UK floats ransomware payout ban for public sector
Stronger proposals may also see private sector applying for a payment 'license'
A total ban on ransomware payments across the public sector might actually happen after the UK government opened a consultation on how to combat the trend of criminals locking up whole systems and taxpayers footing the bill.
The consultation will consider views on extending the ransom payment ban from central government departments to all public services including hospitals, schools, local authorities, and state-operated transport networks.
Announced today, the 12-week consultation will run from January 14 to April 8 and explore three proposals, the first of which is the total payment ban for the public sector and critical national infrastructure (CNI) organizations.
The overarching notion is to make the prospect of targeting these sectors undesirable for financially motivated criminals. It would also involve mandatory reporting of incidents to support law enforcement and intelligence agencies.
Secondly, "a ransomware payment prevention regime," as the Home Office is calling it, would take the first proposal even further. This idea assumes that a public sector payment ban would be implemented, and then additionally require that any organizations and businesses not covered by an existing ban seek the government's approval before they pay the ransom. It would be something of a ransomware payment "license," which may or may not be issued depending on the nature of the incident.
A pan-industry approach would also see the nation's crime-fighting forces empowered with additional data to inform ongoing investigations and operations, although the consultation will also consider whether the rules would only apply to attacks that meet a certain threshold.
The third and much weaker approach proposes to implement a mandatory reporting law for ransomware incidents (so no ban). This would provide the UK's cyber-crime fighters with as much data as possible to better inform their investigations (and potentially their disruption efforts à la LockBit), but it is certainly not as powerful as the other ideas on the table.
Like the second proposal, the consultation will consider whether the rule will be for all organizations and individuals or be based on an attack meeting a specific threshold.
"Driving down cybercrime is central to this government's missions to reduce crime, deliver growth, and keep the British people safe," security minister Dan Jarvis said in a statement.
"With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this Government's Plan for Change is built.
"These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.
"Today marks the beginning of a vital step forward to protect the UK economy and keep businesses and jobs safe."
As part of its first Cyber Security Act, Australia introduced mandatory incident reporting rules in November 2024 requiring organizations to report ransomware attacks, provided they meet the revenue threshold. This was set at AU$3 million ($1.845 million), which captures approximately 6.56 percent of Australian businesses, according to the country's Cyber and Infrastructure Security Centre.
Given the UK's close political and economic ties to Australia, a similar threshold or percentage of British organizations may be considered if the rule were to be mirrored.
No major economy has taken steps toward banning ransom payments on quite the scale as that being described in some of the UK's proposals today. It would be a monumental moment for cyber policy should they be passed and implemented.
The UK's NCSC appears to be onside with the consultation too, with new CEO Richard Horne saying: "This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs.
"Organizations of all sizes need to build their defenses against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organizations. In addition, using proven frameworks like Cyber Essentials, and free services like NCSC's Early Warning, will help to strengthen their overall security posture.
"And organizations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks. This isn't just about having backups in place: Organizations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups."
Time to debate… again
So, for 12 weeks, UK policymakers and cybersecurity experts will once again debate the effectiveness of potential approaches to disrupting ransomware.
The pros and cons of both sides of the ransomware payment ban debate have been well told by now. Both camps have fierce proponents fighting their corner, although most agree some sort of middle ground will likely be best. The issue is largely driven by what compromises are and aren't acceptable.
Ciaran Martin, the founding CEO of the UK's NCSC, famously opined last year in national news that ransom payments should be banned, with the resulting debate quickly reaching fever pitch.
He argued that many of the arguments against the ban were "terrible," closing the short piece by saying simply: "We have to find a way of making a ransom payments ban work."
Opponents argue that a ban would bring various unintended negative consequences that would worsen the way ransomware is handled. Arguments include victims possibly pursuing other illicit means to compensate ransomware operators or recover their data, which in turn may discourage their engagement with law enforcement.
The standpoint is one that's adopted even at the highest levels, such as the Institute for Security and Technology's Ransomware Task Force.
One of the co-chairs on that task force, security expert Jen Ellis, said in an online debate on the matter, hosted by the Royal United Services Institute (RUSI) last year, that the idea that policymakers can simply force organizations to become resilient to ransomware is "great" but "completely disconnected from reality."
She said it's not a case of organizations being too lazy to meet resilience standards, but instead there are "a million and one incentives that operate in the wrong direction." Examples of these include affordability, technical awareness, and maturity.
Another related factor is that criticism has been leveled at the cyber insurance industry for making ransom payments easier, providing organizations with access to liquidity for doing so.
Ellis and Jamie McColl, research fellow at RUSI, both also pointed out that, at the time, a small number of US states had banned government departments from paying ransoms with little to no impact on attack frequency.
Although banning ransom payments may seem like the easy, one-click solution to ransomware – cutting the crims off where it hurts – ushering in that change won't be an easy feat for the UK government should it choose to go ahead with this.
Nevertheless, the UK's cyber situation worsens with each year. The NCSC's most recent annual review revealed the number of security threats that reached the agency's maximum severity threshold tripled compared to 2023.
The number of nationally significant incidents and cases of ransomware also rose year on year, suggesting the current approaches to combating the crime aren't cutting it.