption: Key data stores were encrypted or otherwise corrupted by the attack. Most critically, financial data and accounting databases were impacted. The company’s financial systems contained records of invoices, payments, payroll, and compliance-related data. With these inaccessible, Knights of Old could not issue invoices for completed deliveries, hampering cash inflow. Worse, they could not produce up-to-date financial statements and reports. This became a major issue because the firm had obligations to report its financial status to lenders and creditors. The BBC reported that the ransomware damaged critical financial data, making it impossible to meet reporting deadlines set by lenders. This led to the company defaulting on certain loan covenants and losing the trust of its banks. In addition, customer data was at risk: the attackers stole and threatened to leak customer records, which likely included client names, contracts, delivery logs, etc. The prospect of this data being published created a data privacy and reputational crisis alongside the operational one.
Business Continuity Breakdown: Knights of Old did attempt to invoke manual processes as a fallback – for example, trying to dispatch trucks using phones, paper documents, and spreadsheets created from memory. However, given the scale of the company (hundreds of drivers and vehicles across the UK and Europe), manual operation was unsustainable and error-prone. Customers quickly felt the impact: deliveries were delayed or missed entirely in the days following the attack. Some major clients, facing their own supply chain pressures, had to divert shipments to alternative logistics providers when Knights of Old could not fulfill orders. This led to a loss of business and customer confidence. Internally, employees were left idle or performing minimal tasks, as many could not do their usual jobs without system access. The company’s reputation took a hit as word spread that it was crippled by a cyberattack; in the competitive logistics market, reliability is paramount, and Knights of Old was suddenly seen as unreliable.
Financial Impact: The operational paralysis quickly translated into a financial freefall for the company. With virtually no revenue coming in (no new orders could be processed, existing orders were severely delayed), Knights of Old was hemorrhaging money. Meanwhile, fixed costs and obligations remained: fuel costs for trucks that were still out, salaries for 700+ staff, rent for depots, maintenance for the fleet, etc. Estimates indicated that each day of downtime was costing significant sums in lost revenue and added expenses. Moreover, the company faced potential contractual penalties for failing to meet service agreements with clients. Insurance was in place but the claims process was slow – Knights of Old’s cyber insurance carrier was still assessing the incident and the claim as the weeks passed, meaning immediate relief funds were not available. Compounding matters, investors and creditors saw the chaos and began to pull back. Knights of Old had been seeking fresh investment or credit lines (as the logistics sector was already facing tight margins in 2023), but due to the attack, potential funding deals collapsed. Confidence in the company’s survival was eroded. The administrators later noted that the cyberattack directly undermined efforts to secure critical financing needed to keep operating.
Employee and Stakeholder Impact: By the end of the summer, with no resolution in sight, the company had to shut down operations and enter insolvency. Over 700 employees lost their jobs as a direct result of the attack and the subsequent collapse. Many of these were long-tenured staff who had helped build the company’s legacy. The local community (Kettering, where Knights of Old was based) was also affected by the loss of a major employer. Suppliers and business partners dealing with Knights of Old faced losses too – some small trucking subcontractors and vendors were left with unpaid invoices that they might not recover fully due to the insolvency process. Customers experienced disruptions in their supply chains and had to incur costs switching to new logistics providers on short notice. The incident thus had a ripple effect beyond just the company’s walls, illustrating how a cyberattack on one organization can propagate economic damage to others.
In essence, the ransomware attack converted a thriving logistics company into a non-operational state in a matter of weeks.
The inability to access critical systems and data meant Knights of Old could not function or generate revenue, leading to a cascading failure of business continuity.
Even though the ransom amount (if one was specified by the attackers) is not publicly known, the indirect costs (lost business, remediation expenses, legal and insolvency costs, and the collapse of the company itself) far outweighed any single ransom demand.
Knights of Old’s century-and-a-half legacy was undone by this single cyber incident, demonstrating that the impact of ransomware can be truly existential for a business.
Detection and Response Efforts
Knights of Old’s detection and incident response efforts were ultimately unable to contain the attack, and examining them provides insight into what went wrong:
Initial Detection (or Lack Thereof): The breach in June 2023 was not immediately detected. The company did not realize that attackers were in their systems until the ransomware was executed weeks later. There were some red flags (for instance, logs would later show unusual login times and the creation of a new administrative account that nobody on the IT staff recognized), but these signs were either missed by monitoring tools or not acted upon in time. At the start of the incident, Knights of Old did not have a dedicated Security Operations Center (SOC) or 24/7 threat monitoring service that might have caught the intruder’s early movements. This meant the attackers had ample dwell time in the network without interference. It appears that the first unmistakable indicator of the attack was the ransomware detonation itself – by then, of course, it was too late to prevent damage.
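The red flags named here (an off-hours remote logon, a new administrative account nobody recognized) and the tampering steps from the TTP section (clearing the Security log, deleting volume shadow copies before encryption) are all visible in standard Windows Security events: 4624 for logons, 4720 for account creation, 4728/4732 for group membership changes, 1102 for an audit-log clear, and 4688 for process creation with command-line auditing enabled. The Python script below is an added example, not code from the original report or from any product it names; it applies four rules to constructed event records and then groups the hits by account so the chain is visible. The record shape, the business-hours window, and the constructed host and account names are assumptions of this example.

```python
"""Simple detection rules for the early-intrusion signals a SOC could have acted on.

Added example with constructed data. SAMPLE_EVENTS imitates parsed Windows
Security log entries; in a real deployment the records would come from a SIEM
or an EVTX parser, and the field names would follow that source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the incident): a stolen credential used
# for a 03:12 VPN logon, a new account created and promoted to Domain Admins
# within minutes, and, weeks later, the Security log cleared and shadow copies
# deleted on a file server just before encryption.
SAMPLE_EVENTS = [
    {"time": "2023-06-26T03:12:41", "event_id": 4624, "host": "VPN-GW01",
     "user": "jsmith", "logon_type": 10},
    {"time": "2023-06-26T09:05:10", "event_id": 4624, "host": "WS-114",
     "user": "jsmith", "logon_type": 2},
    {"time": "2023-06-27T02:48:03", "event_id": 4720, "host": "DC01",
     "user": "jsmith", "target": "svc_backup2"},
    {"time": "2023-06-27T02:49:30", "event_id": 4728, "host": "DC01",
     "user": "jsmith", "group": "Domain Admins", "member": "svc_backup2"},
    {"time": "2023-07-14T22:30:12", "event_id": 1102, "host": "FS01",
     "user": "svc_backup2"},
    {"time": "2023-07-14T22:31:05", "event_id": 4688, "host": "FS01",
     "user": "svc_backup2", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2023-07-14T14:00:00", "event_id": 4688, "host": "WS-114",
     "user": "jsmith", "cmd": "notepad.exe report.txt"},
]

BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time; an assumption
REMOTE_LOGON_TYPES = (3, 10)           # network and RemoteInteractive (RDP)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
NEW_ACCOUNT_WINDOW = timedelta(hours=24)
SHADOW_COPY_MARKERS = ("vssadmin", "delete shadows", "shadowcopy delete",
                       "wbadmin delete catalog")


def detect(events):
    """Return (rule, time, host, user) findings in chronological order."""
    findings = []
    created_at = {}  # account name -> creation time, for the chained rule
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["event_id"]
        if (eid == 4624 and ev.get("logon_type") in REMOTE_LOGON_TYPES
                and ts.hour not in BUSINESS_HOURS):
            findings.append(("off_hours_remote_logon", ev["time"], ev["host"], ev["user"]))
        elif eid == 4720:
            # Creation alone is noisy; remember it and alert on what happens next.
            created_at[ev["target"]] = ts
        elif eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            member = ev["member"]
            born = created_at.get(member)
            if born is not None and ts - born <= NEW_ACCOUNT_WINDOW:
                findings.append(("new_account_to_privileged_group",
                                 ev["time"], ev["host"], member))
        elif eid == 1102:
            findings.append(("audit_log_cleared", ev["time"], ev["host"], ev["user"]))
        elif eid == 4688:
            cmd = ev.get("cmd", "").lower()
            if any(marker in cmd for marker in SHADOW_COPY_MARKERS):
                findings.append(("shadow_copy_deletion", ev["time"], ev["host"], ev["user"]))
    return findings


def chain_by_user(findings):
    """Group rule hits per account so analysts see the sequence, not isolated alerts."""
    chains = defaultdict(list)
    for rule, _, _, user in findings:
        chains[user].append(rule)
    return dict(chains)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print(chain_by_user(hits))
```

On the sample data the 09:05 interactive logon and the notepad process are correctly ignored, while the four remaining events line up as one chain: a remote logon at 03:12, a day-old account landing in Domain Admins, and, weeks later, a log clear followed within a minute by shadow-copy deletion on the same host. The last two rules are late-stage signals; the first two are the ones that would have bought weeks of response time in this incident.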
Immediate Response to Ransomware: Once the ransomware was sprung in mid-July and files started encrypting, Knights of Old’s IT team and leadership reacted quickly to assess and triage the situation. The priority was to contain the incident: network segments were shut down or disconnected to try to stop any further spread of malware. Servers were powered off in some cases to preserve them for potential forensic analysis. The company’s management convened an emergency response team, which included internal IT managers and external cybersecurity consultants (likely brought in through their cyber insurance breach response coverage). They also alerted law enforcement agencies; although details are sparse, it’s typical for a major incident like this to be reported to the UK National Cyber Security Centre (NCSC) or the police. Knights of Old issued an initial public statement acknowledging a “major cyber incident” and asking customers and partners for patience. This was done to explain service disruptions while avoiding explicit mention of “ransomware” early on (a common practice to manage reputation). Internally, the atmosphere was chaotic: employees were instructed not to turn on their computers until they could be checked, and all network access was halted to prevent any lingering threat from causing more harm.
Investigation and Ransom Negotiation: Digital forensics experts began investigating how the attackers got in and what they had done. They quickly identified the ransomware strain as Akira, and the presence of the ransom notes made it clear who was responsible. It was also confirmed that data had been exfiltrated (for example, evidence of large transfers or the attackers’ leak announcements). At this point, Knights of Old’s leadership faced the critical decision of whether or not to engage with the attackers and consider paying a ransom. The specific ransom demand hasn’t been disclosed, but given Akira’s typical operations, it could have been in the millions of dollars range (the median ransom demand by similar groups in 2023 was several million USD). The company weighed its options. Paying the ransom might theoretically restore access (if the hackers provided a decryption key) and could possibly avert the public release of stolen data. However, there were serious downsides: no guarantee the criminals would honor the deal, the company’s finances were already strained, and paying a large sum might not even be feasible. Moreover, UK authorities discourage ransom payments since they fuel further criminal activity. Ultimately, Knights of Old did not pay the ransom – as evidenced by the fact that their data was later leaked and their systems remained locked. It’s possible that the decision was made for them by circumstance (they did not have the liquidity to pay, especially with bank accounts potentially frozen once in administration). The company’s focus instead shifted to attempting recovery through other means.
Attempts at Recovery: Knights of Old’s IT department tried to restore systems from whatever backups existed. Unfortunately, it became clear that the backups were inadequate. Either the backups were also encrypted by the attackers (since they likely had access to backup servers), or they were not recent enough to be useful. The company had some offsite backups, but not for all systems, and restoring what they had still left significant data gaps. Additionally, the complexity of rebuilding dozens of interlinked systems (logistics apps, databases, etc.) from scratch was extremely high, especially under time pressure and without full data. The incident responders and IT team likely got some systems partially running in the weeks after the attack, but these were not enough to resume normal operations. During late July, as these recovery attempts faltered, the company continued operating in a limited manual mode, but clients were growing dissatisfied.
It’s worth noting that in July 2023, a free decryptor for Akira ransomware was released by cybersecurity firm Avast. This tool was made public after security researchers discovered flaws in the Akira encryption implementation, allowing decryption in some cases. Knights of Old’s incident response team would presumably have become aware of this tool (it was discussed in security circles and in the media). However, it is uncertain if the decryptor helped in this case. The decryptor’s effectiveness could depend on the version of Akira used; it’s possible the variant that hit Knights of Old was not fully recoverable by the tool, or that by the time it was available, the company had already decided on insolvency. A spokesperson for the company’s administrators later declined to say whether the decryptor was used or not. Given the outcome, if it was tried, it likely did not result in a meaningful restoration of data.
Communication and Stakeholder Management: Throughout the incident, Knights of Old’s management had to communicate with various stakeholders: employees, customers, partners, regulators, and the public. Internally, staff were regularly briefed on the situation, though initially many details (like the group name Akira or the ransom amount) may have been kept to a small executive circle. Customers were informed that a cyber incident was causing delays. As the crisis deepened, some customers (especially larger ones) were directly contacted by Knights of Old executives to work out contingency plans or to apologize for service failures. Regulators and data protection authorities were likely notified as well, since customer data was compromised (under UK law, the Information Commissioner’s Office must be informed of personal data breaches). By the time the company moved into administration, public statements became more straightforward, admitting that a ransomware attack had occurred and that it had severely impacted the business’s viability.
Decision to Enter Administration: The final phase of response was not a technical one but a legal/business action. On August 2, 2023 (approximately), Knights of Old’s board, in consultation with insolvency professionals, decided to file for administration. This is essentially placing the company under the control of appointed administrators to either restructure or wind it down in an orderly fashion. The ransomware attack was cited as the primary reason for insolvency in the official filings. Once in administration, the focus shifted from recovery to salvaging what value they could. The administrators attempted to find buyers for parts of the business; one key division was sold to another logistics firm to save a fraction of the jobs. For the incident responders, this meant that full restoration of systems was no longer the goal – instead, they worked on forensic analysis (for insurance and legal purposes) and extracting whatever data could be saved for winding down (such as payroll data to pay employees their last wages, etc.). The company likely cooperated with law enforcement investigations into the Akira group as well, providing indicators of compromise and information from the attack.
In hindsight, Knights of Old’s response efforts were hampered by the lack of an effective incident response plan and disaster recovery capability.
They were essentially reacting on the fly to a worst-case scenario.
The IT team and partners did what they could – containing the spread, investigating the breach, and communicating with stakeholders – but without usable backups or the option to pay a ransom, the company was stuck.
It’s a harsh reminder that even a prompt and earnest response cannot always save a company if the preparation wasn’t sufficient beforehand.
Lessons Learned and Hardening Recommendations
The collapse of Knights of Old stands as a cautionary tale for all organizations about the importance of cybersecurity preparedness.
There are several key lessons and takeaways from this incident, along with recommendations to prevent or mitigate such attacks in the future:
1. Treat Cybersecurity as a Business Risk, Not Just IT’s Problem: Knights of Old believed they were reasonably secure – they had implemented standard security protocols and even held cyber insurance. Yet, the attack revealed that compliance checkboxes alone were insufficient. Executive oversight and a culture of security are crucial. Companies must recognize that a major cyber incident can threaten the entire business. Regular board-level reviews of cyber risk, investing in resilience, and scenario planning (e.g. “what if our systems were down for 2 weeks?”) should be standard practice. As former Knights of Old director Paul Abbott said after the incident, “Whatever you think you’ve done [for security], get it checked by experts. People don't think it's going to happen to them.” This mindset shift is essential in the ransomware era.
2. Strengthen Initial Defenses – Especially Credentials and Remote Access: The initial intrusion was made possible by stolen credentials and lack of multi-factor authentication. Every organization should enforce MFA on all remote access points (VPNs, RDP, webmail, etc.). Had MFA been in place, a stolen password alone would likely not have been enough to breach Knights of Old. Additionally, companies should implement strong password policies and monitor for credential compromises. Using threat intelligence services to watch darknet markets for stolen account credentials tied to your organization can provide early warning if your employees’ logins have been leaked. Given that phishing and infostealer malware are common ways attackers obtain credentials, continuous security awareness training for staff is needed to reduce the risk of credential theft. In short: make it as hard as possible for attackers to use a single stolen password to invade your network.
3. Patch Critical Systems and Address Known Vulnerabilities: Ransomware groups like Akira often exploit known, addressable vulnerabilities in VPN appliances, firewalls, or servers to gain entry (for example, the Akira group has exploited specific Cisco VPN appliance flaws). It’s vital to keep external-facing systems fully patched and up-to-date. Organizations should prioritize patching any “gateway” systems (VPNs, web servers, etc.) and follow threat advisories (such as CISA alerts) about actively exploited CVEs. Regular penetration testing can help identify any forgotten open ports or weak spots in perimeter defenses. In Knights of Old’s case, whether a VPN exploit was used or not, this attack underscores the need for a rigorous vulnerability management program to shut known doors that attackers might use.
4. Network Segmentation and Least Privilege: The ease with which the attackers’ ransomware spread across Knights of Old’s network indicates a flat network architecture where many systems were fully reachable once inside. Implementing network segmentation can limit the blast radius of an intrusion. For example, segregating critical servers (like financial databases or logistics control systems) on separate network segments with strict access controls can slow down or contain an attacker’s lateral movement. Similarly, following the principle of least privilege for user and service accounts will make it harder for an adversary to escalate privileges. Regularly audit domain admin accounts and highly privileged credentials – these should be very few in number and tightly monitored. If Knights of Old had tighter internal network controls and monitoring on admin account usage, the attackers might have been detected or unable to access everything so freely.
5. Deploy Advanced Detection and Response Capabilities: One of the biggest lessons is the importance of early detection. Detecting the attackers during their two-week dwell time could have averted the worst damage. Companies should invest in Endpoint Detection and Response (EDR) tools on servers and workstations, which can catch suspicious behavior like Mimikatz usage or unusual processes. A centralized Security Information and Event Management (SIEM) system with alerts for anomalies (e.g., an employee logging in at odd hours or a surge in data transfers) can tip off responders before ransomware is launched. Even if an organization cannot staff a 24/7 SOC internally, partnering with a Managed Detection & Response (MDR) service or subscribing to threat intelligence alerts can bridge the gap. In essence, speed is everything – the sooner an intrusion is identified and contained, the less likely it will escalate to a full-blown ransom event. Knights of Old’s experience shows that without vigilant monitoring, attackers can operate unchecked.
6. Prepare and Practice an Incident Response Plan: Every organization needs a documented incident response (IR) plan that covers ransomware scenarios. This plan should define roles and communication flows for handling an attack. Key elements include: how to isolate infected machines, who to call for external help (IR consultants, legal counsel, law enforcement), and how to communicate with employees and customers during downtime. Just as importantly, this plan must be practiced through drills or tabletop exercises. Knights of Old was caught scrambling to respond; a practiced team could have moved more decisively. The IR plan should also include guidelines on ransom payment deliberation – involving executives, legal, and law enforcement input – so that the decision can be made calmly and not in panic.
7. Robust Data Backup and Recovery Strategy: One of the fatal factors in this case was the lack of usable backups and business continuity options. Organizations must maintain regular backups of critical data and system images, stored offline or in a segregated network that attackers cannot easily reach. Simply having backups isn’t enough; the backups must be tested periodically to ensure they can actually restore operations in a timely way. Knights of Old might have survived if they could have restored key systems within a few days of the attack. Consider a multi-tier backup approach (daily incremental backups, weekly full backups, plus real-time replication for crucial systems) and ensure backup credentials and access are separate from the main network authentication (so that an adversary who compromises the domain can’t directly delete or encrypt backups). Disaster recovery planning is critical: identify how you would rebuild entire servers or migrate services to cloud environments if needed. In the logistics industry, having some manual fallback or alternate site to run basic operations can also buy time.
8. Comprehensive Business Continuity Planning: Beyond IT recovery, a Business Continuity Plan (BCP) could have mitigated the operational fallout. This includes having contingency plans for how to operate if IT systems are unavailable. For a logistics firm, that might involve pre-arranged procedures for manual dispatch or partnerships with other logistics providers to handle overflow in an emergency. Knights of Old attempted ad-hoc manual operations, but a pre-planned approach would have been more effective and could have kept customers from leaving. BCPs should be updated for cyber scenarios (traditionally they focused on natural disasters, etc.) – e.g., how to handle orders, communications, and cash flow if your digital systems are locked by ransomware for days or weeks.
9. Adequate Cyber Insurance and Financial Resilience: Knights of Old did have cyber insurance, but the case shows insurance is not a panacea. Policies have limits and exclusions; in this instance the losses far exceeded what their policy covered. Organizations should review their cyber insurance coverage limits in light of the potential business interruption costs, not just the immediate incident response costs. Additionally, ensure the policy covers ransomware incidents and related expenses (like hiring IT forensics, PR management, legal fees, and even ransom payment if that’s a consideration). However, even with insurance, companies must maintain a level of financial resilience – access to emergency funds or credit – to weather the immediate aftermath of an attack. Knights of Old was in a position where lack of short-term funding after the attack was a critical issue. This suggests that having a financial contingency (like an emergency line of credit or reserves earmarked for disasters) could give a company more breathing room to recover rather than rush into insolvency.
10. Learn from Incidents and Engage with the Security Community: Finally, it’s important for organizations to learn from cases like Knights of Old and stay informed on the evolving threat landscape. Cyber threat actors continuously adapt their techniques. Sharing information about incidents (with industry groups, authorities, or via anonymous platforms) can help others prepare. For example, had Knights of Old been aware of similar attacks on other companies and the tactics used, they might have tightened their VPN access or watched for certain indicators. Proactively engaging with organizations like the NCSC, and implementing their guidance (such as the NCSC’s ransomware alerts and CISA’s #StopRansomware advisories), can greatly improve an organization’s defensive posture. The human element is crucial too – fostering a security-aware culture where any employee who notices something strange (like their computer acting weird or files being renamed) knows how to report it immediately, can make a huge difference in early detection.
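To make the “blast radius” of recommendation 4 measurable rather than a figure of speech, here is an added Python example (it is not from the report and not the Knights of Old network): it evaluates a segment-level firewall policy over a constructed host inventory and reports which hosts a single compromised machine could reach on administrative ports, transitively, under a flat policy and under a segmented one. Host names, segment names and the rule set are all hypothetical.

```python
"""Added illustration: blast-radius check for a segment-level network policy.

Everything here (hosts, segments, rules) is a constructed example, not the
Knights of Old network.
"""
from collections import deque

# Constructed inventory: host -> segment.
HOSTS = {
    "WS-001": "workstations",
    "WS-002": "workstations",
    "JUMP01": "admin",
    "FILESRV01": "servers",
    "LOGISTICS01": "servers",
    "FIN-DB01": "finance",
    "DC01": "identity",
    "BACKUP01": "backup",
}

# Ports used by remote-administration protocols (SMB, RDP, WinRM). Being able
# to reach a host on one of these is the network precondition for moving onto it.
ADMIN_PORTS = {445, 3389, 5985}

# Rules are (source segment, destination segment, port); "any" is a wildcard.
FLAT_POLICY = [("any", "any", "any")]

SEGMENTED_POLICY = [
    ("workstations", "identity", 88),    # Kerberos
    ("workstations", "identity", 389),   # LDAP
    ("workstations", "servers", 443),    # the logistics web application
    ("servers", "identity", 88),
    ("servers", "finance", 1433),        # only the application tier may talk to the finance DB
    ("admin", "servers", 3389),          # administration only from the jump host
    ("backup", "servers", 443),          # backups are pulled; nothing may initiate into "backup"
]


def allowed(policy, src_host, dst_host, port):
    """True if the policy lets src_host open a connection to dst_host on port."""
    src, dst = HOSTS[src_host], HOSTS[dst_host]
    if src == dst:
        return True  # no filtering inside a segment: the usual default, and worth questioning
    return any(
        rs in ("any", src) and rd in ("any", dst) and rp in ("any", port)
        for rs, rd, rp in policy
    )


def blast_radius(policy, foothold):
    """Hosts reachable on an admin port from `foothold`, transitively (breadth-first)."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        current = queue.popleft()
        for candidate in HOSTS:
            if candidate in seen:
                continue
            if any(allowed(policy, current, candidate, p) for p in ADMIN_PORTS):
                seen.add(candidate)
                queue.append(candidate)
    return seen


def compare(foothold):
    """Blast radius of the same foothold under both policies, for a quick report."""
    return {
        "flat": sorted(blast_radius(FLAT_POLICY, foothold)),
        "segmented": sorted(blast_radius(SEGMENTED_POLICY, foothold)),
    }


if __name__ == "__main__":
    for host in ("WS-001", "JUMP01"):
        print(host, compare(host))
```

Under the flat policy every host is in reach of a single compromised workstation; under the segmented policy the same foothold reaches only its neighbour in the workstation segment, which is why client isolation inside that segment is the next control to consider. Running the check from the jump host shows that its reach is by design the largest, so it deserves the tightest monitoring and MFA.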
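As an added example for recommendation 5 (it is not part of the original report), the two SIEM rules it names, an employee logging in at odd hours and a surge in data transfers, implemented in Python over constructed log lines. The log format, host names, user names and IP addresses are assumptions made for the example.

```python
"""Added illustration: two SIEM-style checks over constructed log lines.

Off-hours successful logins, and per-host hourly egress that exceeds a
multiple of the host's own median. Log format, hosts, users and addresses
are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical). The last two lines are the anomalies.
SAMPLE_LOG = """\
2023-06-27T08:10:11 LOGIN user=j.smith src=10.1.4.22 result=success
2023-06-27T08:31:40 XFER host=FILESRV01 dst=10.1.4.22 bytes=52428800
2023-06-27T09:15:02 XFER host=FILESRV01 dst=10.1.4.31 bytes=62914560
2023-06-27T10:05:57 XFER host=FILESRV01 dst=10.1.4.22 bytes=57671680
2023-06-27T11:44:13 XFER host=FILESRV01 dst=10.1.4.40 bytes=50331648
2023-06-27T12:03:09 LOGIN user=a.jones src=10.1.4.31 result=failure
2023-06-28T02:47:19 LOGIN user=j.smith src=203.0.113.45 result=success
2023-06-28T03:12:55 XFER host=FILESRV01 dst=203.0.113.45 bytes=4294967296
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>LOGIN|XFER)\s+(?P<rest>.*)$")


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["kind"] = m.group("kind")
        events.append(fields)
    return events


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the [start_hour, end_hour) working window."""
    return [
        e for e in events
        if e["kind"] == "LOGIN" and e.get("result") == "success"
        and not (start_hour <= e["ts"].hour < end_hour)
    ]


def egress_surges(events, factor=5.0, min_buckets=4):
    """Per host: hourly bytes transferred versus that host's median hourly volume.

    A bucket above factor * median is flagged. Hosts with fewer than
    min_buckets hours of history are skipped because the baseline is meaningless.
    """
    per_host = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["kind"] == "XFER":
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            per_host[e["host"]][hour] += int(e["bytes"])
    alerts = []
    for host, buckets in per_host.items():
        if len(buckets) < min_buckets:
            continue
        baseline = statistics.median(buckets.values())
        for hour, total in sorted(buckets.items()):
            if total > factor * baseline:
                alerts.append({"host": host, "hour": hour, "bytes": total, "baseline": baseline})
    return alerts


def run_checks(text=SAMPLE_LOG):
    """Run both rules over a log and return the hits keyed by rule name."""
    events = parse_events(text)
    return {"off_hours": off_hours_logins(events), "surges": egress_surges(events)}


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

The median baseline is deliberately per host: a file server that normally moves tens of megabytes an hour and then pushes gigabytes to an address outside the corporate range is exactly the pre-encryption exfiltration pattern a double-extortion crew produces, and a fixed global threshold would either miss it or drown in noise from busier systems.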
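Recommendation 7 says backups must be tested, not merely kept. An added Python example of what such a test looks like (this is not the report's material and not any vendor's backup tooling): it packs a directory into an archive, records a SHA-256 manifest meant to be stored out of band where domain credentials do not reach, then restores into a scratch directory and checks every file and the backup's age against a recovery point objective. The file names, contents, timestamps and the 24-hour RPO are constructed for the example.

```python
"""Added illustration: a scripted restore test for an offline backup set.

Packs a directory into a tar.gz, records a SHA-256 manifest to be stored out
of band, then restores into a scratch directory and verifies every file plus
the backup's age against a recovery point objective. Paths and data are
constructed for this example.
"""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, archive, created):
    """Archive src_dir; return the manifest {relative path: sha256} with its timestamp."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                files[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return {"created": created.isoformat(), "files": files}


def restore_and_verify(archive, manifest, rpo, now):
    """Restore into a fresh directory and check it against the out-of-band manifest."""
    result = {"restorable": False, "within_rpo": False, "missing": [], "mismatched": [], "error": None}
    created = datetime.fromisoformat(manifest["created"])
    result["within_rpo"] = (now - created) <= rpo
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Only extract plain files with relative, non-traversing names.
                safe = [m for m in tar.getmembers()
                        if m.isfile() and not Path(m.name).is_absolute()
                        and ".." not in Path(m.name).parts]
                try:
                    tar.extractall(scratch, members=safe, filter="data")
                except TypeError:  # Python versions without the 'filter' argument
                    tar.extractall(scratch, members=safe)
        except (tarfile.TarError, OSError, EOFError) as exc:
            result["error"] = f"archive unreadable: {exc}"
            return result
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != expected:
                result["mismatched"].append(rel)
    result["restorable"] = not (result["missing"] or result["mismatched"])
    return result


def run_demo():
    """Constructed scenario: a fresh backup, a stale one, and one overwritten on the backup share."""
    now = datetime(2023, 7, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the demo is repeatable
    rpo = timedelta(hours=24)
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"
        (data / "dispatch").mkdir(parents=True)
        (data / "dispatch" / "jobs.csv").write_text("job,driver\n1001,alice\n1002,bob\n")
        (data / "payroll.db").write_bytes(os.urandom(4096))  # stand-in binary content

        archive = work / "nightly.tar.gz"
        manifest = create_backup(data, archive, created=now - timedelta(hours=6))
        good = restore_and_verify(archive, manifest, rpo, now)

        # Same archive, but the manifest says it is three days old: restorable yet outside the RPO.
        stale_manifest = dict(manifest, created=(now - timedelta(days=3)).isoformat())
        stale = restore_and_verify(archive, stale_manifest, rpo, now)

        # An intruder who reached the backup share and encrypted the archive in place:
        # simulated by overwriting it with random bytes.
        archive.write_bytes(os.urandom(archive.stat().st_size))
        encrypted = restore_and_verify(archive, manifest, rpo, now)
    return {"good": good, "stale": stale, "encrypted": encrypted}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r)
```

The manifest lives apart from the archive on purpose: if both sit on the same share under the same credentials, an adversary who holds the domain can encrypt or delete both, and the third scenario in the demo is what the restore test then reports. Scheduling this kind of test, and alerting when it fails, turns “we have backups” into a claim that is checked rather than assumed.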
In conclusion, the Knights of Old incident underscores that ransomware is not just an “IT problem” but an existential business threat. A multi-pronged approach of preventative controls, vigilant detection, practiced response, and resilient recovery capabilities is needed to defend against such attacks. Organizations should take this case as a rallying cry to re-examine their own readiness. As one cybersecurity expert noted in the wake of the incident, “It really can happen to anyone… no matter how big or small”. The cost of preparing now is far less than the cost of picking up the pieces after a successful ransomware attack.
References
James Grant & Annabel Amos. “IT warning after hackers close 160-year-old firm.” BBC News, 4 May 2025. (BBC article on Knights of Old collapse, with quotes from a former director and context on the ransomware note and impact.)
Alexander Martin. “UK logistics firm blames ransomware attack for insolvency, 730 redundancies.” The Record (Recorded Future News), 26 Sep 2023. (News report detailing KNP Logistics Group’s insolvency filing, the role of the June 2023 ransomware attack, and mention of the Akira gang and decryptor.)
Ryan Gallagher. “Ransomware Gangs’ Merciless Attacks Bleed Small Companies Dry.” Insurance Journal (via Bloomberg), 6 Dec 2024. (Article discussing ransomware impact on SMBs, featuring Knights of Old as a case study; includes details on the Akira gang, their ransom note language, and financial stats on Akira’s activities.)
Alberto Casares. “How Ransomware Attacks Dismantled a 150-Year-Old Company: The Knights of Old Case.” Constella Intelligence Blog, 7 Jan 2025. (Threat intelligence blog post that outlines the timeline of the Knights of Old attack according to reporting from The Times, including the June 26, 2023 initial breach via stolen credentials and the attackers’ leaked message.)
Veronika Hanakova. “The Fall of Knights of Old – 150 Years of History Erased in Just 3 Months.” LinkedIn Article, 25 Mar 2025. (Detailed retrospective on the Knights of Old incident, describing how the attack unfolded, the taunting message from attackers, and the business collapse, as well as general lessons on cybersecurity.)
Cybersecurity & Infrastructure Security Agency (CISA). “#StopRansomware: Akira Ransomware (AA24-109A).” Joint Cybersecurity Advisory by FBI, CISA, etc., April 2024. (Official advisory detailing Akira ransomware tactics, techniques, and indicators, including initial access methods like VPN credential abuse, tools used such as Mimikatz, and mitigation recommendations.)
Partners& (Insurance Brokers). “Cyber attack results in a logistics business going under.” Partners& Blog, 12 Oct 2023. (Blog post highlighting the Knights of Old case as an example of cyber insurance importance; reiterates basic facts of the attack and collapse in June–September 2023.)
BBC News. “Kettering firm KNP Logistics Group’s sudden collapse upsets drivers.” BBC News Northampton, 2023. (Local news coverage of the collapse of KNP Logistics Group (Knights of Old), focusing on the human impact and noting the cyberattack cause.)
(All the above sources are publicly available and provide insight into the Knights of Old incident and the broader context of ransomware threats.)