
Ransomware payment prohibition for selected organizations in the UK, focusing on public sector bodies and critical infrastructure operators.

Ransomware payment prohibitions for certain organizations may be implemented, as declared by the UK Home Office and the National Cyber Security Centre.

Ransomware payments will be prohibited for certain organizations in the UK, with a focus on public sector bodies and entities managing critical national infrastructure.


The UK government has announced a proposal to ban ransom payments in response to the escalating threat of ransomware attacks on public sector bodies and critical national infrastructure (CNI). This move is aimed at disrupting the business model of cybercriminals and making public services less attractive targets.

The proposed ban will apply to all public sector bodies, including the National Health Service (NHS), local councils, and schools, as well as operators of critical national infrastructure such as energy and data centers. The ban is a result of extensive consultation with stakeholders across the UK, which showed strong public backing for tougher action to tackle ransomware and protect vital services.

While the ban is under consideration, businesses not covered by it will be required to notify the government if they intend to pay a ransom. The government will offer advice and warn about potential legal consequences, especially if payments are made to sanctioned groups. A mandatory reporting system is also proposed, requiring victims to report key details within 72 hours of an attack and provide a more detailed analysis within 28 days. The government is considering penalties for noncompliance with the proposed regulations.

The proposal received significant support during a public consultation, with nearly three-quarters of respondents backing the ban. The consultation began in January 2025 and concluded with the announcement that the ban would move forward.

Ransomware is considered a major cybercrime threat in the UK, capable of disrupting essential services and costing billions of pounds. Recent data shows a decline in ransomware attacks globally, with a 35% decrease reported in the past year. However, the UK government emphasizes that paying a ransom does not guarantee the recovery of data or the prevention of future attacks.

This move by the UK government follows a similar stance taken by Singapore in January 2024, which strongly discouraged anyone from paying a ransomware demand. The UK Home Office and National Cyber Security Centre (NCSC) have proposed this ban as part of efforts to bolster national security and protect key services and businesses from disruption.

In a tragic incident, a ransomware attack was identified as one of the factors contributing to a patient's death in an NHS organization. A 158-year-old UK company was also forced to shut down following a ransomware attack, resulting in the loss of 700 jobs. These incidents underscore the need for strong action against ransomware attacks.

The UK government will provide advice on whether such a payment would violate sanctions on Russia, given the alleged links between some ransomware groups and Russian-based cybercriminals. This proposal marks a significant step towards protecting the UK's national security and critical infrastructure from the threat of ransomware attacks.

The UK government's proposed ban on ransom payments is designed to disrupt the business model of cybercriminals and protect vital services, particularly public sector bodies like the National Health Service (NHS), local councils, schools, and operators of critical national infrastructure such as energy and data centers. This policy and legislative initiative is a response to the escalating threat of ransomware attacks and follows similar stances taken by other countries, including Singapore. The proposed ban is part of broader efforts to bolster cybersecurity, combat ransomware threats, and safeguard the UK's national security and critical infrastructure.
