The UK Government is considering banning public sector bodies from making ransomware payments as part of efforts to strengthen national defences against cyberattacks.
Under the proposed measures, schools, the NHS and local councils would join government departments in being prohibited from paying ransoms to hackers who seize control of IT systems. The ban would also cover critical national infrastructure, including energy and transport networks.
Private companies would face stricter oversight, with ransom payments required to be reported to the government. Payments could also be blocked if they are directed to sanctioned groups or hostile foreign states.
Experts have described the proposals as ‘the most significant intervention against ransomware by any national government to date.’ The measures aim to reduce the incentive for ransomware gangs to target UK organisations.
Ransomware gangs, which encrypt victims’ systems and steal data before demanding cryptocurrency payments, earned US$1.1 billion globally in 2023, with many operating from Russia and former Soviet states.
Currently, UK authorities discourage ransom payments but do not prohibit them unless the funds are suspected to support terrorism. In 2022, the National Cyber Security Centre and the Information Commissioner’s Office clarified that while such payments are not encouraged, they are generally not illegal.
These new proposals represent a significant shift toward a more proactive and preventative stance on ransomware.
Industry experts have been reacting to the news:
Dr. Darren Williams, CEO and Founder of Blackfog, said: “Ransomware gangs, like most criminals, are highly motivated by profit and tend to gravitate towards targets that are more likely to pay up. But paying up often doesn’t pay off. At the end of the day, you are negotiating with criminals who are unlikely to uphold their end of the deal, and in many cases they go further than leaking stolen data by targeting the same victim a short time later.
“Organisations in the public sector are often a soft target for attacks due to insufficient cybersecurity budgets and a reliance on antiquated technologies. There is no doubt that a ban on ransom payments would make ransomware less appealing to criminals, but firms need to get their house in order first by ensuring they have effective modern security solutions in place to defend against attacks.”
Tom Kidwell, Co-founder of Ecliptic Dynamics, said: “This is a case of legislation catching up with real world developments. Existing laws are being used to enforce against a crime that wasn’t in existence when the original legislation was created. If you suffer a ransomware attack, and personal data isn’t affected by the ransomware, do you have to report the incident as a breach? If so, organisations could, although I wouldn’t agree with this, potentially argue it’s not a breach which requires reporting to the ICO – this is the grey area which currently exists.
“Legally you cannot send funds to sanctioned individuals or organisations. The UK Government is sanctioning cybercriminals and organisations, and in some cases these entities may already be on a list, such as a sanctioned country. So the grey area here is, it’s not ‘illegal’ to make a ransomware payment, but it is illegal to send funds to designated sanctioned entities. The problem is that, in reality, most people have no idea who the real people behind a ransomware attack are, so how do you know if the attack group is on one of these sanctioned lists?
“This is a positive step if it comes in and would remove the ambiguity on what is legally required around a ransomware attack.
“Will it really make a difference though? It depends on the attack vector. If a ransomware attack is targeted at a specific organisation, such as the NHS, it might put attackers off knowing they won’t get paid. However, if the attack vector is indiscriminate, with attackers just firing out phishing emails to as many organisations as they can, then they are unlikely to sanitise the target list to remove public sector orgs in the UK.
“The solution is to prevent these attacks before they happen. Prepare and don’t get caught by a ransomware attack in the first place. Minimise your attack surface, educate your staff, plan for the worst and invest in cybersecurity solutions and processes.”
Andy Ward, SVP International at Absolute Security, said: “The main security goal of any organisation is to maintain uptime for as long as possible, ensuring that systems remain online and functional even in the face of a cyberattack. Banning ransomware payments requires security teams to double down on cyber-resilience, building infrastructure that can withstand major ransomware attacks, recover IT systems swiftly and remain operational in the face of adversity.
“48% of organisations were hit by a ransomware attack over the past year, according to our research, so it’s clear that anyone can be a target for these malicious attacks. In recent years, the government and NCSC have increasingly prioritised cyber-resilience as a core pillar of UK cybersecurity and a move such as banning ransomware payments would require them to further increase investment and guidance.”
“The volume and sophistication of ransomware threats are showing no signs of slowing down, and public sector bodies, especially, are major targets due to the large quantities of sensitive data they handle, so the UK must use this as the launchpad for the next stage of its cyber-resilience strategy.”