Under attack right now?

Disconnect affected systems from the network - pull cables, disable Wi-Fi
Do NOT turn off computers - preserves forensic evidence
Do NOT pay the ransom - payment does not guarantee recovery
Report immediately to Report Fraud (0300 123 2040) or Police Scotland (101)
Report to NCSC at report.ncsc.gov.uk for technical guidance

Ransomware encrypts your files and demands payment for their return. It is the most acute cyber threat facing UK businesses - the NCSC responds to 35-40 incidents per week, with 71% targeting small businesses.

Speed matters. The first hours determine whether you can recover your business.

NCSC cyber threat statistics 2025

Current statistics on cyber attacks targeting UK organisations from NCSC Annual Review 2025.

The UK is experiencing record cyber threats. The National Cyber Security Centre (NCSC) states: "The question is no longer if your organisation will face a cyber incident, but when."

NCSC CEO Richard Horne's warning: "Cyber criminals will target organisations of all sizes, operating in any sector."

Nationally significant attacks (year to September 2025): 204 attacks (up from 89 previous year)
Nationally significant attacks per week: 4 per week
Increase in highly significant incidents: 50% increase
Proportion of attacks classified as nationally significant: 48% (record high)
Ransomware incidents per week: 35-40 incidents per week (up from 20-25 in 2024)
Ransomware classification: Most acute cyber threat to UK organisations (NCSC)
Small businesses targeted by ransomware: 71% of ransomware attacks
Average ransomware downtime: 21 days
Average ransom demand: £100,000-£500,000 (varies widely)
Suspicious emails reported to SERS: 10.9 million in past year
Successful attacks beginning with phishing: Over 90%
People using easy-to-guess credentials: 19%
Businesses reviewing supplier cyber risk: Only 14% in last 12 months

1. Contain the attack immediately

Stop ransomware spreading to more systems. Every minute of delay means more encrypted files.

1

Disconnect affected computers from the network

Unplug ethernet cables and disable Wi-Fi on systems showing ransomware signs (ransom message, encrypted files, unusual file extensions). Do NOT turn computers off - this preserves evidence.
2

Disconnect shared drives and cloud storage

Network drives, NAS devices, and cloud sync services (OneDrive, Dropbox) are prime targets. Disconnect them immediately.
3

Isolate backup systems

Disconnect backup storage from the network immediately. Many ransomware variants target backups to prevent recovery.
4

Alert IT support and warn staff

Contact IT immediately. Tell all staff to stop using computers until given the all-clear.

2. Assess and report

Identify what is affected and report to the relevant authorities.

1

Document affected systems

Check each computer and server for ransom notes, files with unusual extensions (.locked, .encrypted), or files that will not open.
2

Check whether backups are intact

Test backups using a clean computer - do NOT connect backup drives to potentially infected systems.
3

Identify the ransomware variant

The ransom note often identifies the strain. Check nomoreransom.org for free decryption tools.
4

Preserve evidence

Photograph ransom messages. Keep logs of what happened and when. Do not delete files.

Cyber incident reporting contacts and procedures

Who to report cyber incidents to, including Action Fraud, ICO, NCSC, and geographic variations for Scotland.

Different cyber incidents require reporting to different authorities. All UK organisations should know their reporting obligations and have key contacts readily available.

Cyber crime reporting (England, Wales, NI): Report Fraud (formerly Action Fraud) - reportfraud.police.uk or 0300 123 2040
Cyber crime reporting (Scotland): Police Scotland via 101 (Scotland has not signed up to Report Fraud process)
Report Fraud phone hours: Monday-Friday 8am-8pm (24/7 for organisations under live attack)
Report Fraud from abroad: +44 300 123 2040
Data breach reporting (all UK): ICO at ico.org.uk/for-organisations/report-a-breach (within 72 hours if risk to individuals)
ICO helpline: 0303 123 1113 (Monday-Friday 9am-5pm)
Phishing email reporting: NCSC Suspicious Email Reporting Service (SERS) - forward to report@phishing.gov.uk
NCSC Cyber Incident Response (CIR) Scheme: Industry assurance scheme - all UK organisations should use CIR Assured Service Provider when dealing with cyber incidents
NHS organisations (NIS OES in England): Report to NHS England within 72 hours for incidents with adverse effect on security or significant impact on service continuity
Financial services firms: Report to FCA/PRA as per firm's notification procedures
Operators of Essential Services: Report to sector regulator within 72 hours
Digital service providers: Report to ICO within 72 hours if substantial impact
Under active cyber attack (need help): NCSC at ncsc.gov.uk and CIR provider immediately
What Report Fraud cannot do: Not investigative body, cannot guarantee police investigation or advise on report contents
Why report even if not investigated: Builds intelligence picture, identifies patterns, informs national policing priorities

Report data breaches to the ICO

Ransomware encrypting personal data is a breach under UK GDPR. You may need to notify the ICO within 72 hours.

ICO data breach notification requirements (72-hour rule)

Two-tier notification requirements under UK GDPR, including the 72-hour rule for reporting to ICO and requirements for notifying affected individuals.

Under UK GDPR, organisations must report personal data breaches to the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. A two-tier system applies:

Risk to individuals: Report to ICO within 72 hours
High risk to individuals: Report to ICO within 72 hours AND notify affected individuals without undue delay

The clock starts when you become aware of the breach, not when it originally happened or when you complete full investigation.

ICO reporting timeline: Within 72 hours of becoming aware of the breach
Threshold for ICO reporting: Breach likely to result in risk to rights and freedoms of individuals
Threshold for individual notification: Breach likely to result in high risk to rights and freedoms of individuals
Individual notification timeline: Without undue delay
When clock starts: When you become aware of the breach (sufficient evidence to believe incident occurred and meets threshold)
How to count 72 hours: Count hours, not working days (weekends and bank holidays count)
If you miss 72 hours: Still must report, must provide reasons for delay
Phased reporting permitted: Yes - initial report within 72 hours with available information, updates without undue delay
ICO reporting method: Online tool at ico.org.uk/for-organisations/report-a-breach
Exceptions to individual notification: Data encrypted/unintelligible, measures taken to eliminate high risk, or disproportionate effort (use public communication instead)
Record keeping requirement: Document all breaches whether or not reported to ICO (UK GDPR Article 33(5))
Recommended record retention: At least 3 years (aligns with ICO investigation timeframes)

3. Recovery options

In order of preference:

Option A: Restore from backups (preferred)

Verify backups are clean before restoring
Rebuild systems from scratch - ransomware may have left backdoors
Patch systems before reconnecting to the network

Option B: Use a free decryption tool

Check nomoreransom.org - a legitimate project providing free tools for many ransomware families
Do not pay for tools from unknown sources - many are scams

Option C: Rebuild without data recovery

Wipe systems and reinstall. Rebuild data from paper records and other sources
Painful but sometimes faster than waiting for decryption

4. The ransom payment decision

The NCSC and law enforcement strongly advise against paying. Understand the risks:

No guarantee of recovery: Criminals may not provide working keys or may demand more
Funds crime: Payment finances future attacks
Makes you a target: Paying organisations are often attacked again
May be illegal: Paying groups on UK sanctions lists is a criminal offence
Data may still be sold: Attackers often copy data before encrypting

Sanctions risk

Many ransomware groups are linked to sanctioned entities. Before any payment, check the UK sanctions list and seek legal advice.

NCSC position: Payment does not guarantee recovery and funds further attacks. If considering payment as a last resort, seek professional legal and technical advice first.

5. Recovery and prevention

After the crisis, focus on safe recovery and preventing recurrence.

1

Rebuild properly

Ensure systems are clean. Change all passwords. Enable multi-factor authentication. Apply all security updates before reconnecting.
2

Monitor for reinfection

Watch for unusual activity. Attackers may have established persistent access.
3

Conduct post-incident review

How did they get in? What failed? Document lessons and implement improvements.
4

Strengthen backups

Implement offline or immutable backups. Test restoration regularly.

Professional & Financial Services Requirement

Financial services firms

FCA/PRA-regulated firms must notify regulators of material cyber incidents. Follow your operational resilience procedures.

FCA operational resilience guidance

Healthcare & Social Care Requirement

NHS organisations

Notify NHS England and your Caldicott Guardian. NIS-designated organisations must report within 72 hours.

NHS Data Security and Protection Toolkit

6. Getting help

Consider professional support if you lack IT security expertise, the attack affects critical systems, or you need help with evidence preservation.

The NCSC maintains a list of Cyber Incident Response (CIR) Assured Service Providers - vetted companies for incident response. Your cyber insurance may also provide incident response services.

Before an attack happens

If reading this guide proactively:

Implement offline or immutable backups and test restoration
Enable multi-factor authentication for remote access and admin accounts
Keep systems patched - apply updates within 14 days
Train staff on phishing (90% of attacks start this way)
Create an incident response plan

Respond to a ransomware attack

Cyber security requirements for UK businesses

Report a cyber incident

Cyber security basics for small businesses

Tech Sector Compliance Overview

NHS Data Security and Protection Toolkit compliance

1. Contain the attack immediately

Disconnect affected computers from the network

Disconnect shared drives and cloud storage

Isolate backup systems

Alert IT support and warn staff

2. Assess and report

Document affected systems

Check whether backups are intact

Identify the ransomware variant

Preserve evidence

Report data breaches to the ICO

3. Recovery options

Option A: Restore from backups (preferred)

Option B: Use a free decryption tool

Option C: Rebuild without data recovery

4. The ransom payment decision

Sanctions risk

5. Recovery and prevention

Rebuild properly

Monitor for reinfection

Conduct post-incident review

Strengthen backups

Financial services firms

NHS organisations

6. Getting help

Before an attack happens

Official guidance and reporting

Related guides in Compliance & Legal

1. Contain the attack immediately

Disconnect affected computers from the network

Disconnect shared drives and cloud storage

Isolate backup systems

Alert IT support and warn staff

2. Assess and report

Document affected systems

Check whether backups are intact

Identify the ransomware variant

Preserve evidence

Report data breaches to the ICO

3. Recovery options

Option A: Restore from backups (preferred)

Option B: Use a free decryption tool

Option C: Rebuild without data recovery

4. The ransom payment decision

Sanctions risk

5. Recovery and prevention

Rebuild properly

Monitor for reinfection

Conduct post-incident review

Strengthen backups

Financial services firms

NHS organisations

6. Getting help

Before an attack happens

Official guidance and reporting