UK Proposes Expanded Ban on Public Sector Ransomware Payments
The UK is advancing plans to broaden a ban on ransomware payments, extending the prohibition to cover public sector bodies and operators of critical national infrastructure (CNI).
Expanded Ban Coverage
Proposed measures, following a public consultation that ran from January 14 to April 8, would ban ransomware payments by:
- Public sector bodies, extending the existing prohibition on central government departments to the wider public sector
- Operators of critical national infrastructure and other essential services, in sectors including energy, health services, and local councils
A related payment prevention regime would apply to organizations not covered by the ban, which includes most of the private sector: a victim would have to report its intention to pay to the authorities before any payment is made, so the decision can be reviewed before money changes hands.
Enhanced Reporting Requirements
The proposals also contemplate:
- A mandatory, threshold-based reporting system requiring victims above the threshold to notify the UK government within 72 hours of an incident.
- A further obligation to submit an in-depth report on significant attacks, detailing "key operational information", within 28 days.
Government’s Stance
“The Home Office is determined to smash the cyber criminal business model,” said UK Security Minister Dan Jarvis. “We aim to protect the services we all rely on, working in partnership with industry to advance these measures.”
Ransomware Context
Ransomware, malware that encrypts a victim's files or systems and withholds the decryption key until a ransom is paid (and, in many current campaigns, also steals data to extort the victim a second time), declined globally in 2024, although other threat vectors such as wallet compromise and phishing remain significant concerns.
Consultation Results Indicate Support for Ban
An analysis of 273 consultation responses revealed broad consensus:
- Approximately 75% of respondents supported a ban on ransomware payments specific to the public sector and CNI.
- Slightly more than one-fifth opposed such a ban.
- A wider, economy-wide ban drew less enthusiasm: around 48% supported it, while 52% opposed it.
- Threshold-based reporting enjoyed strong backing (63% in support), although a voluntary reporting system retained considerable support (41%).
Respondents viewed penalty mechanisms as necessary, but concerns remain about their fairness and the risk of inadvertently criminalizing victims who are already under duress.
Urgent National Concern
The 2024 National Cyber Security Centre Annual Review identified ransomware as "the most immediate and disruptive threat" and detailed recent impacts, including forced shutdowns: the 2024 attack on pathology provider Synnovis disrupted clinical services, and the October 2023 attack on the British Library took its online services offline.
Internationally, the US House recently proposed cutting funding for rules requiring public companies to disclose cyber incidents, while Australia has implemented mandatory ransomware payment reporting for many businesses.
Geopolitical Ransomware Crackdown
Ransomware is disrupting governments and businesses alike, and legislation and enforcement are only gradually catching up. Recent developments signal a global effort to clamp down, particularly on the payment flows that fund attackers and on the consequences attacks have for essential services.
Payment bans remain controversial, but they are appearing in more jurisdictions. The UK has pushed ahead with a ban that would stop public bodies and operators such as water authorities from giving in to a demand.