UK to ban ransom payments by public bodies
Jonathon Ellison, director of national resilience at the National Cyber Security Centre, said ransomware “remains a serious and evolving threat, and organisations must not become complacent”.
He said: “These new measures help undermine the criminal ecosystem that is causing harm across our economy.
“All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”
Nearly three-quarters of consultation responses backed the proposal, which would prohibit public sector bodies and operators of critical national infrastructure – including the NHS, local councils and schools – from paying ransom demands.
Industry estimates suggest ransomware gangs received more than US$1bn (£741m) globally from victims in 2023.
However, Alan Woodward, a computer security expert at the Surrey Centre for Cyber Security, noted that UK public authorities are not known to pay.
He said the new measures appear designed to make the UK’s position clearer to cybercriminal groups, including well-known offenders such as LockBit and Evil Corp.
Woodward said: “Some of the criminals may not know this and so communicating this could be valuable in that hackers will read that there is no point in attacking.
“I am not sure it will change anything in practice, but it puts everyone on notice so there can be no confusion.”
Businesses not covered by the ban would be required to notify the government if they intend to pay a ransom.
The Home Office said it could then offer advice, including alerts if any payment risks breaching the law by funding sanctioned cybercriminal groups, many of which are based in Russia.
Jarvis said: “By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”
He added that the aim was to “smash the cybercriminal business model”.
Consultation documents stated: “This type of crime only works if the potential victims are willing to pay the ransom that the gangs demand.
“Academic research suggests that criminals operating in this area will assess the level of ransom they can set, and the profit they will expect to make, against the probability that the victim will pay.”
