UK Plan to Ban Ransomware Payments Moves Forward


The United Kingdom will move forward with its plan to ban all public sector bodies and critical national infrastructure from paying ransomware attackers. The intention is to make critical industries “unattractive targets for criminals” to reduce the frequency and impact of incidents in the country.

The ban, which would apply to NHS trusts, schools, local councils, and data centres, was first proposed in January. It then underwent several months of public consultation, culminating this week in an announcement that nearly three-quarters of respondents supported the proposal.


Expanding the scope of the existing ban

Currently, all government departments nationwide are prohibited from paying cybercriminals to decrypt data or prevent it from being leaked. This rule is designed to protect the services and infrastructure the British public relies on from financial and operational disruption.

The proposal aims to expand the list of institutions that are obligated to follow the ban, but Adam Blake, CEO of cyber firm ThreatSpike, thinks that the scope still may not be broad enough to protect public services.

“Entities like schools and hospitals rely heavily on non-public sector businesses, such as managed IT companies that could also be targeted, and they are very likely to pay to recover systems,” he told TechRepublic in an email. “People will likely try to work around the restrictions and if we want to see this policy work effectively then companies like MSPs also need to be restricted from making ransom payments.”

All businesses will be required to report ransomware attacks and disclose their intention to pay up

In addition to expanding the ban’s scope, the proposal would require businesses that are not covered by it to notify the government of any intent to pay a ransom. Authorities could then advise the business on the legality of making the payment — paying a sanctioned criminal group is already illegal — and provide support throughout the process.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” Security Minister Dan Jarvis said in a statement. “By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”

The proposed legislation would also require organisations to report ransomware attacks within 72 hours of becoming aware of them. These measures aim to keep law enforcement up to date on who is being targeted and how, thereby aiding investigations into organised crime groups and the publication of advisories.

Banning ransomware payments could cause more issues than it solves

Banning ransomware payments carries risks. The health sector is classified as critical national infrastructure, so withholding ransom payments could affect patient care. In June, authorities confirmed that the Synnovis attack led to the death of one patient because disruptions delayed a blood test result. Dozens more were harmed.

Ransomware bans could also backfire. While some threat actors may be discouraged, others could escalate with more aggressive or personal threats, ransomware negotiators from Sygnia told TechRepublic. Some attackers are driven by data theft or disruption for geopolitical reasons rather than money, so a payment ban does not deter them at all.

In documentation outlining the UK’s ban proposal, the Home Office acknowledged the potential for the legislation to disproportionately impact small and micro-businesses “which cannot afford specialist ransomware insurance, or clean up specialists.” These businesses may struggle to recover from financial losses caused by operational disruption if they refuse to pay, face government penalties if they pay covertly, and encounter additional burdens from mandatory reporting requirements.

“A blanket decision to never pay ransom is a privilege that governments can afford,” Sygnia’s Guy Segal said. “But it is far less applicable in the business sector.”

In an email to TechRepublic, Kev Breen, senior director of cyber threat intelligence at training provider Immersive, said that a company refusing to pay a ransom could have wider negative consequences than simply damaging its own business.

“Some organisations have paid ransom demands not to recover infrastructure,” he said, “but to prevent the public release of large volumes of personally identifiable information (PII) – where the damage to individuals could be far greater than a service being offline.”

UK faces surge in cyberattacks, pushes for reform

The UK has experienced a surge in high-profile hacking events over the past year, including ransomware incidents targeting the British Library, supermarkets Sainsbury’s, Morrisons, Co-op, and M&S, and pathology company Synnovis, which disrupted NHS operations. In December, the head of the UK’s National Cyber Security Centre warned that the country’s cyber risks are “widely underestimated.”

In response, the government is intensifying its crackdown on cybercrime. A new rating system introduced in February classifies the severity of cyberattacks to give businesses and policymakers more precise insight into the impact of cyber threats. The Cyber Security and Resilience Bill, due to enter Parliament this year, aims to patch the holes in the country’s existing cyber regulations.

While ransomware is still a top concern, the proportion of businesses in the UK reporting cyber attacks and data breaches actually dropped in 2024 due to better cyber hygiene in small businesses.
