UK Proposals Under Consideration Could Ban Ransomware Payments for Public Sector, Strengthen Reporting Requirements

Jan 20, 2025

By and large, the governments of the world’s major economies have barred their central national-level agencies from making ransomware payments but have stopped short of going any further. That could change in the UK this year if a proposal now under consideration is adopted. The proposed rules would forbid the entire public sector from paying, including hard-hit NHS medical care providers and local councils.

The proposal is one of several being weighed as part of a 12-week consultation that runs until April 8. Other rules that might be adopted include forbidding privately owned critical infrastructure operators from making ransomware payments, and requiring government review of any payment that would go to a state-backed foreign hacking team or a sanctioned entity.

UK discussions follow attacks on the public sector, particularly the NHS

There is a general trend of increased interest in the public sector, both from profit-seeking criminals and from state-backed actors looking to worm their way into critical infrastructure. The UK has felt this in a number of ways recently, including disruptions to Royal Mail service and a screen outage at Bristol Airport. But the main motivator in this case appears to have been a rash of attacks on NHS facilities, some of which seriously disrupted patient care and exposed large amounts of sensitive data.

In the case of ransomware, the attacker is nearly always a profit-seeking criminal. Only a limited number of state-backed hacking teams have deployed it, primarily North Korea’s revenue-generating units and the occasional independent contractor working for the Chinese government. But ransomware payments are sometimes earmarked for funding terrorism, and some end up with sanctioned entities.

Profit-minded criminals generally do not care where the money comes from, and the public sector is increasingly seen as a “squishy” target whose IT programs grow weaker the further down the organizational hierarchy you go. Health care is additionally seen as an industry that cannot afford extended downtime because of the possibility of patient harm.

All of this leads back to the long-running debate over whether ransomware payments should be made illegal. Governments have generally been permissive on this point, at least for regional offices and private companies, since smaller organizations face an existential threat from a sudden attack and may have no real choice but to pay and hope the attackers keep their word about unlocking files. If the UK adopts the strictest of the Home Office proposals under consideration, it would be the first major economy to extend a payment ban this far.

New reporting requirements for ransomware payments also under consideration

It remains unclear which, if any, of the proposals will survive the deliberations over the next three months. It may turn out that only the reporting requirements for ransomware payments change. That change would still reach beyond the public sector, however, requiring any victim in the country to report a payment if it is going to a suspected state-backed hacker or a sanctioned entity.

As for predicting the outcome, the primary players in the UK government have sent mixed signals. The UK National Cyber Security Centre (NCSC) has long maintained a policy of discouraging but allowing payments outside the national government, but recent statements by its CEO suggest the agency would support adopting the stricter public sector standard. The Institute for Security and Technology’s Ransomware Task Force appears to remain opposed, sticking by its longtime position that smaller organizations cannot reasonably be expected to prevent or recover from ransomware attacks and could be destroyed if forced to refuse a payment.
