Governments underestimate the impact of cybercrime at their peril. Yet historically, that’s exactly what they’ve done – making the mistake, as many boardrooms end up doing, of considering it a peripheral matter for the techies to sort out. In fact, ransomware is now a real threat to critical national infrastructure (CNI), costing the public sector potentially tens of millions per incident and putting lives at risk. 

That’s why many security experts have cautiously welcomed Labour’s new plans to ban some ransomware payments and mandate incident reporting. However, the proposals are not a panacea, and may even lead to some unintended outcomes. 

A problem worth tackling

By one estimate ransomware actors are set to have had their best year on record in 2024, with illicit crypto inflows reaching $460m in the first half of the year and likely to exceed $1bn by the end. In the UK, an attack on NHS supplier Synnovis in June caused chaos in the south-east and may end up costing far more than the current estimate of £33m. The threat to both public services and private enterprises looms large over 2025, as cybercriminals get better at using AI for social engineering, reconnaissance and more.

The previous government was accused by parliament of recklessly ignoring these challenges. An influential committee warned that its head-in-the-sand approach left the UK “exposed and unprepared” for a potentially catastrophic ransomware incident. That’s why the new administration is to be commended for its proposals, which would prohibit all public sector and CNI providers from making ransomware payments, expanding an existing ban on government departments. It would also introduce mandatory reporting, as outlined in the new Cyber Security and Resilience Bill, and a “ransomware payment prevention regime”. This would force any ransomware victim to liaise with the authorities before paying, in order to explore their options and block any payments to sanctioned entities.

To pay or not to pay?

These measures are entirely reasonable. Improved incident reporting and engagement would help law enforcers better understand the scale of the challenge and mitigate corporate risk by sharing decryption keys where possible. It would enable the government to design more effective public policy. Banning payments also removes a key incentive for criminals to strike. 

Yet without a ban covering the private as well as the public sector, threat actors would likely gravitate to the former. The proposals also assume that breached organisations would comply with any ban. A ministry could never sneak out a multimillion-pound crypto-payment to cyber-extortionists, but smaller CNI firms may still be able to pay a smaller ransom by raising money privately or perhaps redirecting any payment from other budget items. The impact of an attack on their services might be severe enough to compel them to do so. 

Unleashing threat actor innovation

If government-led ransomware payment bans became the norm in Western countries, we may see another outcome—a potential evolution in the business model itself. Threat actors are nothing if not agile. If they were unable to monetise ransomware, perhaps they would look to other options, such as “supply chain compromise-as-a-service”. From 2017’s NotPetya to the Kaseya campaign in 2021, threat actors have been compromising upstream MSPs, software providers and others to devastating effect over the years. If they can’t monetise ransomware, perhaps groups will muscle in on the initial access broker market and focus on compromising major supply chain players to offer a unique, scalable and repeatable source of new victims.

Other criminal “businesses” with potentially large returns that they may consider are stock market fraud, cryptocurrency fraud and business email compromise (BEC). Take the stock market. Ransomware actors could use their access to an enterprise network to collect all sorts of sensitive data, while at the same time shorting its stocks. When the time is right, they could leak that information, publicise the breach, or disrupt operations by deploying destructive malware. In all cases, the stock would drop immediately and the threat actors could make a fortune from their “short and distort” strategy.

Alternatively, a ransomware group could use its access to a corporate network to steal sensitive information, which can then be used to make BEC attempts more convincing. Given that BEC scams cost victims over $2.9bn in 2023 alone, it’s a particularly lucrative alternative, although the threat actors would need to adapt their social engineering skills accordingly. Another option is to break into the networks of cryptocurrency exchanges and try to steal cryptocurrency instead of deploying ransomware. It’s something that North Korean actors have done extremely effectively over recent years, making an estimated $1.3bn in 2024.

Switching things up

None of the above scenarios is inevitable. After all, there are many countries currently not considering a ban on ransomware payments, and in any case, private-sector firms in the UK are not covered by the government’s plans. That means, for the near future, ransomware groups have a steady supply of victims capable of paying up. However, if this policy becomes the direction of travel across Western nations, expect cybercriminals to do what they do best, and adjust.

Some may absorb other criminal groups to gain new skills. Others may be recruited by their respective governments. But as long as there are people prepared to do bad things online to make money, and states prepared to shelter them, law enforcers and network defenders need to be on their game. 

Ultimately, as fruitless as the UK government’s plans may be, any attempt to discomfit those adversaries is better than none at all.

Jonathan Lee is Trend Micro’s UK Cybersecurity Director.
