Why UK ransomware victims stay silent, and what it costs the rest of us

Carl Heaton · Security Commentary

On day one of an incident, before you know how bad it is, you face a decision most owner-managers dread. Do you tell anyone? Your systems are locked, a ransom note is on the screen, and the instinct is to keep it inside the building. Being named a ransomware victim feels like an admission that you got something wrong. So a lot of UK businesses choose silence, and that choice is more consequential than it looks.

New figures from the national Report Fraud service, run by the City of London Police and reported by Computer Weekly, show just how few victims speak up. Between April 2025 and March 2026, 323 organisations across the whole of the UK reported a ransomware attack. Over half of those, 175, were small and medium-sized businesses. The total reported financial loss across all 323 was £270,000.

That last number should stop you. A single mid-sized ransomware incident routinely costs more than £270,000 on its own once you count downtime, recovery, and lost trade. A figure that low across an entire year and an entire country does not describe a small problem. It describes a problem almost nobody is reporting.

The official picture is wrong, and that matters to you

The threat picture that everyone leans on is built from reports. Your insurer prices your premium against it. The National Cyber Security Centre (NCSC) shapes its guidance around it. Your sector body, your trade association, and the government's whole-of-society response all draw on the same well. When victims stay quiet, that well runs dry, and every decision downstream of it is made on bad data.

The reason for the silence is stigma. Jake Moore, global security advisor at the software firm ESET, put it plainly to Computer Weekly. "One of the biggest barriers to tackling ransomware is that so many organisations still feel they have to deal with it in silence," he said. "Falling victim has been seen as a weakness, with businesses fearing reputational damage or criticism if they admit to an attack." His point is that each unreported incident makes it harder for the police and for your peers to understand how these criminal groups actually operate.

That is the quiet cost of staying silent. The attackers reuse the same tactics across hundreds of victims. The few firms that have written openly about exactly what happened to them, Moore notes, have almost certainly stopped many later attacks from landing. Silence helps the attacker and starves the data that would protect the next business in your supply chain, which might be you.

You may have to report anyway

Set the stigma aside for a moment, because the choice is not always yours to make. If a ransomware attack involves personal data, which it almost always does once customer records, staff details, or payroll are touched, you have a legal duty under UK data protection law to tell the Information Commissioner's Office (ICO). The clock is short. You have 72 hours from becoming aware of a reportable breach to notify the regulator. That window starts during the worst week of your year, when you are least able to think clearly, which is exactly why the decision should not be made for the first time on the day.

Reporting is also heading in one direction. Government policy is moving towards mandatory ransomware reporting, partly to fix the very blind spot these figures expose. The direction of travel is clear: more obligation, not less. A business that has already worked out who it would tell will be ahead of the rule when it arrives.

Decide your reporting path before you need it

The mistake is treating reporting as something you work out in the moment. Make the calls in advance, write them into the incident plan, and the day-one decision is already made. Three destinations cover almost every case.

  • Action Fraud and the Report Fraud service. This is the route for reporting the crime itself. During a live incident you can call Report Fraud on 0300 123 2040, where a team is on hand to help while the attack is unfolding. Chief Superintendent Amanda Wolf, who heads the service, says the most effective defence is preparation, and that reporting promptly is part of it. Note the number now. You will not want to be searching for it mid-incident.
  • The Information Commissioner's Office. If personal data is involved, this is the 72-hour obligation. Knowing in advance what counts as reportable, and who in your business owns that call, turns a panicked judgement into a process.
  • The National Cyber Security Centre. Not a regulator, but a source of support. The NCSC publishes practical guidance and a Cyber Action Toolkit for responding to ransomware, and reporting to it feeds the national picture that protects everyone else.

One more thing the official advice is firm on. Do not pay the ransom. Neither the NCSC nor law enforcement endorses paying, and there is no guarantee you get your data back. Paying also funds the next attack, often on a business much like yours.

How Steelwise can help

Working out who you would report to, what your data protection obligations actually are, and writing that into a plan you have tested is the kind of review we do with clients, before an incident rather than during one. Get in touch.
