UK Police Data Shows Over 320 Businesses Hit by Ransomware, Prompting National 'Don't Pay' Campaign

UK Police Launch Campaign as Ransomware Attacks on Businesses Surge

MEDIUM
Published: June 30, 2026
Updated: July 2, 2026
Ransomware, Policy and Compliance, Regulatory

Executive Summary

On June 29, 2026, the City of London Police and the UK's Report Fraud service initiated a national awareness campaign to address the escalating threat of ransomware. The campaign is supported by newly released data showing that 323 UK organizations officially reported attacks in the 2025-2026 fiscal year, with small and medium-sized enterprises (SMEs) being the primary victims. The manufacturing, scientific, and education sectors were the most frequently targeted. Authorities are strongly advising businesses against paying ransoms, as it does not guarantee data recovery and fuels the criminal economy. The campaign's core message is a shift towards proactive defense, emphasizing the importance of data backups, software patching, and employee training.


Regulatory Details

The campaign provides a statistical overview of the ransomware problem in the UK to encourage better defensive postures among businesses. Key findings for the period between April 2025 and March 2026 include:

  • Total Reports: 323 organizations filed official ransomware reports.
  • SME Impact: Over half of the reports (175) came from SMEs, highlighting their vulnerability.
  • Financial Losses: Reported losses rose 50% year-over-year to approximately £270,000. However, authorities state this is a significant underestimate due to widespread underreporting.
  • Top Affected Sectors: Where specified, the most impacted industries were Manufacturing (42 reports), Scientific and Technical (21 reports), and Education (19 reports).

The central policy promoted by the campaign, in line with guidance from the National Cyber Security Centre (NCSC), is to not pay the ransom. The rationale is that paying does not guarantee data recovery, may result in the device remaining infected, and directly funds criminal enterprises, encouraging further attacks.

Affected Organizations

The data clearly shows that ransomware is a widespread threat across the UK, but it disproportionately affects certain organizations:

  • Small and Medium-Sized Enterprises (SMEs): As the majority of victims, SMEs are particularly at risk due to often having fewer resources for dedicated cybersecurity staff and infrastructure.
  • Manufacturing Sector: This industry is a prime target, likely due to the high cost of operational downtime, which attackers believe increases their leverage for payment.
  • Scientific and Technical Sector: These organizations hold valuable intellectual property, making them attractive targets for data theft and extortion.
  • Education Sector: Schools and universities often have limited budgets, large user bases, and a wealth of personal data, creating a target-rich, resource-poor environment for attackers.

Compliance Requirements

While the campaign itself does not introduce new legal requirements, it reinforces existing obligations under regulations like the UK GDPR. A successful ransomware attack involving personal data is a data breach that must be reported to the Information Commissioner's Office (ICO) within 72 hours if it poses a risk to individuals' rights and freedoms. The campaign's call for reporting incidents to Report Fraud is for intelligence-gathering purposes to help law enforcement track threat actors, which is separate from regulatory compliance reporting.

Impact Assessment

The business and operational impacts of the ransomware trend are severe:

  • Financial Costs: Beyond the ransom itself, costs include business downtime, recovery expenses, incident response consultants, legal fees, and potential regulatory fines.
  • Operational Disruption: For sectors like manufacturing, a ransomware attack can halt production lines, leading to massive revenue loss and supply chain disruptions.
  • Reputational Damage: A public breach can erode trust from customers, partners, and investors.
  • Data Loss: Even if a ransom is paid, there is no guarantee that decryption keys will work or that data will be fully restored. Attackers may have also stolen the data for double extortion.

Compliance Guidance

The campaign provides a clear action plan for businesses to improve their resilience:

  1. Regular Backups: Maintain regular, tested backups of important data. Crucially, these backups must be kept offline or on a segmented network so they cannot be encrypted during an attack. This is the single most effective way to recover from ransomware without paying. This aligns with D3FEND File Restoration.
  2. Software Updates: Implement a robust patch management process to keep operating systems, applications, and security software up to date. Many ransomware attacks exploit known vulnerabilities. This is a core principle of D3FEND Software Update.
  3. User Training: Train employees to recognize and report phishing emails, which are a primary initial access vector for ransomware. This maps to MITRE Mitigation M1017 - User Training.
  4. Incident Response Plan: Develop and test an incident response plan that specifically covers ransomware. This plan should outline steps to take, who to contact, and how to make recovery decisions without succumbing to pressure.
  5. Report Incidents: Report all ransomware incidents to Report Fraud to help UK law enforcement build a national intelligence picture and pursue the criminals responsible.

Timeline of Events

  1. April 1, 2025: Start of the fiscal year period during which 323 ransomware attacks were reported.
  2. March 31, 2026: End of the fiscal year period for the ransomware attack data.
  3. June 29, 2026: The City of London Police and Report Fraud launch the national 'Don't pay the ransom' campaign.
  4. June 30, 2026: This article was published.

Article Updates

July 2, 2026

Northamptonshire Police join UK ransomware campaign, detailing severe SME impacts including business closure and clarifying ransom payment legality.

MITRE ATT&CK Mitigations

Training users to identify and report phishing attempts is a crucial first line of defense against ransomware.

Keeping systems and software patched prevents attackers from using known vulnerabilities for initial access or privilege escalation.

Enforcing MFA on all remote access points and critical accounts makes it much harder for attackers to gain access with stolen credentials.

Segmenting the network can limit the lateral movement of ransomware, preventing it from spreading from one compromised host to the entire network.

D3FEND Defensive Countermeasures

The cornerstone of ransomware resilience, as highlighted by the UK police campaign, is a robust backup and restoration strategy. Organizations must implement the 3-2-1 backup rule: three copies of data, on two different media types, with one copy off-site or immutable. Backups must be tested regularly to ensure they are viable for restoration. For ransomware, it is critical that at least one backup copy is 'offline' or logically air-gapped (e.g., on tape, rotated external drives, or in an immutable cloud storage bucket). This prevents the ransomware from encrypting the backups along with the primary data. Having a tested, reliable backup system removes the attacker's primary leverage and enables the organization to restore operations without considering the ransom payment, directly supporting the campaign's 'Don't Pay' message.
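A restore test of the kind described above, as an added example that is not part of the original article or the campaign material: a hash manifest is recorded at backup time, and each test restores the archive to a scratch directory and compares it with that manifest. The file names and contents are constructed, and the manifest is assumed to be stored where the backup job cannot rewrite it.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source, archive):
    """Archive every file under source; return the manifest to keep with the backup."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(Path(source, rel)), arcname=rel)
    return manifest

def verify_restore(archive, manifest):
    """Restore to a scratch directory and diff the result against the manifest."""
    # Use tarfile's safe "data" extraction filter where this Python provides it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            tar.extractall(scratch, **opts)
        restored = build_manifest(scratch)
    shared = set(manifest) & set(restored)
    return {"missing": sorted(set(manifest) - set(restored)),
            "corrupted": sorted(p for p in shared if manifest[p] != restored[p])}

def demo():
    """Constructed data: a good backup, then one taken after the source was damaged."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work, "data")
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (data / "orders.db").write_bytes(b"constructed sample records")
        manifest = make_backup(data, Path(work, "good.tar.gz"))
        clean = verify_restore(Path(work, "good.tar.gz"), manifest)
        # Simulate a later backup job that captured already-damaged files.
        (data / "orders.db").write_bytes(b"\x00" * 26)
        (data / "finance" / "ledger.csv").unlink()
        make_backup(data, Path(work, "bad.tar.gz"))
        damaged = verify_restore(Path(work, "bad.tar.gz"), manifest)
    return clean, damaged

if __name__ == "__main__":
    print(demo())
```

A backup job can complete successfully while archiving files that are already damaged or encrypted, which is why the comparison is made against a manifest from a known-good point rather than against the live source.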

A systematic and timely patch management program is a fundamental defense against ransomware. Threat actors frequently exploit known vulnerabilities in internet-facing systems (like VPNs and RDP) and common software (like web browsers and office suites) to gain initial access. Organizations, especially the SMEs targeted in the UK, should prioritize patching vulnerabilities listed in CISA's KEV catalog. Automated patch management tools can help ensure that critical and high-severity patches are deployed across all endpoints and servers promptly. This proactive stance significantly reduces the attack surface, making it much harder for ransomware operators to find an entry point into the network. This directly addresses the preventative measures advocated by the NCSC and UK police.
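One way to turn the KEV prioritization above into a patch queue, as an added example that is not from the original article: scanner findings are matched against a KEV excerpt and ordered by ransomware use, then internet exposure, then due date. The CVE IDs are placeholders, the hosts and the `internet_facing` flag are constructed, and the ordering policy is an assumption; the KEV `dueDate` is the deadline CISA sets for US federal agencies and is used here only as an ordering hint.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. CVE IDs are placeholders.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "Example VPN", "dueDate": "2026-06-20",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "product": "Example CMS", "dueDate": "2026-06-15",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "product": "Example RDP gateway", "dueDate": "2026-07-15",
     "knownRansomwareCampaignUse": "Known"},
]}

# Constructed scanner findings; "internet_facing" is a hypothetical inventory flag.
FINDINGS = [
    {"host": "hr-laptop-17", "cve": "CVE-0000-0009", "internet_facing": False},
    {"host": "web-01", "cve": "CVE-0000-0002", "internet_facing": True},
    {"host": "file-srv-02", "cve": "CVE-0000-0003", "internet_facing": False},
    {"host": "rdp-jump-01", "cve": "CVE-0000-0003", "internet_facing": True},
    {"host": "vpn-gw-01", "cve": "CVE-0000-0001", "internet_facing": True},
]
TODAY = date(2026, 7, 2)  # constructed "now" so the overdue flags are reproducible

def prioritize(findings, kev, today):
    """Split findings into a KEV-listed urgent queue (sorted) and a routine queue."""
    catalog = {v["cveID"]: v for v in kev["vulnerabilities"]}
    urgent, routine = [], []
    for finding in findings:
        entry = catalog.get(finding["cve"])
        if entry is None:
            routine.append(finding)  # not known-exploited: normal patch cycle
            continue
        due = date.fromisoformat(entry["dueDate"])
        urgent.append({**finding, "product": entry["product"], "due": due,
                       "overdue": due < today,
                       "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # Assumed policy: ransomware-linked first, then exposed hosts, then earliest due date.
    urgent.sort(key=lambda u: (not u["ransomware"], not u["internet_facing"],
                               u["due"], u["host"]))
    return urgent, routine

if __name__ == "__main__":
    queue, backlog = prioritize(FINDINGS, KEV_SAMPLE, TODAY)
    for item in queue:
        print(item["host"], item["cve"], "OVERDUE" if item["overdue"] else item["due"])
    print("routine:", [f["host"] for f in backlog])
```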

To protect against credential-based attacks that often lead to ransomware deployment, organizations must enforce multi-factor authentication (MFA) on all remote access services (VPN, RDP), cloud services (Microsoft 365, Google Workspace), and privileged accounts. Stolen credentials are a top commodity for ransomware gangs. MFA provides a critical layer of defense that can block an attacker even if they have a valid username and password. For maximum effectiveness, organizations should prioritize phishing-resistant MFA methods like FIDO2 security keys over less secure methods like SMS or simple authenticator app push notifications, which are susceptible to MFA fatigue attacks.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

Ransomware, UK, City of London Police, NCSC, SME, Cybercrime, Policy
