The UK government has proposed strict new regulations on the permissibility of ransomware payments by private companies and public sector organisations. Under the new provisions, a ransomware payment ban would be implemented among all public sector bodies, while any payments made by private firms would have to be officially sanctioned. Such proposals are among several under consideration by a Home Office-led public consultation on how best to protect British businesses from ransomware, which it claimed was a broad-based effort to cut off ransomware gangs from their source of income.

“Driving down cyber crime is central to this government’s missions to reduce crime, deliver growth and keep the British people safe,” said the UK’s Security Minister, Dan Jarvis. “These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.”

A UK ransomware payments ban in the offing?

Recent years have seen public and private organisations in the UK prove especially vulnerable to extortion attempts by ransomware gangs, with the National Cyber Security Centre responding to 430 ‘cyber incidents’ between September 2023 and August 2024 — 13 of which, said the Home Office, “were deemed to be nationally significant and posed serious harm to essential services or the wider economy.”

An outright ban on ransomware payments by UK public sector bodies, it added, would bring organisations like the NHS and the National Grid in line with the rules governing appropriate responses to cyberattacks by government departments. The Home Office-led public consultation into how best to deal with ransomware nationally, meanwhile, would consider not only the appropriateness of a ransomware payments ban in government but also the framework for a mandatory reporting regime for ransomware incidents among private companies.

Private sector cybersecurity experts welcomed the UK government’s announcement, including Sophos’s director for incident response, Peter Mackenzie. Nevertheless, said Mackenzie, “the test of this ban will come when there is an attack that puts lives at risk and whether the government then makes an exception, which would undermine the ban and encourage further attacks. The ban doesn’t protect these organizations from ransomware attacks on their supply chain, which we have seen in recent years that have caused significant impact on public bodies like the NHS.”

Whitehall should also explore new ways to restrict the ability of companies to circumvent ransomware payment reporting obligations, said Darktrace’s global head of threat analysis, Toby Lewis. The government, argued Lewis, must be wary that it doesn’t inadvertently expand the income stream for ransomware extortionists or make certain firms more vulnerable.

“While a licensing scheme could disrupt criminal financing, it may risk inadvertently concentrating attacks on organisations most likely to receive payment permits, running the risk of making some critical sectors even bigger targets,” said Lewis. “The success of this intervention will depend on carefully balancing deterrence with protecting essential services.”

It is for this reason that a blanket ban on ransomware payments in the private sector has proven controversial globally. If a national prohibition were successfully implemented in the UK or the US, Aon managing director Tom Ricketts argued to Tech Monitor in November, threat actors would likely adapt fairly quickly. “If the US authorities could make a ban stick,” said Ricketts, “then the ransomware actors would potentially move on to other countries where they can get paid.”
