On June 29, 2026, the City of London Police and the UK's Report Fraud service initiated a national awareness campaign to address the escalating threat of ransomware. The campaign is supported by newly released data showing that 323 UK organizations officially reported attacks in the 2025-2026 fiscal year, with small and medium-sized enterprises (SMEs) being the primary victims. The manufacturing, scientific, and education sectors were the most frequently targeted. Authorities are strongly advising businesses against paying ransoms, as it does not guarantee data recovery and fuels the criminal economy. The campaign's core message is a shift towards proactive defense, emphasizing the importance of data backups, software patching, and employee training.
The campaign provides a statistical overview of the ransomware problem in the UK to encourage better defensive postures among businesses. Key findings for the period between April 2025 and March 2026 include:
The central policy promoted by the campaign, in line with guidance from the National Cyber Security Centre (NCSC), is to not pay the ransom. The rationale is that paying does not guarantee data recovery, may result in the device remaining infected, and directly funds criminal enterprises, encouraging further attacks.
The data clearly shows that ransomware is a widespread threat across the UK, but it disproportionately affects certain organizations:
While the campaign itself does not introduce new legal requirements, it reinforces existing obligations under regulations like the UK GDPR. A successful ransomware attack involving personal data is a data breach that must be reported to the Information Commissioner's Office (ICO) within 72 hours if it poses a risk to individuals' rights and freedoms. The campaign's call for reporting incidents to Report Fraud is for intelligence-gathering purposes to help law enforcement track threat actors, which is separate from regulatory compliance reporting.
The business and operational impacts of the ransomware trend are severe:
The campaign provides a clear action plan for businesses to improve their resilience:
Northamptonshire Police join UK ransomware campaign, detailing severe SME impacts including business closure and clarifying ransom payment legality.
Training users to identify and report phishing attempts is a crucial first line of defense against ransomware.
Keeping systems and software patched prevents attackers from using known vulnerabilities for initial access or privilege escalation.
Enforcing MFA on all remote access points and critical accounts makes it much harder for attackers to gain access with stolen credentials.
Segmenting the network can limit the lateral movement of ransomware, preventing it from spreading from one compromised host to the entire network.
The cornerstone of ransomware resilience, as highlighted by the UK police campaign, is a robust backup and restoration strategy. Organizations must implement the 3-2-1 backup rule: three copies of data, on two different media types, with one copy off-site or immutable. Backups must be tested regularly to ensure they are viable for restoration. For ransomware, it is critical that at least one backup copy is 'offline' or logically air-gapped (e.g., on tape, rotated external drives, or in an immutable cloud storage bucket). This prevents the ransomware from encrypting the backups along with the primary data. Having a tested, reliable backup system removes the attacker's primary leverage and enables the organization to restore operations without considering the ransom payment, directly supporting the campaign's 'Don't Pay' message.
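The 3-2-1 rule and the ransomware-specific requirements above can be checked mechanically against an inventory of copies. The following is an added example, not part of the campaign material: the inventory format, the host names and the 90-day restore-test window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    media: str                  # "disk", "tape", "object-storage", ...
    offsite: bool               # held away from the primary site
    immutable: bool             # offline, air-gapped or write-once storage
    last_restore_test: Optional[date] = None  # None = never test-restored
    is_primary: bool = False    # the live data counts as one of the three


def audit_321(copies, today, max_test_age_days=90):
    """Return findings for a copy inventory; an empty list means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies are on one media type, need 2")
    backups = [c for c in copies if not c.is_primary]
    if not any(c.offsite or c.immutable for c in backups):
        findings.append("no backup copy is off-site or immutable")
    # Ransomware case: one copy must be out of reach of a compromised host.
    if not any(c.immutable for c in backups):
        findings.append("no offline or immutable backup copy")
    cutoff = today - timedelta(days=max_test_age_days)
    for c in backups:
        if c.last_restore_test is None or c.last_restore_test < cutoff:
            findings.append(f"{c.name}: no restore test since {cutoff}")
    return findings


# Constructed inventories for illustration.
TODAY = date(2026, 6, 29)
WEAK = [
    BackupCopy("prod-fileserver", "disk", False, False, is_primary=True),
    BackupCopy("nas-nightly", "disk", False, False, date(2026, 6, 1)),
    BackupCopy("cloud-weekly", "object-storage", True, False, date(2026, 1, 10)),
]
HARDENED = WEAK[:2] + [
    BackupCopy("cloud-weekly", "object-storage", True, True, date(2026, 6, 15)),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_321(inv, TODAY) or "passes")
```

The weak inventory satisfies the plain 3-2-1 count yet still fails, because its off-site copy is writable and has not been restore-tested inside the window.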
A systematic and timely patch management program is a fundamental defense against ransomware. Threat actors frequently exploit known vulnerabilities in internet-facing systems (like VPNs and RDP) and common software (like web browsers and office suites) to gain initial access. Organizations, especially the SMEs targeted in the UK, should prioritize patching vulnerabilities listed in CISA's KEV catalog. Automated patch management tools can help ensure that critical and high-severity patches are deployed across all endpoints and servers promptly. This proactive stance significantly reduces the attack surface, making it much harder for ransomware operators to find an entry point into the network. This directly addresses the preventative measures advocated by the NCSC and UK police.
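One way to apply the KEV prioritisation described above is to cross-reference scanner findings with the catalog and sort ransomware-linked entries first. This is an added example, not code from the campaign or from CISA: the scanner output format and host names are hypothetical, the CVE IDs are placeholders, and the catalog sample is constructed using the field names of the KEV JSON feed (cveID, dueDate, knownRansomwareCampaignUse).

```python
# Constructed sample in the shape of CISA's KEV JSON feed; the CVE IDs are
# placeholders, not real entries.
KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2026-05-01",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2026-06-15",
     "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed vulnerability-scanner output (hypothetical hosts).
FINDINGS = [
    {"host": "file-srv-02", "cve": "CVE-0000-0003", "internet_facing": False},
    {"host": "vpn-gw-01", "cve": "CVE-0000-0001", "internet_facing": True},
    {"host": "web-01", "cve": "CVE-0000-0002", "internet_facing": True},
    {"host": "hr-laptop-07", "cve": "CVE-0000-0001", "internet_facing": False},
]


def prioritise(findings, kev):
    """Order findings: ransomware-linked KEV, other KEV, exposure, the rest."""
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    ranked = []
    for f in findings:
        entry = index.get(f["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry["knownRansomwareCampaignUse"] == "Known"
        ranked.append({**f, "in_kev": in_kev, "ransomware": ransomware,
                       "kev_due": entry["dueDate"] if in_kev else None})
    # Tuples of booleans sort False < True, so reverse puts the worst first.
    ranked.sort(key=lambda r: (r["ransomware"], r["in_kev"],
                               r["internet_facing"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritise(FINDINGS, KEV):
        print(r["host"], r["cve"], "KEV" if r["in_kev"] else "-", r["kev_due"])
```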
To protect against credential-based attacks that often lead to ransomware deployment, organizations must enforce multi-factor authentication (MFA) on all remote access services (VPN, RDP), cloud services (Microsoft 365, Google Workspace), and privileged accounts. Stolen credentials are a top commodity for ransomware gangs. MFA provides a critical layer of defense that can block an attacker even if they have a valid username and password. For maximum effectiveness, organizations should prioritize phishing-resistant MFA methods like FIDO2 security keys over less secure methods like SMS or simple authenticator app push notifications, which are susceptible to MFA fatigue attacks.
Start of the fiscal year period during which 323 ransomware attacks were reported.
End of the fiscal year period for the ransomware attack data.
The City of London Police and Report Fraud launch the national 'Don't pay the ransom' campaign.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.