,

UK ransomware figures expose SME resilience gap

Report Fraud says 323 UK organisations reported ransomware attacks over the past financial year.

UK ransomware figures expose SME resilience gap
Summary
  • Report Fraud says 323 UK organisations reported ransomware attacks between April 2025 and March 2026.
  • More than half of the reports came from small and medium sized businesses.
  • The figures highlight the gap between national cyber policy and everyday business resilience.

Report Fraud has warned organisations not to pay ransoms after 323 UK organisations reported ransomware attacks between April 2025 and March 2026, with small and medium sized businesses making up more than half of the reports.

The reporting service, run by City of London Police, said 175 of the ransomware reports came from SMEs. The figures are not a complete measure of UK ransomware activity because many attacks are never reported, but they give a useful public signal of how the threat is landing outside the large enterprise and public sector incidents that usually dominate headlines.

Ransomware is often discussed through major breaches: hospitals, councils, transport systems, manufacturers, and national retailers. Those incidents deserve attention because the operational consequences can be severe. Smaller organisations face a different and often less visible problem. They may lack dedicated security staff, mature backup processes, tested recovery plans, cyber insurance support, and legal or communications expertise.

That makes the decision making environment brutal when an attack hits. A small company that loses access to orders, payroll, customer records, stock systems, or booking platforms may have limited cash reserves and little tolerance for downtime. Attackers know that. Ransomware economics depend on finding victims for whom recovery is painful enough that payment appears, in the moment, to be the least damaging option.

Report Fraud’s campaign advises organisations not to pay. That advice is sound from a law enforcement and ecosystem perspective because payments fund criminal groups and do not guarantee recovery. In practice, many businesses need more than a warning. They need affordable resilience: usable backup tools, tested restore processes, incident contacts, identity protection, endpoint controls, and simple guidance that can be applied before a crisis.

The SME share of the figures should concern policymakers. The UK is tightening its cyber resilience agenda, with planned reforms intended to expand reporting, improve oversight, and strengthen the protection of essential services and supply chains. Regulation alone does not give small businesses the capability to recover from encrypted systems or stolen data.

Supply chain risk also runs through the figures. SMEs are not isolated from the wider economy. They provide services to larger companies, public bodies, local authorities, healthcare providers, schools, manufacturers, and professional services firms. A ransomware incident at a small supplier can become a disruption for a larger customer, particularly where data access or operational dependency is shared.

The insurance market has also changed the incentives. Cyber insurance can help with incident response and recovery, but premiums, exclusions, and underwriting requirements have become more demanding. Businesses that cannot show basic controls may struggle to obtain cover or may find that cover does not behave as expected during a major incident.

The practical baseline is unglamorous. Multi factor authentication, offline or immutable backups, patching, least privilege access, staff phishing awareness, tested recovery procedures, and clear escalation routes still do much of the work. The challenge is not that these controls are unknown. It is that many organisations do not have the time, expertise, or budget to implement them properly.

The reporting gap is another problem. If victims do not report, law enforcement has less visibility of attacker methods, infrastructure, and targeting. Under reporting also distorts national policy because the true burden on smaller businesses remains partly hidden. Report Fraud’s message is therefore about intelligence as well as victim support.

The latest figures do not suggest ransomware is disappearing or becoming a problem only for critical infrastructure. They show a threat that has become normalised across the business base. For the UK economy, that normalisation is expensive. Lost trading, recovery costs, legal advice, reputational damage, and management distraction all drain productivity from companies that often have little slack to absorb it.

Ransomware resilience will improve when smaller organisations can treat recovery as a routine business control rather than a specialist cyber project. Until then, the gap between national warnings and practical readiness will remain one of the UK’s most persistent cyber weaknesses.