The UK government has put forward proposals to ban public sector bodies and critical infrastructure organizations from paying ransoms to ransomware attackers. The move is aimed at undermining the core business model of cyber criminals, curbing the growing number of attacks, and addressing a threat that endangers society as a whole.
Proposal Content
The UK Home Office has launched a public consultation proposing a “targeted ban” on ransomware payments. Under the proposal, public sector institutions, including local councils, schools and National Health Service (NHS) trusts, would be prohibited from paying ransoms to ransomware attackers. The government said the measure would “strike straight at the heart of the cyber criminal business model.”
The proposal would extend the ban to critical infrastructure operators (such as energy and communications companies), making it a criminal offence for them to pay a ransom. Alongside the ban, the UK plans to establish a mandatory ransomware incident reporting regime, requiring victims not covered by the ban to report incidents to the government. The government would also gain the power to block ransom payments to sanctioned entities, so that funds cannot flow to prohibited recipients.
Background and Motivation
The proposal follows a series of cyberattacks on the UK public sector. Last year, pathology laboratory service provider Synnovis suffered a ransomware attack that exposed a large volume of sensitive patient data and caused months of disruption, including cancelled operations and the diversion of emergency patients. The NHS declared a “critical incident” as a result. The Synnovis attack harmed dozens of patients, causing long-term or permanent health damage in at least two cases.
Currently, only UK government departments are prohibited from paying ransoms to ransomware gangs. The new proposal would extend that prohibition to the wider public sector and to critical infrastructure operators such as energy and communications companies, for whom paying a ransom would become a criminal act. It would also introduce the mandatory incident reporting regime for victims outside the ban and give the government the power to block payments to sanctioned entities.

Public Consultation
Before the proposals can take effect, they are expected to require further refinement and possibly new legislation. Public consultation is a standard feature of the UK legislative process: it is held while policy is being developed so that everyone affected has the opportunity to give the government their views. Once a consultation closes, the government usually takes up to 12 weeks to publish its response, after which it may amend existing law or introduce new legislation to address the problem.
Even if the proposals cannot be implemented immediately, they mark a significant step forward in governments’ response to the ransomware crisis. The UK co-leads policy development within the Counter Ransomware Initiative, an international multilateral forum with 49 member states, and other members may follow its lead.
Cyber Security Situation
UK Security Minister Dan Jarvis said: “The global flow of money to ransomware criminals is estimated at $1 billion in 2023. We must take action to protect national security, which is a key foundation of the government’s Plan for Change.” He added: “These proposals help us deal with the scale of the ransomware threat, crack down on the economic sources of these criminal networks, and cut off the key funding chain on which they rely for operation.”
According to UK Home Office data, in the year ending August 2024 the UK National Cyber Security Centre (NCSC) handled 430 cyber incidents, including 13 ransomware incidents of “national significance”, mainly carried out by criminal gangs linked to Russia and posing a threat to the UK’s critical infrastructure. In October 2024, the UK National Crime Agency took action against the LockBit ransomware gang, which was linked to the cyber attack on NHS IT supplier Advanced.
The UK has not yet said whether the measure will be submitted to Parliament, and the Home Office consultation closes in April 2025. In the United States, the government has long urged victims not to pay ransoms, but no national ban has been enacted. In October 2023, a US-led coalition of more than 40 countries pledged that, as governments, they would not pay ransoms to cyber criminals, in order to cut off attackers’ sources of income.