Table of Contents
🔍 Introduction to the Knights of Old Cyber Attack
The Knights of Old cyber attack was a ransomware incident in June 2023 that ultimately led to the closure of KNP Logistics, a 158-year-old UK haulage firm trading as Knights of Old. The Akira ransomware group encrypted the company’s systems and demanded approximately £5 million. Knights of Old declined to pay and could not recover operations. By September 2023, the business had ceased trading, with 730 employees made redundant, making it one of the clearest examples of a ransomware attack causing the collapse of a UK business.
The incident remains a significant case study in cyber resilience because it demonstrates how a single successful ransomware attack can disrupt operations, create severe financial consequences and ultimately threaten an organisation’s survival. The lessons from Knights of Old continue to inform how businesses approach ransomware prevention, recovery planning and cyber security governance.
At CyPro, we help firms strengthen their cyber resilience through practical defence measures like Managed Detection & Response (MDR), giving teams early visibility of threats and time to act before damage is done. By the end, you’ll have a clearer picture of why learning from the Knights of Old cyber attack can be crucial to protecting your own business.
Key Facts
| Facts | Details |
| When | Initial intrusion 26 June 2023; full business closure announced September 2023 |
| Attacker | Akira ransomware group (Russian-speaking RaaS operation, active since March 2023) |
| Entry vector | Compromised employee credentials (weak password, no enforced MFA) |
| Ransom demand | ~£5 million – Knights of Old refused to pay |
| Outcome | 730 employees made redundant; 500 trucks taken off the road; the 158-year-old firm (founded 1865) ceased trading. Kettering premises later sold for £8 million |
📉 What was the Knights of Old cyber attack?
The Knights of Old cyber attack was a ransomware incident in which the Akira ransomware group gained access to KNP Logistics’ network using compromised credentials. Attackers encrypted critical systems, reportedly exfiltrated company data and demanded a multimillion-pound ransom, causing widespread operational disruption across the business.
The attack affected core operational systems responsible for finance, administration and logistics management, preventing the business from functioning normally. Despite recovery efforts, the organisation was unable to restore operations and ultimately ceased trading.
At CyPro, we often see that timely containment through Managed Detection & Response can dramatically reduce the fallout from breaches like the Knights of Old cyber attack.
Key Takeaway The Knights of Old cyber attack began with stolen credentials and ended in complete business closure. It’s a stark reminder that ransomware recovery hinges on early detection and strong incident response – not ransom negotiation.
🏢 Who were Knights of Old (KNP Logistics)?
Knights of Old was a UK logistics and haulage company operating as part of KNP Logistics Group. Founded in 1867, the business employed around 700 people. Before the ransomware attack, it was one of the UK’s longest-established transport operators, providing warehousing and distribution services across the country.
| Number of Staff | ~700 employees (prior to collapse in 2023) |
| Sector | Haulage and logistics (transport and distribution across the UK) |
| Revenue | Estimated £100-150 million annually before the cyber attack (industry reports, not publicly detailed) |
| Services | Nationwide road haulage, distribution, warehousing and logistics management |
| Founded | 1867 (as Knights of Old, later merged into KNP Logistics Group) |
| Ownership | Privately owned group (KNP Logistics Group Ltd) |
| Funding | Privately financed; no evidence of significant external or government funding |
Why was Knights of Old a Prime Target?
- Data sensitivity: Logistics firms handle large volumes of client data, shipment details and financial records – valuable to attackers for extortion and resale.
- Operational dependence on IT: Automated scheduling and real-time tracking meant downtime equalled immediate loss of service.
- Complex supply chain links: Third-party connectivity often introduces hidden vulnerabilities that can be exploited.
These factors made the Knights of Old cyber attack particularly damaging, as ransomware disrupted not just internal systems but partner operations too. It highlights how legacy businesses that have modernised digitally often face risks tied to older infrastructure or incomplete security upgrades.
📅 When did the Knights of Old cyber attack happen?
The cyber attack began on 26 June 2023 when attackers gained access to the company’s network using compromised credentials and deployed Akira ransomware. The disruption continued throughout the summer of 2023 and ultimately contributed to KNP Logistics entering administration in September 2023.
Sequence of Events
- Initial breach (26 June 2023): Attackers gained access using stolen credentials and launched ransomware across Knights of Old’s network.
- Immediate disruption: Employees were locked out of admin, finance and payment systems. Drivers were told to turn around mid-route as logistics operations halted completely.
- Data exfiltration: The Akira group claimed to have stolen corporate and customer data, threatening to publish it online if the ransom wasn’t paid.
- Ransom demand: Around £5 million was requested, with the attackers posting a public taunt referencing “Knights’ honour” and threatening to leak customer databases.
- Response: Knights of Old reportedly refused to pay. Systems remained offline for months, leading to full operational collapse.
- Outcome (September 2023): Unable to recover systems or resume trading, Knights of Old entered administration, resulting in 730 redundancies.
Key Takeaway The Knights of Old cyber attack shows how delays between breach and detection can turn disruption into collapse. Timely response and continuous monitoring are often what keep businesses alive after ransomware hits.
👤 Who carried out the Knights of Old cyber attack?
The incident has been attributed to the Akira ransomware group, which claimed responsibility for the intrusion and subsequently listed the company on its leak site. According to reporting by the BBC and other sources, the attackers encrypted company systems, claimed to have stolen data and demanded approximately £5 million from the business.
Akira emerged in 2023 and is known for combining ransomware with data extortion tactics. In the Knights of Old incident, the group allegedly stole company and customer information before threatening to publish it unless its demands were met (CISA).
CyPro continues to see ransomware groups adopting increasingly aggressive extortion techniques, making rapid detection and containment critical once an attacker gains initial access to a network.
🔓 How did the attackers breach Knights of Old?
Attackers reportedly gained access to Knights of Old’s network on 26 June 2023 using compromised employee credentials. Once inside, they were able to move through the environment, access critical systems and ultimately deploy Akira ransomware. Reports indicate that weak authentication controls and the absence of enforced multi-factor authentication (MFA) contributed to the initial compromise.
Weak Authentication and Credential Management
Attackers reportedly gained access using compromised employee credentials. Without enforced MFA, stolen passwords can allow attackers to impersonate legitimate users and establish an initial foothold within a network.
Security and Governance Challenges
The company’s IT environment reportedly included legacy infrastructure, which made patching and monitoring more cumbersome. Older systems often lack modern security features like behavioural analysis or automated alerting.
Cyber security consultant Paul Abbott noted that leadership did not fully appreciate the cyber risks facing the business or the relative affordability of preventative security measures compared with the cost of a major incident.
Chain of Events and Attack Progression
Once inside the network, the attackers reportedly stole data, encrypted systems and demanded payment while threatening to publish stolen information. This follows a common ransomware pattern of credential compromise, data theft, encryption and extortion.
Case Study – Preventing Credential-Based Breaches in a UK Manufacturing Business We worked with a mid-sized UK manufacturing business that had seen repeated unauthorised login attempts through remote access systems. Our team carried out a full credential hygiene audit, identifying over 40 accounts with weak or reused passwords and no MFA.
By implementing stronger authentication controls and our Managed Detection & Response service, we reduced successful intrusion attempts by 90% within six weeks. The client now receives real-time alerts on suspicious login activity, dramatically lowering the risk of an attack similar to the Knights of Old cyber attack.
Human and Organisational Factors
Technical controls alone are rarely sufficient. Security awareness, clear governance and defined incident response responsibilities all play an important role in limiting the impact of a cyber attack.
CyPro frequently finds that governance and awareness gaps can be as significant as technical security weaknesses.
Key Takeaway The Knights of Old cyber attack shows that weak passwords and outdated systems often open the door to ransomware. Strengthening authentication and leadership awareness can make the difference between early containment and total collapse.
🏭 Why did Knights of Old close after the cyber attack?
The Knights of Old cyber attack had devastating consequences for one of the UK’s oldest logistics firms. What began as a ransomware incident quickly escalated into a business crisis, leaving operations unable to continue and ultimately resulting in the closure of the 158-year-old company. By September 2023, KNP Logistics had entered administration and approximately 730 employees had lost their jobs (BBC).
💰 How much was the Knights of Old ransom demand?
According to BBC reporting, the attackers demanded approximately £5 million from Knights of Old following the ransomware attack. The company reportedly did not pay the ransom and instead attempted to recover operations through other means.
Operational Impact
- Total shutdown: All logistics and freight operations were halted as staff lost access to routing, invoicing and payment systems.
- Supply chain disruption: Customers faced delayed or cancelled deliveries, with knock-on effects for retail and manufacturing partners.
- Data exposure: The stolen data included client records and internal documents, later threatened for publication by the attackers.
Financial Impact
- Immediate losses: The business was unable to process payments or invoices, causing severe liquidity issues.
- Administration costs: The company entered administration, incurring additional legal and restructuring expenses.
- Employee claims: Redundancies led to unpaid wages and subsequent legal action by former staff, compounding financial strain.
Reputational Impact
- Trust erosion: The exposure of client data damaged long-standing relationships across the logistics network.
- Public scrutiny: Media coverage of the shutdown highlighted weak cyber resilience, undermining confidence in similar legacy firms.
- Long-term perception: For many customers, the Knights of Old cyber attack became synonymous with how ransomware can end even trusted brands.
Case Study – Recovering Operations After a Ransomware Lockout We worked with a mid-sized manufacturing business that faced a similar ransomware lockout affecting production and finance systems. Our team deployed Managed Detection & Response to contain the breach within hours, restored backups from clean environments, and guided their leadership through crisis comms.
Within ten days, 90% of core systems were operational, and customer satisfaction scores rebounded by 28% within the quarter. This experience shows how swift intervention and clarity of action can prevent the kind of long-term damage seen in the Knights of Old cyber attack.
⚖️ How does the Knights of Old cyber attack compare with other UK ransomware-driven closures?
The Knights of Old cyber attack stands apart from other high-profile cyber incidents affecting organisations such as the British Library and Allianz. While those organisations experienced major disruption and data exposure, KNP Logistics ultimately ceased trading. The incident highlights the potentially catastrophic business impact of ransomware when recovery efforts fail.
At CyPro, we help UK organisations strengthen ransomware resilience through proactive monitoring, incident response planning, security awareness training and tested recovery processes.
| Incident | Year | Sector | Outcome | Notable Lesson |
| Knights of Old (KNP Logistics) | 2023 | UK logistics | Business closed | 730 jobs lost Weak password + no MFA → terminal failure |
| Travelex | 2020 | UK forex | Administration after Sodinokibi attack | Unpatched VPN; ransom paid |
| Lincoln College (US) | 2022 | Education | Permanent closure after attack + COVID | Cyber attack as the final blow on an already-weak business |
| Hackney Council | 2020 | UK public sector | Years of recovery, ~£12m cost | Service continuity, not closure – different funding model |
🛡️ What can UK SMEs learn from the Knights of Old cyber attack?
The Knights of Old cyber attack is not an isolated case. According to the UK Government’s Cyber Security Breaches Survey 2024, 50% of UK businesses and 32% of charities identified a cyber security breach or attack in the previous 12 months. For UK SMEs, the key lesson is that cyber resilience is just as important as prevention, helping organisations recover quickly when incidents disrupt critical systems and operations.
Key Lessons for UK SMEs
1. Strengthen access controls
Compromised credentials were reportedly central to the attack. UK SMEs should enforce multi-factor authentication (MFA), remove dormant accounts, review privileged access and reduce password reuse.
2. Keep systems patched and supported
Legacy systems and unpatched software create avoidable weaknesses. SMEs should maintain an accurate asset inventory, apply updates promptly and isolate unsupported systems until they can be upgraded or replaced.
3. Improve monitoring and detection
Ransomware attacks often escalate quickly once attackers gain access. Centralised logging, alerting and Managed Detection & Response can help identify suspicious activity earlier, before attackers move laterally or encrypt critical systems.
4. Test backups and recovery plans
Backups only protect a business if they can be restored quickly. SMEs should keep offline backups, test recovery regularly and run incident response exercises so teams know what to do under pressure.
5. Use recognised security frameworks
Cyber Essentials, Cyber Essentials Plus and ISO 27001 give SMEs practical ways to improve security maturity. These frameworks help organisations formalise controls, reduce common risks and demonstrate a stronger approach to cyber resilience.
Key Takeaway The Knights of Old cyber attack showed how everyday oversights – from outdated systems to poor monitoring – can end a long-standing business. Regular reviews and expert support can turn these weak points into strengths before it’s too late.
🤝 How does CyPro help UK SMEs prevent ransomware-led collapse?
Preventing ransomware is not just about blocking attacks — it is about ensuring a business can continue operating if an incident occurs. CyPro helps UK SMEs strengthen cyber resilience through proactive monitoring, access control, security assessments and recovery planning designed to reduce operational disruption.
How CyPro supports ransomware resilience
CyPro supports organisations with services such as Managed Detection & Response, which provides continuous monitoring and rapid threat detection to help identify suspicious activity before ransomware can spread across critical systems.
To uncover weaknesses before attackers do, CyPro delivers attacker-aligned assessments and threat intelligence-led assessments that help organisations understand how real-world ransomware groups could target their people, processes and technology.
Preparation is equally important. Through simulated ransomware scenarios, organisations can test incident response plans, recovery procedures and decision-making under pressure, helping teams respond more effectively when incidents occur.
CyPro also helps businesses strengthen their security foundations through frameworks such as the UK Government’s Cyber Essentials scheme, Cyber Essentials Plus and ISO 27001, reducing exposure to common attack methods and improving overall cyber maturity.
Key Takeaway The Knights of Old cyber attack proves preparation is everything. Organisations should strengthen access controls, modernise legacy systems, and invest in detection through MDR. Regular response rehearsals and external assessments turn theory into resilience.
Our team at CyPro helps businesses assess their exposure and put effective controls in place to stay secure and operational. Reach out to us to explore how we can strengthen your defence before the next attack strikes.
📚 Broader Lessons & Trends from the Incident
The Knights of Old cyber attack is more than a story of one company’s downfall – it reflects a wider pattern in how ransomware continues to disrupt UK businesses. In 2025, the NCSC handled four major cyber incidents every week, while incidents involving small businesses continue to increase as well. For leaders, this shows that what happened to Knights of Old isn’t an isolated case, but instead part of a growing trend affecting every sector from logistics to FS and manufacturing.
Wider Industry Trends
- Operational impact: The sale of Knights of Old’s Kettering premises for nearly £8 million and 500 trucks taken off the road reveal how ransomware can end physical operations, not just digital ones.
- Preventable breaches: As one industry leader put it, “the most tragic element of this story is that the breach could almost certainly have been prevented through something as simple as Cyber Essentials.”
- Resilience over prevention: Businesses are shifting from pure prevention to resilience – ensuring they can recover quickly even when defences fail.
❓ Frequently Asked Questions
When did the knights of Old cyber attack happen?
The Knights of Old cyber attack began on 26 June 2023, when the Akira ransomware group encrypted KNP Logistics’ systems. Operations stopped within days, and the business announced full closure in September 2023, less than three months after the initial breach.
Who was responsible for the Knights of Old cyber attack?
The Akira ransomware group claimed responsibility for the Knights of Old cyber attack. Akira is a Russian-speaking ransomware-as-a-service operation that emerged in March 2023 and has been the subject of joint advisories from CISA, the FBI, NCSC and Europol.
How did the attackers get into Knights of Old’s systems?
According to subsequent reporting, the Akira group gained access using a stolen employee password on a system without enforced multi-factor authentication. From there they moved laterally through the network, encrypted key servers, and demanded a ransom of approximately £5 million.
How much was the Knights of Old ransom demand?
Akira demanded approximately £5 million from Knights of Old. The company declined to pay, in line with NCSC guidance discouraging ransom payments, but lacked the backups and recovery capability to restore operations independently.
Why did Knights of Old close after the cyber attack?
Knights of Old (KNP Logistics) closed because the ransomware attack destroyed access to the operational systems needed to run a 500-vehicle haulage fleet, and the company could not recover within the cash-flow window required to retain customers and lenders. By September 2023 the business had filed for administration, leaving 730 employees redundant.
Could Knights of Old have been saved?
Most analyses point to the same controls that would have prevented or limited the attack: enforced multi-factor authentication, regular offline backups, modern endpoint detection, and a tested incident response plan. Cyber Essentials Plus certification covers the basics that, applied earlier, would likely have changed the outcome.
What lessons should UK SMEs take from the Knights of Old cyber attack?
The headline lesson is that ransomware can be an extinction-level event for a UK SME. The practical lessons are: enforce MFA on every account; maintain immutable, offline backups tested quarterly; achieve at least Cyber Essentials Plus certification; and rehearse an incident response plan that assumes systems will be encrypted within hours.
