In a move to combat cybercrime, the UK government has announced a ban on ransomware payments by all public sector organizations and operators of critical national infrastructure, known as the UK ransomware payment ban. Security Minister Dan Jarvis says the initiative will “smash the cyber criminal business model.”
Source: Dan Jarvis
The proposed ransomware payments ban, following a months-long public consultation, extends existing restrictions that already prohibit central government departments from paying ransoms. Only, it will now extend to a range of public bodies, including the National Health Service (NHS), local councils, and infrastructure sectors such as energy and transport.
This policy is part of the UK’s ongoing efforts to address issues related to the UK ransomware payments ban and improve cybersecurity.
Ransomware is a malicious software that locks users out of computer systems until a payment, often in cryptocurrency, is made. The new ban is a part of the wider strategy to curtail the impact of ransomware.
In addition to the payment ban, the Home Office is proposing a new prevention and reporting regime. This would require organizations not covered by the ban to notify authorities if they intend to pay a ransom.
A new mandatory threshold-based reporting system is also under consideration. Under the plan, victims would be obligated to submit an initial incident report within 72 hours, followed by a detailed post-incident analysis within 28 days.
“The Home Office is determined to dismantle the ransomware economy and protect the vital services that people depend on,” Jarvis added.
“We will continue to work closely with industry to implement these measures effectively.”
How did the UK Public React to the Public Consultation on Ransomware Payments?
The new ban on ransomware payments is a result of a public consultation held between January 14 and April 8, during which 273 responses were received. Of those, 57% came from organizations, 39% from individuals, and 4% from other entities.
A significant majority nearing 75% supported the targeted ban on ransomware payments for public sector entities. However, only around 50% supported extending such a ban economy wide.
The proposed reporting regime drew 63% support, while 41% of respondents said the current voluntary system should be retained.
One area of contention was the question of penalties for victims who violate the proposed measures. While most respondents agreed that penalties were necessary, there was division over their nature.
Concerns were raised about the risk of criminalizing victims, with debate centering on whether sanctions should be civil or criminal in nature.
In response, the Home Office stated it would “continue to explore the most appropriate and proportionate penalties.”
The proposals follow warnings from the National Cyber Security Centre (NCSC), which in its 2024 Annual Review described ransomware as the “most immediate and disruptive threat” facing the UK. The impact of ransomware has already been felt across vital institutions.
A June 2024 attack on Synnovis, a medical testing provider, led to delayed surgeries and cancelled appointments. Similarly, an October 2023 attack compromised the British Library’s digital infrastructure.
As the UK moves to formalize its new cyber policy framework, further details including the implementation timeline and final penalty structures are expected to emerge in the coming months.
