UK Ransomware forecasts - the rising risk and the need for more transparency
The Swift forecasters were asked to predict the likely number of ransomware attacks on UK organisations in the coming months, including whether artificial intelligence would make such attacks easier to carry out, and whether any critical infrastructure would be significantly affected.
The focus of the forecasts was on ransomware attacks reported to the UK’s ‘National Cyber Security Centre (NCSC)’ and the potential change and impact of such attacks. Given the NCSC reporting period runs from 1st September to the 30th August each year, the forecasts sought to predict the 2025 NCSC annual report results which will cover September 1st 2024 - August 30th 2025.
Key takeaways:
The forecasters expect there to be a modest increase in the number of ransomware attacks reported to the National Cyber Security Centre this year.
They thought a major incident which brings down critical national infrastructure for seven days or more before August 30th 2025 was unlikely.
They thought the increase in AI capabilities over the next few months would not considerably increase the risk of ransomware attacks.
However, the challenge and ambiguity in how ransomware attacks are reported and published, along with limited baseline data on such attacks, mean that the forecasts have considerable ranges of uncertainty, highlighting the complexity of predicting cyber attacks in the UK.
Modest increase in the number of ransomware attacks in UK
Central estimate: 341 (80% confidence interval 276-431)
“Ransomware” is a form of malware, or computer virus, which hackers use to attack organisations’ systems or data. It prevents those organisations from gaining access to those systems, often by encrypting files, which the hackers will only decrypt in return for a ransom. Alternatively, the hackers might steal sensitive data and then threaten to release it unless the ransom is paid.
In a recent report, Britain's National Cyber Security Centre called ransomware attacks “the most immediate and disruptive threat to our critical national infrastructure,” and said they are on the rise. The forecasters were asked whether that trend would continue.
This was not an easy forecast to make, one pointed out. “Base rate data on this question is lacking,” they said. Absolute figures are not reported before 2022-23, although there are statements about relative increases. Taking those reports at face value, they said, it seems likely that reports went up ninefold between 2019 and 2021, but that the number likely stabilised after 2022: the NCSC says it received 297 reports between September 1st 2022 and August 30th 2023, and 317 between September 1st 2023 and August 30th 2024.
Given that trend, that forecaster said, “my baseline case here is that things stay pretty similar,” a forecast largely supported by the others. But they raised two main factors which could influence future trends: technology, and geopolitics.
A proportion of ransomware attacks on the UK are carried out by foreign state actors. The NCSC mentions Russia, China, Iran and the Democratic People’s Republic of Korea as the main culprits. In February 2024, a China-backed group, Volt Typhoon, targeted US infrastructure, and another likely attempted to access British MPs’ emails in 2021. And the NCSC said “UK firms are almost certainly being targeted by IT workers from the DPRK – disguised as freelance third-country IT staff – to generate revenue for the DPRK regime.”
One forecaster was sceptical of geopolitics’ input. “It seems non-obvious that the Russian invasion of Ukraine coincided with a significant increase,” they said, noting the apparent stabilisation of numbers around 2022. “It therefore seems non-obvious that an end to the war, or an escalation, would have a significant effect too.” The forecaster suggested that “more traditional cybercriminals” likely play a larger role than states, which “are a relatively small proportion of overall attacks.” But the NCSC report did not offer a breakdown of attacks by state vs private actors, so that is impossible to know.
Improvements in technology, and specifically the rapid growth of artificial intelligence, are a more likely driver of future increases, the forecasters thought. One noted an interview late last year with Amazon’s chief cybersecurity officer saying that the number of cyber attacks (of all kinds, not just ransomware) across the internet went up from roughly 100 million a day early in the year to around 750 million a day by November. That increase was, he said, “without a doubt” driven by improvements in generative AI’s ability to write code and phishing emails, which has “provided access to those who previously didn’t have software-development engineers to do these things.”
One of the other forecasters agreed: “I think increased AI capabilities will add to the numbers, and in general, I think the improved AI will benefit offense more than it benefits defense.”
The overall picture was one in which the most likely outcome was business as usual or a slight increase, but with a significant chance of rapid growth: two forecasters noted that the right tail of their distribution was fatter than the left tail. “I wouldn't expect growth to vastly exceed geometric growth,” one said. “So, my 50th percentile forecast is for 350 attacks. But I don't rule out substantially faster growth thanks to AI, or stagnation if other methods of cyberattack take off more.”
An AI model exceeding 30% on Cybench is within reach
Estimate: 39% (range 20% to 55%)
As mentioned above, the forecasters thought the most likely driver of a significant increase in attacks was the growth of artificial intelligence.
Cybench tests AI models in a series of “capture-the-flag” trials, where they have to try to retrieve a specific piece of data from a server. As it stands, the best-performing AI is OpenAI’s o3-mini, which has succeeded in 22.5% of tasks without human guidance.
Should any AI achieve 30% by August 2025, it might imply a significant improvement in their cyberattack capabilities.
“My forecast is high just because things seem to be happening a bit faster than we expect,” one forecaster (estimate 50%) said, “and also because China is opaque.” Another noted that there are only 40 tasks, so getting from 22.5% to 30% would only involve getting three more right. “This can even happen by pure chance,” they observed.
Crucially, several noted that the Cybench leaderboard does not appear to be updated regularly. That could mean that this question might well resolve negatively even if enough actual progress has been made. One forecaster said they thought it 95% likely that models capable of passing that score would be developed by August 2025, but only 45% on the question as stated, “because I'm very unsure they will make more updates.”
“Number of ransomware attacks reported to the NCSC” - conditional on ‘A model achieves or exceeds 30% of solved tasks on Cybench's unguided benchmark before August 30th 2025.’
Central estimate: 353 (80% confidence interval 286-446)
The forecasters thought that in a universe in which AI models passed the Cybench benchmark, there would be somewhat more ransomware attacks than in a universe in which they did not. But they felt the difference would be modest.
“I'd increase my forecast number slightly,” one said. “But not by much.” In large part, that was because there’s not much time for it to make a difference: “A model could reach 30% on August 25, and there wouldn't be much time for that to matter.” And two-thirds of the year from 1 September 2024 to 30 August 2025 is already over: “Even if a more capable model were available tomorrow, there's only so much time left. And a more capable model will not be available tomorrow.” Several others agreed with this point.
Another noted that the irregular updating of the Cybench leaderboard lowers the predictive value of this condition: “This mostly tells me how motivated to update the leaderboard the Cybench paper authors were.”
A small chance of a significant attack - but data gaps obscure the picture
Estimate: 13% (range 4% to 25%)
In the UK, the sectors designated “critical national infrastructure” are chemicals; civil nuclear; communications; defence; emergency services; energy; finance; food; government; health; space; transport; and water.
The forecasters noted that attacks of comparable magnitude have happened before: The 2017 WannaCry ransomware forced at least 80 NHS hospital trusts to cancel or divert services over a week, resulting in 19,000 lost appointments. Attacks also hit a police forensics service in 2019, a defence training scheme in 2021, an NHS communications platform in 2022, a Royal Mail system in 2023, and an NHS lab testing system in 2024.
The forecasters disputed whether all of those six would resolve the question positively: one forecaster argued that only four would count. “That would give a rough base rate of 0.5 such events per year,” they noted, but the question only has four months to resolve, meaning a roughly 17% chance. “I don't have any reason to expect the rate at which such events occur to decrease or increase substantially over the forecast period - they're quite rare, and data are sparse - so I'll go with 17%.” Another forecaster assumed all six attacks counted, and came up with a base rate of 22.8%.
Others felt this was much too high, because a seven-day outage is very long and only very high-profile cases would be reported.
A critical challenge identified when forecasting this question was the inconsistent and limited information about exactly which organisations are defined as CNI and how downtime is reported. This highlights a key gap in the sector, where better transparency could assist with more accurate predictions and provide greater awareness of cyber security risks. “With the NCSC 2024 not mentioning any numbers for ‘downtime’ or ‘outage’, what is the resolution source?”, one forecaster asked. Further, they argued that “it's completely unclear how many organizations are designated to be CNI.”
More attacks, more money paid out?
Forecasters were asked this question in three forms: baseline, conditional on there being fewer than 317 ransomware attacks in 2025, and conditional on there being more than 317 attacks in 2025.
Baseline estimate: £976,000 (80% confidence interval: £649,000 to £1,600,000)
The forecasters noted a lot of uncertainty in this question. Average ransomware payouts seem to be extremely volatile: one noted that the average payout in the UK in 2024 (£870,000) was barely half that of 2023 (£1.5 million), while globally the average nearly doubled between 2022 and 2023. There is also a shortage of widely available data.
They were also unsure what to expect from increasing numbers of attacks. “My naive expectation would be that more attacks means a lower average payout,” one said, because it would presumably mean that attackers were not only targeting large organisations, and smaller organisations would be less able to pay large sums. “But in reality, it appears that attacks have increased, and so too has average ransomware payments.” As a result, “I would expect more attacks to coincide with a modest increase in average payments.”
Others stuck to the idea that more attacks would correlate with lower payments, especially if AI facilitates attacks, both because less sophisticated attackers might demand smaller payouts, and because “going after ‘little fish’ becomes more interesting and viable.”
Most of the forecasters agreed that the number of attacks would correlate only slightly with the average payout.
Another noted that because there are only a relatively small number of attacks a year, each one can have a large effect on the average payout: “It would only take one very large payment to push this average up.”
Conclusions
The forecasts presented here paint a picture that is cautiously reassuring and thought-provoking for organisations and cybersecurity professionals. While the central estimate points to a modest rise in ransomware attacks reported to the UK's National Cyber Security Centre – 341, up slightly from last year’s 317 – forecasters do not foresee a dramatic surge or a crippling event targeting critical national infrastructure in the near term. Encouragingly, they also suggest that recent advances in artificial intelligence are unlikely to substantially increase ransomware risk, in particular given the short current forecast window (until August 2025).
But there remain reasons to be concerned. The uncertainty surrounding these forecasts, driven by limited or unclear reporting, gaps in historical data, and the unpredictable pace of AI development, should give decision-makers pause. Additionally, while AI may not cause an immediate explosion in attack volume, its trajectory is upward.
As several forecasters noted, the “right tail” of risk is worryingly fat: although catastrophic events are unlikely, they remain possible. A single, severe ransomware incident could dramatically skew both the number of attacks and the financial impact, as highlighted by the wide confidence intervals around average payouts - ranging from £649,000 to over £1.6 million. And while the estimated probability of a week-long outage in critical infrastructure over the next four months stands at just 13%, the scale of disruption such an event could cause remains significant.
Ultimately, this report underscores just how complex and uncertain the cyber threat landscape remains. It reveals a system that is finely balanced, where small shifts in technology, geopolitics, or reporting practices could have outsized consequences. For cybersecurity professionals, risk managers, and policymakers alike, these forecasts offer more than just numbers: they illustrate the importance of vigilance in the face of uncertainty, and the value of better data, clearer reporting, and deeper situational awareness in preparing for what might lie ahead.