The key UK ransomware statistics in one place — how many attacks the official sources actually count, how many victims pay the ransom and how much they hand over, what recovery costs, the biggest named UK incidents, and where the law on paying ransoms is heading, with the data period stated next to every figure.

Ransomware is the attack type the UK's own cyber agency calls the most pressing threat facing the country, and the one behind the most damaging British incidents of recent years — Capita, Advanced, M&S, Co-op and Jaguar Land Rover among them. The reliable numbers come from a short list of sources: the National Cyber Security Centre (NCSC) Annual Review, the government's Cyber Security Breaches Survey, the Information Commissioner's Office (ICO) incident dataset, Home Office policy papers, and named-methodology industry studies from Sophos and Databarracks.

This page brings those figures together. It is scoped to ransomware specifically — incident counts, payment behaviour, costs, case studies and the coming payment-ban legislation. Every figure carries its data period, and every source is linked in full at the end.

Key facts and figures

  • 204 nationally significant cyber incidents were handled by the NCSC in the year to September 2025 — up 130% from 89 the year before.
  • 1% of UK businesses experienced a ransomware attack in 2025/26, down from 3% in each of the two previous years.
  • 1,253 ransomware incidents were reported to the ICO in 2023 — roughly eight times the 158 reported in 2019.
  • 17% of UK organisations hit by ransomware paid the ransom in 2025, down from 44% in 2023.
  • 103% — UK victims that did pay handed over more than the initial demand on average, against a global average of 85%.
  • ~£2 million ($2.58m) — the average UK ransomware recovery cost in 2025, up from $2.07m the year before.
  • £270m–£440m — the estimated UK financial impact of the combined M&S/Co-op ransomware event of 2025.
  • £14 million — the ICO fine issued to Capita in October 2025 after a ransomware breach affecting 6.6 million people.

The headline measures at a glance:

MeasureLatest figureData periodTrend / detail
Nationally significant incidents handled by the NCSC204Year to September 2025Up 130% from 89 the year before — about four a week
UK businesses experiencing ransomware1%2025/26 survey (published April 2026)Down from 3% in 2024/25 and 2023/24
Ransomware incidents reported to the ICO1,2532023 calendar yearRoughly 8× the 158 reports of 2019
UK victims paying the ransom17%2025 (Databarracks, August 2025)Down from 27% in 2024 and 44% in 2023
Share of the demand handed over by UK payers103%2025 (Sophos)Global average 85%
Average UK ransomware recovery cost~£2m ($2.58m)2025 (Sophos)Up from $2.07m the year before
Estimated impact of the M&S/Co-op event£270m–£440mJune 2025 (Cyber Monitoring Centre)First live public Category 2 "systemic event" rating
Largest UK ransomware-related ICO fine£14m (Capita)October 20256.6 million people's data affected

These are the latest figures available as of July 2026, and this page is updated as new data lands — the Cyber Security Breaches Survey is published each spring, the NCSC Annual Review each autumn, and the ICO's incident dataset refreshes quarterly.

How many ransomware attacks happen in the UK each year?

The NCSC handled a record 204 nationally significant cyber incidents in the year to September 2025 — up 130% from 89 the year before, or roughly four every week. In the same Annual Review, published in October 2025, the agency named ransomware the most pressing cyber threat facing the UK, with M&S, Co-op and Jaguar Land Rover the headline victims of the year.

There is no single official count of every UK ransomware attack, so the honest answer comes from reading three official lenses together, each measuring a different slice of the problem:

  • The NCSC counts the incidents serious enough to need national-level support — the top of the pyramid. Its 204 nationally significant incidents in the year to September 2025 span all attack types, with ransomware singled out as the most pressing.
  • The ICO counts ransomware breaches that organisations report under UK GDPR. Reports rose from 158 in 2019 to 723 in 2021 and 1,253 in 2023 — roughly an eightfold increase in four years, according to analysis of the ICO's incident dataset by The Record.
  • The Cyber Security Breaches Survey measures prevalence across the whole economy: 1% of UK businesses experienced ransomware in the 12 months before the 2025/26 survey, published on 30 April 2026.

The ICO figures carry a second, less comfortable statistic. Of the 1,253 ransomware incidents reported to the regulator in 2023, only 87 — under 7% — were investigated, per the same analysis of the ICO data. Reporting a ransomware breach is a legal duty; regulatory follow-up on any individual report remains the exception.

Is ransomware in the UK rising or falling?

Both — and that paradox is the single most important thing to understand about the UK data. Survey prevalence is falling: 1% of UK businesses experienced ransomware in 2025/26, down from 3% in both 2024/25 and 2023/24, according to the Cyber Security Breaches Survey. Yet over almost the same window the NCSC's count of nationally significant incidents jumped 130% to a record 204, and ICO ransomware reports sit roughly eight times above their 2019 level.

The two directions are consistent because the measures capture different ends of the threat. The survey counts how many organisations of all sizes were hit at all; the NCSC and ICO series are dominated by the serious, large-organisation incidents. Fewer businesses overall are being hit, but the attacks that do land are more targeted, hit bigger organisations and their suppliers, and do far more damage — record severity on a falling base.

One group bucked the falling trend: ransomware cyber crimes against charities doubled, from under 0.5% in 2024/25 to 1% in 2025/26, the same survey found.

For context, ransomware remains a small slice of overall UK cyber crime — 43% of UK businesses (around 612,000) experienced a breach or attack of some kind in 2025/26, and UK businesses suffered roughly 5.19 million cyber crimes of all types in 12 months; our UK data breach statistics page covers those whole-economy figures in full, and our phishing statistics page covers the attack type that most often opens the door.

What percentage of UK ransomware victims pay the ransom?

Only 17% of UK organisations hit by ransomware paid the ransom in 2025 — down from 27% in 2024 and 44% in 2023, according to the Databarracks Data Health Check, a survey of 500 UK IT decision-makers published in August 2025. In three years, paying has gone from the most common response to a minority one: 57% of victims recovered from backups instead.

The refusal is increasingly a matter of written policy, not just judgement on the day. 24% of UK organisations now have a formal policy never to pay a ransom — double the 2023 figure, the same study found.

But there is a sting in the tail for the minority that do pay. UK organisations that paid handed over on average 103% of the initial ransom demand in 2025, against a global average of 85%, according to Sophos's State of Ransomware research. In other words, the average UK payer ends up paying slightly more than the criminals first asked for — while payers elsewhere typically negotiate the figure down. Whatever the reason, the UK numbers make one thing clear: those who pay rarely pay less.

How much does a ransomware attack cost a UK business?

The average UK ransomware recovery cost rose to around £2 million ($2.58m) in 2025, up from $2.07m the year before, according to Sophos's State of Ransomware 2025 (UK findings). There is better news inside the same dataset: 59% of UK victims fully recovered within a week in 2025, up from 38% a year earlier — organisations are getting materially faster at getting back on their feet, even as the bill rises.

On how attacks get in, exploited software vulnerabilities were the most common technical root cause of UK ransomware attacks, cited by 36% of affected businesses in the 2025 Sophos study — ahead of the compromised credentials and malicious email routes that dominate the popular imagination.

At the top end, the costs run far beyond any survey average. The Cyber Monitoring Centre — the independent UK body that categorises major cyber events for the insurance industry — classified the 2025 M&S and Co-op attacks as a single Category 2 "systemic event" with an estimated UK financial impact of £270 million to £440 million. It was the CMC's first live public categorisation of an ongoing event, and it put an insurance-grade price on what a single linked ransomware campaign can do to two household-name retailers.

Which UK ransomware attacks caused the most damage?

Four incidents define the modern UK ransomware record — two for the regulatory penalties they produced, and two for their sheer economic impact:

IncidentWhenWhat happenedImpactOutcome
CapitaMarch 2023Black Basta ransomware; the compromised device went unquarantined for 58 hours6.6 million people's data exposed£14m ICO fine (£8m Capita plc + £6m Capita Pension Solutions), 15 October 2025
Advanced Computer SoftwareAugust 2022LockBit ransomware, entering via a customer account without MFANHS 111 disrupted; 79,404 people's data exposed£3.07m ICO fine, March 2025
M&S and Co-opSpring 2025Linked ransomware attacks classified by the CMC as a single systemic eventWeeks of retail disruption across both groups£270m–£440m estimated UK impact (CMC, June 2025)
Jaguar Land Rover2025Cyber attack named by the NCSC as a headline incident of its reporting yearMajor production disruptionNo regulatory outcome announced to date

The Capita and Advanced penalties matter beyond their headline figures: both establish that UK organisations carry regulatory liability for ransomware attacks where their own controls fell short — an unquarantined device in one case, a single account without multi-factor authentication in the other. They appear here as case-study context; the full penalty ledger, calculation methodology and enforcement trends live on our GDPR fines and enforcement statistics page, and the 72-hour breach reporting duty they engage is covered in our data breach response guide.

Will it become illegal to pay a ransom in the UK?

For some organisations, yes — that is now stated government policy. On 22 July 2025 the Home Office published its response to the ransomware legislative consultation, confirming plans for a targeted ban on ransom payments by the public sector and critical national infrastructure — a proposal backed by 72% of consultation respondents. Alongside the ban, the government confirmed plans for a mandatory reporting regime requiring ransomware victims to report incidents within 72 hours.

Today, paying a ransom is not in itself a criminal offence for most UK businesses — though a payment that reaches a sanctioned group can breach financial sanctions law, which is a key reason victims take legal advice before engaging with attackers at all. The July 2025 response marks the shift from consultation to committed policy: the measures still need primary legislation, so the practical questions — exactly which bodies fall inside the ban, and what the reporting regime demands — will be settled when the bill is published and debated.

The policy logic leans directly on the payment statistics above. With only 17% of UK victims paying and a growing never-pay cohort, the government's bet is that removing the most reliable payers — public bodies and infrastructure operators — makes the UK a less profitable target altogether.

Frequently asked questions

How many ransomware attacks happen in the UK each year?

There is no single official count. The best triangulation: the NCSC handled 204 nationally significant cyber incidents of all types in the year to September 2025, with ransomware the most pressing threat; organisations reported 1,253 ransomware breaches to the ICO in 2023 (the latest full-year analysis); and 1% of UK businesses experienced ransomware in the 2025/26 Cyber Security Breaches Survey.

What percentage of UK ransomware victims pay the ransom?

17% in 2025, per the Databarracks Data Health Check — down from 27% in 2024 and 44% in 2023. Most victims (57%) now recover from backups, and 24% of UK organisations have a formal never-pay policy. Those that do pay hand over on average 103% of the original demand.

How much does a ransomware attack cost a UK business?

Around £2 million ($2.58m) on average in recovery costs in 2025, per Sophos's UK findings — up from $2.07m the year before. Systemic events run far higher: the Cyber Monitoring Centre estimated the combined M&S/Co-op event at £270m–£440m in UK financial impact.

Is it illegal to pay a ransomware ransom in the UK?

Not currently, for most private organisations — although paying a sanctioned group can breach financial sanctions law. That is changing: the Home Office confirmed in July 2025 that it will legislate for a targeted payment ban covering the public sector and critical national infrastructure, plus 72-hour mandatory incident reporting for victims.

How much did the M&S cyber attack cost?

The Cyber Monitoring Centre assessed the M&S and Co-op attacks as a single Category 2 systemic event with an estimated UK financial impact of £270 million to £440 million (June 2025) — its first live public categorisation of an ongoing cyber event.

What is the most common cause of UK ransomware attacks?

Exploited software vulnerabilities, cited by 36% of affected UK businesses as the technical root cause in Sophos's 2025 study. Phishing and stolen credentials remain major entry routes — our UK phishing statistics page covers that attack type in depth.

Sources & references

Ransomware gets in through everyday mistakes — a missed update, a weak password, a convincing email. Train your team to handle data safely and meet UK GDPR duties.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, workplace compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.