The United Kingdom’s government is planning to prohibit public sector and critical infrastructure organizations from paying ransoms following ransomware attacks, while private companies will have to notify authorities if they intend to meet ransom demands.
Announced by Home Office security minister Dan Jarvis on Tuesday, the policy aims to send a clear message to global cybercriminals that the UK is united against ransomware. This follows major ransomware attacks on the British Library in 2023 and NHS hospitals in London last summer.
According to the government, nearly three-quarters of respondents to a recent consultation supported the move.
Three Entities Affected by the Proposed Legislation
- Local councils
- Schools
- The publicly funded National Health Service (NHS)
Rationale Behind the Ban
Ransomware gangs reportedly extorted over $1bn globally in 2023.
“Ransomware is estimated to cost the UK economy millions of pounds each year,” the UK government stated.
Recent high-profile attacks have demonstrated the severe operational, financial, and even life-threatening risks posed by ransomware.
The goal of the ban is to undermine the business model of cybercriminals and reduce the appeal of targeting vital public services.
Alan Woodward, a cybersecurity expert at the Surrey Centre for Cyber Security, noted that UK public authorities rarely pay ransoms anyway. He said the new policy seems intended to send a clear signal to hacker groups like LockBit and Evil Corp:
“Some criminals may not realise this, so communicating it could deter attacks. It won’t change much in practice, but it removes any doubt.”
Reporting Requirements for Private Sector Businesses
Under the proposed measures, businesses not covered by the ban would:
- Be required to notify the government if they intend to pay a ransom
- Seek guidance to ensure payments do not violate laws, especially those related to sanctions on cybercriminal groups, many based in Russia
A mandatory reporting system is also being created to:
- Provide law enforcement with essential information to investigate attacks
- Support victims of ransomware incidents
Context: Ransomware as a National Security Threat
The announcement follows a public consultation in January proposing:
- A ban on ransomware payments for public sector and critical infrastructure
- Mandatory reporting of ransomware incidents
Both the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) consider ransomware the greatest cybercrime threat and a national security risk.
In recent years, several high-profile ransomware attacks have impacted UK organizations:
- NHS and British Library: Both previously targeted by ransomware groups
- Marks & Spencer (M&S): In April, M&S suffered a breach involving a DragonForce encryptor on VMware ESXi hosts, forcing the retailer to halt online orders and disrupting operations across 1,400 stores
- Co-op: Confirmed data theft affecting current and former members
- Harrods: Restricted internet access to some sites after a network breach attempt
Government’s Position & Industry Collaboration
Security Minister Dan Jarvis said:
“We’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”
Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on.
In addition to the proposed new measures, the government continues to urge organisations across the country to strengthen their ability to maintain operations in the event of a successful ransomware attack. This includes having offline backups, tested plans to operate without IT for an extended period, and a well-rehearsed strategy for restoring systems from backups.
Cyber criminals have not only cost the nation billions of pounds but in some cases have brought essential services to a standstill.
The devastating consequences are not just financial but can put lives in danger, with an NHS organisation recently identifying a ransomware attack as one of the factors that contributed to a patient’s death.
These attacks have brutally exposed the alarming vulnerability at the core of our public and private institutions, from flagship British retailers and essential supermarkets including the Co-op to NHS hospitals.
British Library Chief Executive Rebecca Lawrence said:
The British Library, which holds one of the world’s most significant collections of human knowledge, was the victim of a devastating ransomware attack in October 2023.
NCSC Director of National Resilience Jonathon Ellison said:
These new measures help undermine the criminal ecosystem that is causing harm across our economy.
Co-op CEO Shirine Khoury-Haq said:
We know first-hand the damage and disruption cyber-attacks cause to businesses and communities. That’s why we welcome the government’s focus on Cyber Crime.
These robust proposals are part of the government’s Plan for Change to defend businesses, services, and infrastructure against cyber threats to better protect the public.