“We encourage businesses to be proactive – through regular data backups, strong access controls, keeping systems up to date, and following National Cyber Security Centre guidance,” Chief Superintendent Amanda Wolf said, summing up the advice to firms that report ransomware attacks.
Report Fraud and City of London Police: the raw numbers
Between April 2025 and March 2026, the UK’s Report Fraud service — run by City of London Police — was contacted by 323 corporate ransomware victims, the force said. That works out to more than 26 successful ransomware attacks each month across that 12‑month period. More than half of those reports came from small and mid-sized companies, the police added.
Financial impact: losses rose sharply but are likely understated
Financial losses associated with the reported incidents rose by roughly 50% year on year, reaching about £270,000 per incident on average (reported as approximately $357,000). The City of London Police cautioned that this figure is probably an underestimate because many businesses do not fully disclose the amount they lost or paid.
Sectors named most frequently: manufacturing, scientific and technical, education
Not all victims disclosed their industry, but among those that did the largest number of reports came from manufacturing (42 reports), followed by the scientific and technical sector (21) and education (19). The reporting does not present a complete sectoral map, but these counts indicate where victims were most willing to identify their vertical.
Security leaders: do not pay; prevention and resilience first
Kevin Knight, CEO of Talion, urged corporate victims not to pay extortion demands, warning that attackers “will rarely return data in full, and it can often be returned in a format that completely differs from its original form.” He added that even when a ransom is paid, “decryption keys don’t always work, which means organizations can pay a demand, but they still can’t rebuild their data.”
Knight and Chief Superintendent Wolf converged on practical prevention measures: regular and thorough backups, strong access controls, keeping systems up to date, and following guidance from the National Cyber Security Centre. Knight argued these practices reduce risk and called resilience and prevention “the solution to these problems.”
Closed Door principal Cyber Essentials assessor Timon Johnson warned that the true extent of ransomware activity will remain hidden so long as reporting remains voluntary and incomplete, a point that underpins the broader debate over possible legal changes.
Small and mid-sized companies, policymakers, and security teams
- Small and mid-sized companies: Over 50% of Report Fraud alerts came from these firms, making them the most frequently reported victims. The source material implies these companies should prioritize regular backups, access controls and patches to reduce both frequency and impact.
- Policymakers and regulators: The UK is “still mulling plans for mandatory ransomware reporting and a ban on payments from public sector bodies and critical infrastructure (CNI) providers.” Policymakers will be watching whether a legal framework can incentivize more accurate and open reporting — an outcome some experts say would make the problem more visible.
- Security teams and technologists: Experts quoted in the reporting stress prevention-first measures and highlight the difficulty of recovery even when a ransom is paid, signaling that investments in backups, cold-storage and access controls remain the operational priorities.
Last year was “a particularly bad one” for UK firms, the reporting notes, with high‑profile breaches at Marks & Spencer, Co-op Group and Jaguar Land Rover that together cost the national economy billions; this week Russian hackers were blamed for the Jaguar Land Rover incident, with experts saying the attack may have had sabotage motives rather than purely financial ones.
Taken together, the figures and expert commentary in the Report Fraud data outline a familiar but stubborn pattern: rising monetary impact, concentrated reporting from smaller firms, and persistent underreporting that clouds the true scale of criminal activity. The next concrete step flagged by sources is policy: whether mandatory reporting and payment bans will be adopted — and whether that will draw a clearer picture of ransomware’s toll.
