UK Considers Ban on Ransomware Payments by Public Bodies

The UK government has proposed banning public sector and critical infrastructure organizations from making ransomware payments.

The proposed payment ban has been included in a Home Office-led consultation published on January 14. It focuses on protecting hospitals, schools, railways and other essential public services from the growing ransomware threat.

The Home Office said that expanding an existing ban on ransomware payments by government departments would help make critical services unattractive targets for ransomware.

The creation of a mandatory reporting regime for ransomware incidents has also been proposed. This regime would aim to boost available intelligence on ransomware attacks for UK law enforcement agencies.

Information gathered from the mandatory reporting would be used to support international law enforcement operations targeting ransomware gangs, such as Operation Cronos which disrupted the LockBit ransomware group in 2024.

Additionally, the consultation will explore the implementation of a ransomware payment prevention regime, which would offer victims guidance on how to respond in the event of an incident. It would also help block payments to known criminal groups and sanctioned entities.

This service will also serve to increase the National Crime Agency (NCA)’s awareness of live attacks and criminal ransom demands.

The measures are designed to disrupt ransomware actors’ financial models and gather intelligence to help law enforcement target their operations.

UK Security Minister, Dan Jarvis, commented: “With an estimated $1bn flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this Government’s Plan for Change is built.”

He added: “These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate. Today marks the beginning of a vital step forward to protect the UK economy and keep businesses and jobs safe.”

The consultation will run for 12 weeks, ending on April 8.

The proposals follow guidance issued by the Counter Ransomware Initiative in October 2024, which encourages organizations to consider other options before making ransomware payments to cybercriminals.

Ban on Ransomware Payments a Complex Issue

The issue of banning organizations from making ransomware payments is a controversial one in the cybersecurity industry. Experts have highlighted the potential unintended consequences of implementing such bans, such as putting businesses in a position of either going out of business or paying the ransom illegally.

While blanket bans have been considered by other governments including Australia, they have shied away from implementing them to date.

Ed MacNair, CEO of Censornet, highlighted how a ban on public sector and critical infrastructure firms making ransomware payments could result in a two-tier society, where private companies are placed at higher risk, including SME businesses which have limited cybersecurity resources.

“The concept of banning ransom payments in the public sector seems logical on one level, but it will not stop cyber-attacks. It will however disrupt the cybercrime equilibrium, creating a whole new dynamic that could put UK businesses at risk. And it could see cyber-attackers temporarily increase efforts targeting private businesses,” MacNair warned.

There are also doubts on whether banning payments will truly disincentivize ransomware actors.

Ali Vaziri, Partner at law firm Lewis Silkin, noted that most commercially incentivized threat actors are indiscriminate when it comes to their targets. Additionally, state-sponsored ransomware attacks are primarily designed to cause disruptions, meaning a ban on payments will not make a difference to their aims.

Vaziri added: “More importantly perhaps is the fact that the UK public is unlikely to be forgiving when critical services they rely on for their medical treatment and commute to the office, for example, are taken offline, with restoring operations taking much longer and costing much more than had a payment been made.”

Responding to Rising Ransomware Attacks on UK Public Services

The proposals have been issued in response to numerous recent high-profile ransomware attacks on UK public services, which have disrupted essential services, resulted in damaging data leaks and led to severe economic costs.

For example, the attack on the Royal Mail in early 2023 was estimated to cost the service £10m in remediation and revenue decline.

In June 2024, a ransomware attack on pathology services provider Synnovis resulted in the cancellation of thousands of operations and appointments in hospitals in South East England.

In November, Alder Hey Children’s NHS Foundation Trust confirmed that cybercriminals gained unlawful access to data from three healthcare organizations located in Liverpool, UK. The INC Ransom group claimed it had obtained large-scale data from patient records, donor reports and procurement data for 2018-2024 from the Trust.

The UK government revealed that the National Cyber Security Centre (NCSC) managed 430 cyber incidents between September 2023 and August 2024. This included 13 ransomware incidents which were deemed to be nationally significant and posed serious harm to essential services or the wider economy.

The NCSC’s 2024 Annual Review identified ransomware attacks as the most immediate and disruptive threat to the UK’s critical national infrastructure. These attacks are carried out largely by Russian-affiliated criminal gangs, the report noted.
