Just before the Easter bank holiday weekend, Marks & Spencer was plunged into one of the worst ransomware breaches the UK has seen in recent years. Other big-name retailers like the Co-op soon followed. The total financial impact for these two incidents alone is estimated at up to £440m.
Yet the truth is that the majority of ransomware doesn’t target high-profile organisations like these. Instead, threat actors go after larger numbers of smaller companies, many of which don’t have the resources or know-how to defend themselves adequately. As new research shows, this is costing them dear. With new cybersecurity legislation on the way, building resilience should be an urgent priority.
Paying Through the Nose
The UK has long been a top target for ransomware actors, thanks to its relative wealth and highly digitalised economy. But there’s a world of difference between being breached by ransomware and having data stolen and/or encrypted. Better cyber hygiene and improved detection and response can both work to significantly mitigate the impact. Unfortunately, this appears not to be happening, according to a Sophos study.
The security vendor polled over 200 IT and cybersecurity leaders in the UK as part of a broader study covering the responses of 3400 ransomware victims. The State of Ransomware in the UK 2025 reveals that a staggering 70% of UK victims had their data encrypted, much higher than the global average of 50%, and the 46% figure reported by UK victims in 2024.
By both measures, this is concerning. It appears to show that fewer ransomware victims have the insight they need into their IT environment to understand that they’ve been hit. The difference between the Co-op and M&S was that the former had invested in incident response capabilities, which flagged the suspected intrusion and enabled it to pull the plug on its systems before they could be encrypted. The impact of the resulting breach was consequently less severe.
Perhaps as a result, UK victims felt they had no choice but to pay their extortionists: on average they handed over 103% of the ransom demand, way higher than the global average of 85%. That matters even more because the median UK ransom demand was $5.4m (£3.9m) last year – more than double the $2.5m (£1.9m) reported in the previous survey. Some 89% of ransom demands were for $1m+, up from 71% in 2024.
“My experience suggests the rate of encryption is very closely coupled with how quickly an attack is detected, and often whether external incident response help was engaged early enough in the attack,” Sophos global field CISO, Chester Wisniewski, tells ISMS.online. “Organisations with 24/7 monitoring and EDR/XDR tools typically have more success at stopping attacks in progress. Too often, victims only detect the attack when they get the ransom note, which is far too late.”
Where Are They Going Wrong?
Exploited vulnerabilities (36%), malicious emails (20%) and compromised credentials (19%) were the top causes of initial access among ransomware victims polled by Sophos. To tackle these and other threats, the security vendor recommends a four-point plan:
Prevention: Reduce the most common technical and operational causes of an attack by building resilience.
Protection: Defend the most common entry points for ransomware actors, such as endpoints including servers. Dedicated anti-ransomware tools will help to block and roll back malicious encryption.
Detection and response: Stop and contain an attack as quickly as possible before it has time to cause any major damage. Organisations unable to do this in-house can use managed detection and response (MDR).
Forward planning: Put an incident response plan in place to streamline recovery from an attack. Regular off-site and offline backups will also accelerate recovery.
“Cybercriminals run highly efficient enterprises; they’re looking for minimal output, maximum cash, so double bolting your digital doors acts as a sizable deterrent,” argues Lauren Wilson, field CTO at Splunk. “But it’s not enough to just prevent – you have to be able to detect, respond and recover in order to truly mitigate the wider impact of ransomware.”
Time to Align
UK IT and security leaders may need to revisit their ransomware resilience plans in light of incoming legislation. The new Cyber Security and Resilience Bill is set to ban ransom payments for government and critical national infrastructure (CNI) providers. It will bring new organisations (like MSPs) into scope. It will also likely mandate faster and more comprehensive incident reporting, third-party risk management and stronger supply chain security. It might impose larger fines and will certainly hand more power to industry regulators. It also seeks to align more closely with NIS 2, ISO 27001, ISO 27002 and other security standards and frameworks.
This is a great opportunity for those already working on ISO 27001 to get ahead of these incoming requirements and bolster their cyber resilience in a cost- and time-effective manner. Wilson tells ISMS.online that such standards are “engineered to raise cyber maturity in a way that benefits everyone”.
She adds: “One thing that standards such as NIST or ISO 27001 have in common is helping organisations focus on getting the basics right. Access control, regular patching, using multifactor authentication, and training for all employees. Whilst easier said than done, focusing on these ‘basics’ can go a long way to defeating a high percentage of cyber-attacks.”
Sophos’ Wisniewski agrees with the value of best practice standards.
“The vast majority of attacks are preventable by having basic controls deployed consistently across the estate,” he argues. “Our latest Active Adversary report shows that most ransomware cases begin with either stolen credentials or unpatched vulnerabilities, both of which are covered by compliance frameworks.”
However, compliance can’t be addressed in isolation, Wilson cautions.
“It must be viewed as part of a holistic cybersecurity strategy that encompasses people, process and technology,” she concludes. “Organisations need to be investing in resilience. That means understanding risk, building defences and ensuring that if operations are taken offline, downtime is minimised.”