The UK government has unveiled ambitious plans to prohibit public sector organizations and critical infrastructure operators from paying ransoms to cybercriminals. The proposal, announced by the Home Office, aims to weaken the financial incentives driving ransomware attacks.
Under the proposed legislation, organizations including schools, NHS trusts, and local councils would be barred from making payments to hackers who hold their computer systems hostage. The ban would also extend to critical infrastructure businesses in sectors like energy and communications.
The move comes in response to mounting cyber threats against UK institutions. In a recent incident, an attack on NHS pathology provider Synnovis resulted in a major data breach and disrupted medical services, with some patients suffering long-term health impacts.
According to Home Office data, the National Cyber Security Centre handled 430 cyber incidents in the year ending August 2024, including 13 major ransomware attacks. Many were attributed to Russia-affiliated criminal groups.
Security Minister Dan Jarvis highlighted the scale of the problem, noting that ransomware criminals collected an estimated $1 billion globally in 2023. The proposed measures aim to "hit these criminal networks in their wallets," he said.
The plan includes three key components:
- A targeted ban on ransom payments by public sector and critical infrastructure organizations
- Mandatory reporting requirements for ransomware incidents
- A new regime requiring organizations not covered by the ban to report any intended ransom payment, which the government could block if the payment would go to a sanctioned entity
While UK government departments already operate under a ransom payment ban, this proposal would substantially expand its scope. The Home Office consultation on these measures will run until April 2025.
The initiative follows similar international efforts to combat ransomware. In October 2023, over 40 countries joined a US-led alliance pledging not to pay ransoms to cybercriminals.
Industry experts have called this the most substantial government intervention against ransomware to date, though some question whether sector-specific bans will effectively deter opportunistic cybercriminals.