The 2025 UK threat landscape: Ransomware, data extortion & supply-chain attacks

Author: Hiranmayi Krishnan, Cybersecurity Specialist, ManageEngine

On this page

  • Key takeaways for CISOs
  • 2025 UK threat landscape
  • Impact of ransomware on supply chains
  • How to build supply chain resilience against ransomware?
  • Ransomware prevention and detection using SIEM
  • FAQ
  • Related solutions

In 2025, the UK's threat landscape witnessed an abundance of phishing, ransomware, and data extortion incidents among businesses. Ransomware attacks on major organizations, including Marks & Spencer, highlighted how attackers increasingly combined encryption with threats to publish stolen data, amplifying both operational and reputational impact. This pattern was further reflected in the cyberattack that forced the shutdown of Jaguar Land Rover’s UK manufacturing, vividly illustrating the interconnected nature of modern supply chains. The incident not only halted production but also strained smaller suppliers and exposed how a successful breach in a major enterprise could cascade outward, affecting tens of thousands of workplaces. Together, these incidents reinforce the importance of enterprise CISOs driving resilient third-party risk management while strengthening their incident response posture.

Key takeaways for CISOs

  • Supply chains are a primary ransomware attack vector, requiring visibility into supplier access, controls, and resilience.
  • A single supplier incident can cascade across operations, customers, and regulatory obligations.
  • Security expectations must scale with risk, ensuring high-risk suppliers meet elevated standards beyond baseline cyber hygiene.
  • Foundational controls such as MFA, patch management, segmentation, and offline backups remain essential across all suppliers.
  • Assurance should be obtained through audits, certifications, and tabletop exercises involving key vendors.
  • Continuous review, threat intelligence sharing, and joint response testing are necessary to reduce blast radius and recovery time.

An overview of the 2025 UK threat landscape

According to the Cyber Security Breaches Survey 2025, approximately 612,000 businesses and 61,000 charities experienced a breach or cyberattack. The impact was notably more pronounced among larger organizations, with 67% of medium-sized businesses and 74% of large enterprises reporting incidents. Ransomware remained a persistent threat, impacting an estimated 19,000 businesses during the year. While 63% of the victim organizations heeded the advice of the Counter Ransomware Initiative (CRI) not to pay the ransom, those that did faced significant financial consequences. According to IBM, the average cost of an extortion or ransomware attack (especially when disclosed by an attacker) was $5.08 million.

The following are some of the major attacks in the UK in 2025:

1) Marks & Spencer (M&S) ransomware attack

When it occurred: April 2025, during Easter weekend

Attack type: Ransomware (DragonForce) and data extortion

Impact: M&S suspended online orders and several automated retail operations for weeks, resulting in an estimated £300 million in lost operating profit and prolonged customer disruption.

Data compromised: Customer personal data, including names, dates of birth, addresses, phone numbers, and purchase histories.

Threat actors: The Scattered Spider cybercrime group

Attack vector: Service desk social engineering, credential compromise, and MFA bypass techniques.

Targeted assets: Active Directory, VMware ESXi hosts, and systems supporting payment processing and customer services.

Duration: Approximately four months, with online ordering restored by mid-August 2025.

To learn more about this attack, read: Marks & Spencer ransomware attack: Cybersecurity lessons for the retail sector.

2) Jaguar Land Rover supply chain cyberattack

When it occurred: August 2025, with impacts extending into October

Attack type: Supply chain-related cyberattack (reported as consistent with ransomware) that forced shutdowns of production and IT systems across global operations.

Impact: Multiple UK manufacturing plants were forced to halt production, triggering supply shortages and affecting thousands of suppliers and tens of thousands of workers. The broader economic impact was estimated to be £1.9 billion.

Data compromised: While initial statements said there was no confirmed customer data theft, reports indicated some employee and contractor data might have been impacted.

Threat actors: Scattered Lapsus$ Hunters

Attack vector: Suspected compromise of enterprise IT systems with downstream impact on operational and manufacturing environments.

Duration: Five to six weeks of major disruption, with longer-term supply chain recovery.

3) Kido Nursery ransomware attack

When it occurred: September 2025

Attack type: Ransomware and data extortion

Impact: Sensitive data belonging to almost 8,000 children and staff was stolen, leading to widespread concern, regulatory scrutiny, and law enforcement involvement.

Data compromised: Children’s names, photos, home addresses, and family contact details were accessed and partially posted online as proof.

Threat actors: The Radiant ransomware group

Attack vector: Network compromise followed by data exfiltration consistent with a double-extortion ransomware model.

Duration: Data exposure and extortion activity persisted for several weeks, with arrests being made on Oct. 7, 2025 amidst ongoing investigation.

What is the impact of ransomware on supply chains?

Ransomware comes with huge costs, both to the victim organization and its customers. The organization bears the direct costs of downtime (and the ransom payment, if any), recovery, compliance and contractual penalties, and rebuilding its reputation and customer trust. Its customers, whose data was stolen, are then subjected to double or triple extortion: threats to leak or sell that data unless they, too, pay.

A single compromised organization can disrupt multiple downstream and upstream entities, especially when shared platforms or just-in-time processes are affected. The attack on Synnovis is a prime example of this. Synnovis, a pathology supplier for several NHS Trusts in the UK, fell victim to a ransomware attack that impacted an astounding number of outpatient appointments (10,152) and elective procedures (1,710). This resulted in a massive backlog that took months to resolve. Qilin, the threat actors responsible for this attack, exploited vulnerabilities in the supplier's IT systems, encrypted files, and leaked approximately 380GB of data. The stolen personal data included names, NHS numbers, test codes, date of birth, and test results.

How to build supply chain resilience against ransomware?

The UK and Singapore jointly developed new guidance to help organizations tackle ransomware attacks targeting supply chains and to improve cyber hygiene and operational resilience. Launched at the global summit of the CRI, the guidance comes at a critical time, as threat actors increasingly disrupt supply chains to maximize economic and operational impact. Moreover, the UK signed the United Nations Convention against Cybercrime, with the goal of reducing the risk of cyberthreats to protect its citizens and national interests.

Here's a summary of the four steps mentioned in the new guidance to build supply chain resilience:

1) Understand the importance of supply chain security (why)

  • Modern organizations rely heavily on interconnected digital supply chains, which increases their exposure to cyber risk.
  • This growing interdependence makes supply chains an attractive target for attackers seeking widespread disruption.
  • Strengthening supply chain security helps prevent operational downtime, protect sensitive data, and reduce systemic risk.
  • Embedding cybersecurity expectations into contracts lowers vulnerabilities across interconnected organizations and critical infrastructure.

2) Identify key supply chain partners and access levels (who)

  • Maintain an inventory of suppliers based on the sensitivity of the data, systems, or services they access.
  • Assess suppliers based on:
    • Cybersecurity maturity and baseline hygiene practices
    • History of security incidents or breaches
    • Use of subcontractors or third parties
    • Incident response and recovery readiness
    • Insurance coverage
  • Map supplier access to networks and privileged systems to improve visibility, containment, and recovery during security incidents.

3) Define and implement a supply chain security strategy (what)

  1. Apply a risk-based approach to supplier selection
    • Select suppliers whose security controls align with the risk level of the services they provide.
    • Enforce stricter requirements for high-risk activities and baseline hygiene standards for lower-risk engagements.
  2. Establish minimum cyber hygiene requirements
    • Ensure suppliers implement foundational security controls, including:
      • Network segmentation and protection
      • Secure system configuration
      • Regular patching and software updates
      • Strong user access controls, including MFA
      • Malware protection measures
    • Require secure and isolated backups to support effective recovery following an incident.
  3. Communicate security expectations clearly
    • Define and communicate minimum standards for ransomware prevention, detection, and recovery.
  4. Build security into contracting processes
    • Include contractual provisions for:
      • Resilience against common ransomware attack vectors
      • Right-to-audit clauses
      • Timely incident notification requirements
      • Penalties for non-compliance with security obligations
  5. Gain assurance and manage residual risk
    • Validate supplier security measures through independent audits, certifications, or third-party assessments.
    • Encourage the adoption of cyber insurance as a risk management measure, while reinforcing that insurance does not replace strong cybersecurity practices.

4) Review and continuously improve the approach

  • Regularly reassess supply chain security to keep pace with evolving ransomware tactics and threat landscapes.
  • Conduct joint incident reviews, response exercises, and threat information sharing with suppliers.
  • Update contracts, policies, and controls based on lessons learned and emerging risks.
  • Consider forming sector-specific supplier cybersecurity forums to strengthen coordination and collective resilience.

Ransomware prevention and detection using SIEM

SIEM solutions collect logs from hundreds of log sources, analyze them to identify IoCs, and trigger automated incident response actions to contain an attack before encryption or exfiltration completes.

To prevent and detect ransomware, SIEM solutions:

  • Integrate with dark web monitoring solutions to identify compromised credentials and supply chain breaches.
  • Integrate with threat intelligence platforms to flag malicious IPs and domains.
  • Correlate authentication events, file activity, privilege changes, and network behaviour to identify early warning signs such as lateral movement, unauthorized file access, or privilege escalation attempts.
  • Leverage UEBA capabilities to identify anomalous users and entities and provide contextual intelligence.
  • Integrate with SOAR solutions to create and execute workflows and playbook responses that mitigate ransomware.
  • Provide a timeline of events and enable root cause analysis and forensic investigations.

Frequently asked questions

In 2025, UK organizations continued to face high levels of phishing, ransomware, and supply-chain attacks. Phishing remained the most common attack type, while ransomware incidents doubled compared with 2024 and supply-chain compromise grew as attackers sought to maximize impact.

The share of UK businesses hit by ransomware rose to about 1% in 2025, an estimated 19,000 businesses.

Supply chain attacks caused widespread disruption by exploiting trusted third parties and shared service providers. A single breach often cascaded across multiple organizations, amplifying financial, operational, and reputational damage.

Ransomware groups increasingly targeted suppliers and partners to maximize disruption. Compromising a single supplier enabled attackers to move deeper into interconnected supply chains, disrupting critical services, and causing cascading operational failures.

Initial access commonly occurred through phishing, stolen credentials, exploitation of unpatched vulnerabilities, and social engineering of help desks or third-party providers.

Data theft became central to ransomware campaigns, with attackers threatening to leak sensitive data even if systems were restored. This tactic increased pressure on victims and elevated regulatory and reputational risks.

The UK Government released its National Security Strategy 2025, which outlines key priorities for strengthening resilience, deterrence, and response across national risks, including cyberthreats (such as ransomware and state-aligned cyber activity) and infrastructure protection. It emphasised public-private collaboration, supply chain security, and international cooperation to address cross-border cyber risks.

The Cyber Security Breaches Survey 2025 revealed that a significant number of UK businesses and charities experienced cyber incidents during the year. Medium and large organizations remained disproportionately affected, with ransomware and phishing continuing to drive operational disruption and financial loss.

In 2025, several high-profile UK organizations experienced cyberattacks, including major retailers, manufacturers, healthcare suppliers, and service providers. These incidents often involved ransomware or supply chain compromise and resulted in service outages, data exposure, and prolonged recovery efforts.

Major retailers such as M&S, Harrods, and the Co-operative Group suffered cyberattacks in spring 2025, all of which were attributed to the Scattered Spider group.

Related solutions

ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement the principles of least privilege with AD360.


ManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impact, and lower compliance risk exposure with Log360.


This content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.