Summary
- Report Fraud says 323 organisations reported ransomware attacks between April 2025 and March 2026.
- More than half of the reports came from SMEs, with manufacturing, scientific and technical services, and education among listed sectors.
- The figures point to underreporting, weak financial visibility, and uneven resilience across smaller UK organisations.
Report Fraud says 323 UK organisations reported ransomware attacks between April 2025 and March 2026, with small and medium-sized enterprises accounting for more than half of the known cases.
The figures were published as part of a campaign warning organisations not to pay ransoms and to report attacks quickly. Of the 323 reported attacks, 175 came from SMEs. Where a sector was listed, manufacturing accounted for 42 reports, scientific and technical services for 21, and education for 19.
Reported financial losses totalled around £270,000, a 50% increase compared with the previous year. Report Fraud cautions that the real figure is likely to be higher because organisations often underreport losses. The caveat is central to the value of the data: ransomware reporting gives a useful signal, but not a complete measure of national exposure.
The gap between reported incidents and actual harm remains a persistent UK problem. Organisations may avoid reporting because they fear reputational damage, customer concern, regulatory scrutiny, insurance complications, or questions over whether a ransom payment could create compliance or legal issues. Smaller organisations may also lack the internal capacity to preserve evidence, quantify losses, or navigate reporting during an active incident.
The figures show ransomware affecting businesses of ordinary size, not only large public companies or critical infrastructure operators. They also show why official data can understate both frequency and cost. Direct ransom payments are only one part of loss. Downtime, lost orders, recovery work, forensic support, legal advice, customer communication, overtime, replacement systems, and insurance excesses can produce a much larger operational bill.
SME exposure is especially important because many smaller companies sit inside larger supply chains, provide specialist services to regulated organisations, or hold customer data, design files, payroll records, and operational systems that larger customers depend on. An attack on a small supplier can become a continuity issue for a larger buyer, even when the victim is not itself regulated as critical infrastructure.
The sector spread also deserves attention. Manufacturing ransomware incidents can interrupt production, logistics, and supplier commitments. Scientific and technical services may hold intellectual property, engineering data, research material, and client files. Education is exposed through identity data, safeguarding records, finance systems, and disruption to teaching, examinations, or student services.
Report Fraud’s campaign gives practical advice: maintain regular backups, use strong access controls, keep systems updated, and follow National Cyber Security Centre guidance. Those controls are well established, but implementation remains uneven. Ransomware still succeeds through exposed remote access, weak credentials, unpatched systems, poor segmentation, inadequate monitoring, and recovery plans that have not been tested.
Resilience depends on decisions made before the incident. Organisations need to know which systems are critical, how backups are protected, who has privileged access, how suppliers connect, what cyber insurance requires, when legal and regulatory notifications are triggered, and who has authority to make decisions during disruption.
The figures do not show a complete picture of UK ransomware. They show the visible edge of a larger problem: more than 300 organisations reported attacks in a year, while others may have absorbed incidents privately, misclassified them, or never reported at all. That leaves government, regulators, insurers, and larger buyers with an incomplete map of where operational risk is accumulating.





