Research and analysis

Knowledge and perceptions of the UK public on ransomware against businesses

Published 13 January 2025

Acknowledgements

Ipsos UK delivered this nationally representative survey on ransomware. The Home Office Analysis and Insight Unit commissioned the research and prepared this summary report, based on the data collected by Ipsos.

We would like to thank the following individuals for their support in delivering this:

From the Home Office: Abigail Skraga, Abraham Sweiry, Iona Woodbridge, Carolyn Budd and Victoria Smith.

From Ipsos: Hannah Shrimpton and Zara Johnson-Ireland.

Executive summary

The Home Office commissioned Ipsos UK to deliver a nationally representative survey of 2,108 members of the UK public (aged 16 and over) about their awareness and experience of ransomware, perception of the threat of ransomware within the UK, and attitudes towards UK businesses reporting attacks and paying ransoms.

The survey indicated that a small minority of individuals had direct experience of ransomware and a good knowledge or understanding about ransomware. However, most had at least heard of ransomware.

The majority of the public were concerned about ransomware and, despite having little certainty on whether businesses are doing enough to protect themselves, or if it is easy to do so, they had some relatively strong views on the actions that businesses should take in preparation for, and in response to, a ransomware attack.

Notably, most of the public believed that businesses should report a ransomware attack, irrespective of reputational damage, consequences to the business or their ability to resolve an incident by themselves. The majority also believed that businesses should invest in cyber insurance to cover the cost of a potential ransomware attack, though we cannot determine the extent to which the public understood what cyber insurance entails.

There was much uncertainty regarding public attitude towards paying ransoms. The level of support for businesses making a ransom payment varied depending on the scenario tested, suggesting that attitudes towards payment may be affected by the reason for paying a ransom, as well as the size and sector of the attacked business.

Throughout the whole survey, perceptions and attitudes also somewhat depended on respondent characteristics, including their awareness of ransomware and demographic characteristics. Notably, those with greater awareness of ransomware were significantly more likely to believe businesses should always report incidents, that it is easy for businesses to protect themselves, and that all businesses should have cyber insurance to protect against ransomware. They were also significantly more likely to disagree with the view that businesses do enough to protect themselves.

1. Introduction

Home Office Analysis and Insight (HOAI) commissioned Ipsos UK in 2024 to conduct a nationally representative quantitative survey[footnote 1] with the UK public to assess awareness and experience of ransomware, perception of the threat of ransomware within the UK, and attitudes towards UK businesses reporting attacks and paying ransoms.

Key findings from this survey are presented in this report, focusing on:

  1. Awareness and experience of ransomware.
  2. Perception of ransomware as a threat.
  3. Attitudes towards protecting against ransomware attacks.
  4. Attitudes towards businesses reporting ransomware attacks.
  5. Attitudes towards businesses paying ransom demands.
  6. Factors affecting perceptions and attitudes.

2. Methodology

Participants were recruited via the Ipsos UK Knowledge Panel, which is composed of a nationally representative sample of over 25,000 individuals within the UK based on random-address sampling. It includes members of digitally excluded households, with Ipsos providing technology for the purpose of completing surveys. Panellists are incentivised for their participation in Knowledge Panel research[footnote 2].

Panellists were recruited via a random probability, unclustered address-based sampling method. This means that every household in Great Britain had a known chance of being selected to join the panel. As a random probability survey panel, the Knowledge Panel did not use a quota approach when conducting the survey. Instead, invited samples were divided into non-overlapping, smaller groups (called strata) based on shared characteristics, to account for any profile skews within the panel. The data was then weighted to match the profile of the population of Great Britain.

The survey was completed by 2,108 members of the UK public between 4 and 10 January 2024. Respondents were aged 16 and above. Boosters were not used to target underrepresented demographic groups. However, the survey collected various demographic variables for each respondent, enabling data to be broken down beyond the population level.

Respondents were asked 12 questions about their awareness and experience of ransomware, their perceptions on the threat of ransomware, and whether businesses should report and pay in the instance of a ransomware attack.

To understand public attitude across topic areas, the survey asked respondents to rate their concern and agreement with various statements. Concern was assessed on a 4-point scale (‘not at all concerned’, ‘not very concerned’, ‘fairly concerned’ and ‘very concerned’); findings in this summary are reported using aggregated scores of concern, with the former 2 equating to ‘not concerned’ and the latter 2 equating to ‘concerned’. Agreement was assessed on a 5-point scale (‘neither agree nor disagree’, ‘tend to agree’, ‘strongly agree’, ‘tend to disagree’ and ‘strongly disagree’). Findings in this summary are reported using aggregated scores for agreement and disagreement (that is, combining the number of ‘tend to’ and ‘strongly’ responses). These categories are also reflected in graphs throughout.

3. Key findings

3.1 Awareness and experience of ransomware

The majority of the public reported that they had at least heard of ransomware (76%). However, only approximately one-in-10 had experience of ransomware, either directly or indirectly (12%).

Only around a quarter (23%) of the public reported they had never heard of ransomware.

Respondents most commonly reported knowing a little about ransomware (32%), while just over a quarter (27%) reported knowing a great deal or a fair amount. Only 5% said they knew a great deal. However, we cannot determine whether this self-reported awareness reflects actual awareness from this survey.

Figure 1 shows that 3% of the public had direct experience of ransomware, reporting that they themselves had experienced a ransomware attack. Respondents also reported indirect experience of ransomware, where the organisation where they work or an organisation they are a customer of had experienced a ransomware attack (5% and 5% respectively).

Figure 1: Public experience with ransomware attacks[footnote 3]

Grey section indicates the breakdown of those who reported experiencing ransomware attacks.

Base: All UK adults (n=2,108), age 16 and over

Those who reported having experience of ransomware were significantly more likely to report knowing a great deal or fair amount about ransomware (52%) compared with those who had no experience of ransomware (24%). However, we cannot determine whether experience leads to increased knowledge from this research.

Those who owned or were employed by a large business were significantly more likely to have experience of ransomware (18%) than those who owned or were employed by a micro-sized (10%) or small-sized business (10%)[footnote 4].

3.2 Perception of ransomware as a threat

Most of the public are concerned about the possibility of ransomware occurring in the UK, including against UK-based businesses.

74% of the public were concerned about the possibility of ransomware occurring in the UK. However, a greater proportion of the public were concerned about the possibility of other crimes occurring, including serious violent crime (88%), fraud (84%) and corruption in the government (81%).

The public was most concerned about the possibility of a ransomware attack occurring against national infrastructure (84%) and UK government agencies (79%). A slightly smaller proportion of the public (72%) reported concern about the possibility of a ransomware attack occurring against UK-based businesses specifically, though still a majority. Figure 2 shows levels of concern for ransomware across a range of sectors.

Figure 2: Public concern about the possibility of a ransomware attack, by sector[footnote 5]

Base: All UK adults (n=2,108), age 16 and over

The public believe the seriousness of the impact of a ransomware attack depends on the nature of one’s relationship to the attacked business.

Respondents were asked to consider the extent to which a ransomware attack against a large UK business would seriously or not seriously impact various groups. Approximately two-thirds of the public believed that a ransomware attack against a large UK business would be very serious for the business owner or shareholders (69%) and customers (66%). However, only 2-in-5 (40%) believed that an attack would be very serious for members of the general public.

3.3 Attitudes towards protecting against ransomware attacks

There is no clear public consensus on whether most businesses do enough to protect themselves from a ransomware attack, nor whether it is easy for businesses to do this.

Figure 3 shows that the public are generally uncertain about whether businesses do enough to protect themselves from a ransomware attack and whether it is easy for them to do so. Approximately half of the public neither agreed nor disagreed or reported not knowing, indicating a high degree of uncertainty about the topic.

For those that did respond with some certainty, slightly more participants disagreed than agreed with these statements. Around one-third of the public disagreed that most businesses do enough to protect themselves from a ransomware attack (33%), and that it is easy for businesses to do this (35%).

Figure 3: Public perceptions on how businesses protect themselves from a ransomware attack

Base: All UK adults (n=2,108), age 16 and over

The majority of respondents believed businesses should have cyber insurance to cover the cost of a potential ransomware attack (73%).

Approximately 3-in-5 (61%) disagreed that a business is the only one to blame if they experience a ransomware attack, acknowledging the role of other actors, whereas just one-in-10 (11%) agreed.

However, nearly three-quarters (73%) believed that all businesses should have cyber insurance to cover the cost of a potential ransomware attack, placing responsibility on the business. The survey did not define cyber insurance, though, so respondents might not fully understand what this entails and what it covers.

3.4 Attitudes towards businesses reporting ransomware attacks

Most respondents believed that businesses should always report a ransomware attack to law enforcement and relevant authorities, regardless of circumstance or consequence.

Around 9-in-10 (89%) believed that a business should always report a ransomware attack to law enforcement and relevant authorities.

When a specific reporting scenario or potential consequence of reporting was detailed, a slightly smaller proportion of the public believed that a business should report a ransomware attack compared with when no details were given. Approximately 4-in-5 (81%) believed that there is a need to report, and that businesses should report a ransomware attack, even if the business is capable of resolving it on its own. Similarly, 81% believed businesses should report even if it means they receive a fine or penalty. Figure 4 shows the proportion of public agreement and disagreement with all statements tested in the survey around business reporting behaviours.

Figure 4: Proportions of agreement and disagreement with statements about businesses reporting a ransomware attack to law enforcement

Base: All UK adults (n=2,108), age 16 and over

The majority of the public also believe that a business should report their ransomware victimisation to the public (78%).

Approximately 4-in-5 (78%) believed that a business should tell the public when they have experienced a ransomware attack, even if it causes them reputational damage.

Significantly fewer people agreed that a business should report a ransomware attack to the public (78%) than agreed that a business should report a ransomware attack to law enforcement and relevant authorities (89%).

3.5 Attitudes towards businesses paying ransom demands

Overall, the public tended to disagree with the concept of a business paying a ransom demand. However, attitudes were not as strong as those towards reporting.

A selection of different payment scenarios was presented to respondents in the survey[footnote 6]. Responses varied according to the specific circumstance.

In most scenarios presented, a higher proportion of individuals believed that a business should not pay a ransom demand. For example, 50% disagreed that a business should pay a ransom if they thought it would reduce the financial loss of the business, compared to 12% who agreed. However, this was not true of all scenarios (see figure 5 below).

There was a high degree of uncertainty regarding payment in the different scenarios. Across all scenarios, many respondents reported either not knowing whether a business should pay (ranging between 6% and 9%) or neither agreeing nor disagreeing (ranging between 22% and 33%).

Public attitude towards payment may depend on the potential reason for paying a ransom or the potential outcomes of the ransomware incident.

Four hypothetical scenarios regarding whether a business should/should not pay the ransom were presented to respondents. Respondents were asked to rate their agreement/disagreement with whether the business should/should not pay, with each specific scenario in mind.

The public appeared to be more likely to object to the payment of a ransom if the reasoning for payment related to the recovery or cost to the business, compared with protecting employees. Half (50%) of the public disagreed with the concept of a business paying a ransom, even if they thought it would reduce the financial loss the business suffers, or even if the business could not recover through other methods (47%).

In other scenarios, there was less disagreement with the payment of ransoms. Just under 2-in-5 believed that a business should not pay a ransom, even if they felt it would prevent customer or employee data being leaked (39%), or that it would allow them to remain in business and their employees to remain employed (36%). Figure 5 presents these findings.

Figure 5: Proportions of public agreement and disagreement with hypothetical statements about whether businesses should or should not pay a ransom

Base: All UK adults (n=2,108), age 16 and over

Public attitude towards payment may also depend on the characteristics of the attacked business.

Three hypothetical scenarios regarding a business’s decision to pay/not pay a ransom were presented to respondents. Respondents were asked to rate their agreement/disagreement with the business’s decision to pay/not pay, with each specific scenario in mind. These questions were designed to test participant attitudes where decisions had already been made by the business, as opposed to moralistic statements about whether businesses should or should not, providing additional insight to the above section.

Participants seemed to be uncertain about a large energy company choosing to pay a ransom. Unlike all other scenarios, equal proportions of the public (35%) disagreed and agreed with the decision of a large energy company to pay a ransom. This may be due to specific views around the energy sector; however, we cannot assess this from the findings of this survey, and future research would need to assess ransom payments in the context of other sectors.

Full scenarios presented to respondents are listed in order of those appearing on Figure 6:

A large energy company experiences a serious ransomware attack and has to shut down. This causes immediate operational disruptions that affect the national power supply to the UK. The company decides to pay the ransom to try to regain access to their operations and limit disruption.

A small business with 10 employees is attacked. The damage is extensive and they do not have access to backups of the data they have lost. They believe they will go bankrupt if they don’t get access to their data and systems back. The business decides to pay the ransom to try to regain access to their data and systems.

A large business with 600 employees is attacked by ransomware and private data about their employees and customers is stolen. The business will eventually be able to recover access to their systems, but will have to shut down in the short term while they do so, causing disruption to customers. The business owners are worried the stolen data about their employees and customers could be leaked online if they don’t pay. However, the business ultimately decides not to pay the ransom. They instead rely on their own backups for systems and hope the attackers do not leak the data publicly.

Figure 6: Proportions of public agreement and disagreement with the decision of various businesses to pay or not pay a ransom

Base: All UK adults (n=2,108), age 16 and over

Beyond the specific scenarios presented above, the public also had strong views on the potential consequences of a business paying a ransom.

Just more than one-in-10 (12%) believed that a business would likely get their files or data back if they paid a ransom.

Nearly 7-in-10 (68%) believed that it is wrong for a business to pay a ransom because that ransom could be used by attackers to fund more criminal activities.

3.6 Factors affecting public perceptions and attitudes

Public perceptions of ransomware as a threat differed according to age and levels of awareness of ransomware.

Concern about ransomware appeared to increase with age; those aged 16 to 24 were significantly less likely to report feeling concerned (47%) than all older age groups. However, this is true for most other crime types asked about in this survey, potentially reflecting a wider trend, rather than being specific to ransomware.

Those who reported they had ‘never heard of’ ransomware were significantly less likely to report feeling concerned about the possibility of an attack against a UK business (60%) compared to those who reported knowing ‘just a little/having heard of, know nothing about’ ransomware (74%), and those who reported knowing ‘a great deal/fair amount’ about ransomware (77%).

Attitudes towards measures businesses should adopt to protect themselves varied depending on employment status and levels of awareness of ransomware.

Self-employed respondents were significantly less likely to believe that all businesses should have cyber insurance to cover the cost of a potential ransomware attack (58%), compared with employed respondents (74%) and those who were not employed (75%).

Those who reported knowing a great deal or fair amount about ransomware were significantly more likely to believe that it is easy for a business to protect themselves against ransomware (37%) compared with those who reported any other awareness level (13% to 17%).

Those who reported knowing a great deal or fair amount about ransomware were significantly more likely to disagree that most businesses do enough to achieve this (42%) compared with any other awareness level (between 22% and 33%).

Those who reported knowing a great deal or fair amount about ransomware were significantly more likely to believe that all businesses should have cyber insurance to cover the cost of a potential ransomware attack (77%) compared with those who reported having never heard of ransomware (69%). Figure 7 presents these findings.

Figure 7: Proportions of agreement and disagreement based on awareness of ransomware

Base: All UK adults (n=2,108), age 16 and over

Attitudes towards reporting a ransomware attack varied depending on age and levels of awareness of ransomware.

Across all scenarios, older respondents were generally more likely to believe that businesses should report than younger respondents. However, there was not always a linear increase between each age group. Older respondents (65 and over) were significantly more likely to believe that a business should always report a ransomware attack to law enforcement and relevant authorities compared to middle-aged and younger respondents (16 to 64). Figure 8 demonstrates this finding.

Figure 8: Proportions of agreement that businesses should always report a ransomware attack across different age groups

Base: All UK adults (n=2,108), age 16 and over

Across all reporting scenarios tested, those who had some awareness of ransomware were significantly more likely to believe that businesses should report to law enforcement and authorities (84% to 93%), compared with those who had never heard of ransomware (70% to 83%).

Attitudes towards payment of ransoms differed depending on awareness of ransomware.

Having awareness of ransomware did not appear to affect attitudes towards paying ransoms in all scenarios, however:

Those who reported knowing a great deal or fair amount about ransomware were significantly more likely to disagree with paying a ransom to prevent the leaking of customer/employee data (44%), compared with those who had never heard of ransomware (34%).

Those who reported knowing a great deal or fair amount were also more likely to disagree with a business making a ransomware payment to reduce financial loss (55%), compared with those who had never heard of ransomware (44%).

  1. As public attitudes were collected through a quantitative survey, it is not possible to draw insights regarding why respondents think the way they do. 

  2. This survey formed part of an omnibus of surveys within the Knowledge Panel. Panellists receive points for each survey completed, which can be exchanged for vouchers for a variety of retailers once a threshold is met. The incentive panellists receive is determined by the combination of surveys they complete and, amongst other things, survey complexity and topic. 

  3. Due to rounding, the breakdown categories of those 12% who had experienced a ransomware attack add up to slightly more than 12%. 

  4. Within this research, business sizes were defined as follows: Micro (1 to 9 employees), Small (10 to 49 employees), Medium (50 to 249 employees), Large (250+ employees). 

  5. Only UK-based sectors were assessed as part of this survey, due to their direct relevance to any potential UK legislation addressing ransomware. It may be that the UK public would be affected by, and demonstrate concern about, a possible ransomware attack against a non-UK business, if the infrastructure was global. It may be beneficial for future research to assess this. 

  6. Attitudes were tested through 2 methods: 1) agreement with fictional decisions which had already been actioned by a business, to pay or not pay a ransom; and 2) agreement with statements which referred to whether a business hypothetically should or should not pay a ransom.