Challenges Facing the UK Government’s Proposed Ransomware Ban


In January 2025, the UK government proposed a ban on public sector and critical infrastructure organizations making ransomware payments.

The move aims to reduce the financial incentive for attackers, making public bodies and critical infrastructure less appealing targets – but are policymakers viewing a ransomware ban too simplistically?

Some see such a policy as an important and significant step in combating cybercrime, while others have unpacked a string of loopholes and issues relating to the ban, particularly if it were ever extended to the private sector.

Responses and Criticisms to the Proposal

The proposal of this new policy has received mixed reactions.

Supporters welcome the policy change, arguing that ransom payments incentivize cybercriminal activity and both encourage and finance further crime.

Critics caution that the ban could be largely ineffective and result in unintended commercial consequences. In addition, it could encourage criminals to redirect their attacks towards individuals, who would sit outside the regulation, rather than businesses.

Cybersecurity is a multifaceted issue. It is important for industry experts and policymakers to carefully consider the knock-on impacts of any potential measures to address security risks, before implementation.

Financial Impact on Businesses and Insurance Providers

Businesses hit by ransomware may find that essential services are disrupted and the path to recovery is unclear. In such cases, they often turn to their insurance provider – which frequently handles ransom payments – or to government support bodies such as the National Cyber Security Centre (NCSC).

What happens, however, when the option of paying a ransom is removed?

Often, it is the insurance firms who push for payment, as it is the cheapest way to manage the situation. With the ban in place, insurers may be required to fund more expensive routes to recovery, fundamentally affecting the cyber insurance market and leading to a rise in premiums.

Questions Around Government Support

Businesses unable to pay their way to recovery may face longer downtime, with bigger financial implications. In this situation, how will the government support them? Will it step in to support businesses that suffer prolonged disruption?

If that disruption means a firm can no longer sustain itself, will it be allowed to fail? Similarly, if an organization provides life-saving or critical public services, does the government bear some responsibility for ensuring operational continuity? Many of these questions remain unanswered.

Loopholes and Their Consequences

Prior to any ban, the topic of ransomware payments is already a difficult dilemma for Chief Information Security Officers (CISOs) and business leaders.

We have seen CISOs hesitant to sign up to a blanket non-payment policy, fearing that in extreme circumstances paying a ransom may be the only way to save their company. This desire for flexibility would drive certain firms to seek out loopholes in any restrictions.

Faced with an outright ban on ransomware payments, some businesses seeking to restore essential services quickly might explore ways to navigate around the ban.

For example, corporations operating internationally may use foreign bank accounts or third-party intermediaries to make payments indirectly. Such ‘overseas’ payments would be beyond the visibility of UK regulators but just as effective for the criminals.

Such techniques would obviously reduce the effectiveness of the ban and create an uneven playing field for more compliant businesses.

Another significant concern is the impact on information sharing. If businesses are legally barred from making ransomware payments, they may choose to mislabel such attacks, or avoid reporting ransomware incidents altogether, to escape scrutiny or potential penalties and retain the flexibility to recover as they wish.

This could have severe consequences for cybersecurity intelligence. Reduced reporting means a lack of visibility into attack patterns, techniques and emerging threats, which could inadvertently benefit cybercriminals in the long run.

Bypassing the ban, however, does not come without risk. Secretly paying a ransom opens the door to a second round of extortion, in which attackers threaten to expose victims who paid in breach of the ban.

Organizations could then face extortion not just over data access but also over the payment itself. This complexity could leave firms in a worse financial position, all in their attempt to restore service as quickly as possible.

A rigid stance against payment may be ideal in theory, but in practice organizations are likely to clamor for the flexibility to respond to complex and evolving cyber threats as they see fit, in order to meet the needs of their customers and sustain their business.

A Possible Shift in Cybercriminal Tactics

One further potential consequence of the ban could be to shift attackers' focus away from companies and towards individuals, particularly high-profile business leaders or politicians, who would sit outside the regulation.

This shift in tactics could result in a new wave of ransomware attacks targeting personal devices and data, which could be just as damaging and just as challenging to manage.

The Need for a Pragmatic Approach

While the intent behind a ransomware ban is clear, removing the payment option completely is a complex task with many drawbacks and risks. We need a pragmatic path forward that balances the risk while allowing the flexibility that firms will need.

One proposal is that any legislation should strongly dissuade firms and their insurers from paying ransomware demands, but provide a controlled path for payment in exceptional circumstances.

Reporting ransomware attacks to an appropriate authority, even if no payment is made, should be mandatory. This will allow for comprehensive tracking and analysis of such incidents, contributing to a better understanding of the threat landscape.

If a firm wished to pay a ransom, this could be permitted, but only with the express approval of the UK government. This would keep track of payments and provide oversight of repeat victims who would benefit from resilience improvements.

Instead of putting organizations in a position where they must choose between violating the policy and risking the failure of their business, the emphasis should be on identifying and reporting cyber threats, supported by flexible policies and a clear government mandate on reporting protocol.

Organizations must also prioritize preparing their people. Staff should receive regular awareness training and education to keep up with emerging threats. This will help businesses mitigate risk and ensure that, when an attack happens, they can respond appropriately to minimize its impact.

Conclusion

The government's proposed ban on ransomware payments by the public sector and critical infrastructure is a proactive measure aimed at curbing the financial motivation behind cyber-attacks.

However, it presents significant challenges that must be addressed first. By providing the necessary support, guidance and training, organizations can be better prepared to respond to the ongoing threat of ransomware.
