Summary
- City of London Police says 323 UK organisations reported ransomware attacks between April 2025 and March 2026.
- More than half of those reports came from SMEs, while recorded financial losses rose by 50%.
- Underreporting means official figures probably understate the operational and financial damage facing UK businesses.
City of London Police has warned UK organisations to strengthen ransomware defences after new Report Fraud data showed 323 organisations reported attacks between April 2025 and March 2026.
The figure equates to more than 26 reported attacks a month. More than half of the reports came from small and medium-sized enterprises, with 175 SME reports recorded during the period. Reported financial losses totalled about £270,000, a 50% increase on the previous year, although police say the true figure is likely to be higher because businesses often underreport losses.
The campaign, launched by Report Fraud on 29 June, urges organisations not to pay ransoms and to report attacks immediately. Reports where the organisation’s sector was listed show that manufacturing recorded 42 reports, scientific and technical organisations recorded 21, and education recorded 19. The spread shows that ransomware is not confined to large enterprises, banks, or high-profile public bodies. It is hitting organisations where interruption can stop orders, production, teaching, research, payroll, and supplier communication.
The underreporting problem is central to the UK’s ransomware picture. Ransom payments can create legal, compliance, and reputational complications, especially where money may support criminal groups. Businesses may also fear customer reaction, insurer scrutiny, regulatory questions, or damage to supplier relationships. Those pressures can push incidents into private recovery processes, leaving law enforcement with an incomplete view of the threat.
Report Fraud is the UK route for reporting fraud and cyber crime in England, Wales, and Northern Ireland. Its ability to support victims and develop intelligence depends on organisations reporting incidents early enough for advice, disruption, and coordination to be useful. Where incidents are handled quietly through internal teams, insurers, or negotiators, the wider market loses information that could help prevent similar attacks.
For SMEs, ransomware is often an operational event before it is a data event. A locked device estate can halt bookings, stock systems, customer service, manufacturing equipment, logistics, finance, and communications. Even when backups exist, recovery can take days or weeks if systems are fragmented, identity controls are weak, documentation is poor, or incident response plans have not been tested.
The police guidance focuses on practical controls: regular backups, strong access controls, keeping systems updated, and following National Cyber Security Centre advice. Those measures are familiar, but many attacks still exploit exactly those weaknesses. Criminal groups look for exposed remote access, unpatched systems, stolen credentials, weak passwords, and insufficient segmentation. Once inside, they move through networks, encrypt systems, and apply pressure through disruption and sometimes data theft.
The spending challenge for smaller businesses is difficult. SMEs are being pushed to adopt cloud software, digital payments, AI tools, connected devices, online customer services, and integrated supply systems. Each can improve productivity, but each also expands the environment that must be governed. Security investment often lags behind digital adoption because resilience is treated as overhead until an incident turns it into a survival issue.
Supplier pressure is likely to increase. Larger companies, public-sector buyers, and regulated organisations increasingly expect smaller partners to demonstrate cyber controls, backup procedures, access management, and response plans. Cyber insurance applications can also force more detailed evidence of security maturity. Ransomware therefore affects market access as well as immediate recovery cost.
The Report Fraud figures will not capture the full scale of UK ransomware damage, but they show where pressure is falling. SMEs remain heavily exposed, losses are rising, and reporting culture is still fragile. Organisations that treat ransomware as a remote IT problem are leaving operational continuity vulnerable to a criminal business model that depends on silence, panic, and poor preparation.










