
How one weak password destroyed KNP: A sad lesson in the cost of password neglect
Businesses fail all the time, for all sorts of reasons, especially startups and fledgling ventures. So when a business like Knights of Old (trading as KNP Logistics Group) survives a century and a half, through enough recessions, wars, government changes, and technological advances to fill many history books, it is fair to call it resilient. Sadly, it was something far smaller and simpler that signalled the end of KNP: a weak password.
In June 2025, the 158-year-old British transport firm collapsed under the weight of a devastating ransomware attack that began with one guessed password. The breach not only encrypted every corner of the company’s digital estate but also obliterated its backups and disaster recovery systems, forcing KNP to enter administration and leaving some 700 employees without jobs.
This cautionary tale underscores a foundational truth in cybersecurity: complexity and legacy alone cannot defend against human fallibility. When password security is neglected, an entire organization can be undone overnight.
How did the KNP attack play out?
The infiltration started when attackers from the Akira ransomware group guessed an employee’s weak internet-facing password, gaining unfettered access to KNP’s systems. With no multifactor authentication (MFA) to block access, the cybercriminals were free to deploy their ransomware payload, encrypting critical data and locking down operational infrastructure.
A subsequent ransom demand (estimated at around £5 million) proved unaffordable, and with backups destroyed or inaccessible, KNP had no path to recovery. Within days, every one of its 500 trucks was sidelined, and the business ceased trading.
While KNP held cyberattack insurance and even enlisted a “cyber crisis” response team from its insurer, the scope of compromise was total: servers, endpoints, backups, disaster recovery sites; nothing remained untouched. According to the cyber-crisis team that attempted to assist KNP, this was “the worst-case scenario” for any organization.
How Akira operates
Since March 2023, the group is alleged to have extorted some $42 million from over 250 organisations worldwide. Cybersecurity researchers at Sophos observed that Akira affiliates frequently leverage a two-step chain of compromise:
- Step 1: Credential-based foothold. Specops research shows attackers frequently steal VPN passwords with malware, and many of these passwords turn out to be weak or reused. Some gateways even run unsupported versions, making them trivially exploitable by gangs such as Akira.
- Step 2: Veeam vulnerability. After initial access, they exploit CVE-2024-40711 in Veeam Backup & Replication (RCE via deserialization) to create local administrator accounts and deploy Fog or Akira ransomware.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) corroborates this attack chain, warning that the combination of compromised VPN credentials and unpatched backup software presents a high-risk scenario for organizations of all sizes.
The wider ransomware landscape
Ransomware attacks in the UK have surged, with 63% of government sector businesses claiming to have been hit during a 12-month period (August 2023 to August 2024). Recent high-profile attacks include major retailer Marks & Spencer, which was struck with DragonForce ransomware after a password was compromised through its service desk.
Attackers increasingly favor a “double extortion” model, in which they not only encrypt data but also threaten to leak sensitive information publicly. This amplifies the pressure on victims to pay, as reputational harm looms alongside operational paralysis.
Yet, as the KNP case demonstrates, the core failure often lies not in exotic zero-day exploits but in basic hygiene lapses. A single weak password became the open door for Akira’s operators. Initial access typically comes via VPN services without MFA, legacy remote access software, or spear phishing campaigns, underscoring that credential security remains a common vector for these attacks.
Specops analysis: How the KNP cyber-attack could have been avoided
David Ketler, Specops Cybersecurity Specialist, had this to say: “The criminals are believed to have gained access to KNP’s internet systems via a weak password that was used by one of the employees at the firm. Actually, the password was so weak it’s thought that it was simply guessed correctly.
“Although it’s currently unproven, based on the assumption the story is true, and it was the result of a guessed password: an internet-connected system should never be authenticated by only a password. Whether this endpoint was a VPN, or an internet-connected machine such as a server or workstation, it should have had additional protections.
“Best security practice is no longer simply ensuring a password is strong. A well-formed security program involves layers of controls such as multi-factor authentication, and enforcement of strong password rules backed by a breached corpus. One can refer to NIST 800-63B for guidance to this effect.
“It’s well understood that end-users will choose weak passwords if security controls are not in place to ease friction and enforce good password hygiene. That’s not to put the blame on the user, it’s simply human nature; our brains contain a lot of passwords, and we strive to reduce the mental load involved.
“Although the exact details remain unverified, the prevailing narrative is clear: relying on a single password to protect an internet-connected endpoint (whether a VPN gateway, server, or workstation) is no longer sufficient. Modern best practices demand layered controls.”
Best practices for password security
While no single control is foolproof, a robust password security program incorporates multiple layers:
- Multifactor authentication (MFA): Even if a password is compromised, a second factor (e.g., a time-based one-time code or hardware token) can block unauthorized logins.
- Strong password policies backed by breached password detection: Blocking weak and common passwords and enforcing the creation of long, complex passphrases greatly reduces the risk of compromise. Having the ability to check your Active Directory for known breached passwords enhances protection further.
- Least privilege and zero trust: This can help to limit lateral movement within the network and ensure that a single breached account cannot unlock every resource.
- Educate administrators: Reinforce that human error is inevitable; controls should reduce, not eliminate, reliance on perfect user behavior.
- Regularly audit and update: Conduct independent cyber audits, patch software promptly, and retire unsupported systems. Know your go-to response if the worst does occur.
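As an added illustration (not Specops code and not taken from the article) of the breached-password screening and NIST SP 800-63B style checks recommended above: the "breached corpus" below is a constructed five-entry sample, and the range lookup is simulated locally in the k-anonymity style of hash-prefix services, where only the first five hex characters of the SHA-1 leave the client.

```python
import hashlib
import re

# Constructed sample "breached corpus": SHA-1 digests of a handful of passwords
# that appear in public breach lists. A real deployment would query a full
# corpus (a vendor list or a hash-prefix range service) instead of this set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "123456", "qwerty123", "Welcome2024!")
}

# Short sequences that NIST 800-63B lists as patterns to reject.
SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789",
             "abcd", "bcde", "cdef", "qwer", "asdf")


def breached_by_prefix(password: str) -> bool:
    """k-anonymity style lookup: send only the 5-char SHA-1 prefix, then match
    the remaining 35 chars against the returned range of suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Simulated range response: every corpus suffix that shares the prefix.
    range_suffixes = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in range_suffixes


def evaluate_password(password: str, context_words=()) -> list:
    """Return the reasons a candidate password is rejected under a
    NIST 800-63B style policy; an empty list means it is acceptable."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if re.search(r"(.)\1{2,}", password):          # e.g. "aaa", "111"
        reasons.append("repeated character run")
    if any(seq in lowered for seq in SEQUENCES):
        reasons.append("sequential characters")
    for word in context_words:                     # username, company name...
        if word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if breached_by_prefix(password):
        reasons.append("found in breached password corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "knp1234", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, ("KNP",)) or "OK")
```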
Protect your organization from password attacks
The tragic end of Knights of Old illustrates a sobering reality: minimizing the attack surface starts with the simplest building blocks. For IT leaders and security teams, the lesson is clear: invest in foundational controls today, before human error becomes tomorrow’s headline. By combining strong password rules, breached password screening, MFA, and proactive vulnerability management, organizations can harden their defenses and ensure that the weakest link in their chain is never a password.
Specops Password Policy helps enforce strong password policies and continuously scans your Active Directory credentials against 4 billion+ known breached passwords, reducing the risk of easily guessable or compromised passwords. Combined with centralized reporting and directory-wide policy controls, organizations can offload the mental burden from end users while maintaining rigorous defense postures.
Specops Password Policy would have blocked KNP’s weak credential before attackers even tried. By enforcing complexity rules and screening against breached password lists, Specops ensures that easily guessed or compromised passwords never grant access to your systems. Book your live demo.