
UK Government measures to tackle ransomware

by Mark Rowe

Businesses will be required to notify the government of any intent to pay a cyber ransom, the UK Government says. Public sector bodies and operators of critical national infrastructure, including the NHS, local government and schools, would be banned from paying ransom demands.

Home Office Security Minister Dan Jarvis said: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”

The government points to recent attacks on retailers such as the Cooperative, as well as on NHS hospitals and the British Library (pictured). At the UK's official National Cyber Security Centre (NCSC), Director of National Resilience Jonathon Ellison said: “These new measures help undermine the criminal ecosystem that is causing harm across our economy. Ransomware remains a serious and evolving threat, and organisations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”

This arises from the Home Office consultation, held from January to April, on proposals to introduce legislation to counter ransomware, which the Government describes as ‘the most significant cyber national security threat facing the UK’. The consultation found that respondents mostly supported its proposed ‘targeted ban on ransomware payments for CNI [critical national infrastructure] owners and operators and the public sector, including local government’. The requirement to notify the authorities is intended to provide law enforcement with intelligence.

Comments

Kev Breen, senior director of cyber threat intelligence at Immersive, raised the danger that this will push companies away from reporting. He said: “If the option is to recover quickly by paying, versus not being able to recover because you’re banned from doing so, the temptation may be to pay and simply not report it. We’ve already seen ransomware groups delay publishing the names of impacted organisations, only doing so later in the process to apply more pressure. There are concerns that ransomware groups may respond to payment bans with more brutal and destructive tactics.

“There are many moral considerations here. While it’s always easy to say ‘never pay’, the reality is far murkier. Some organisations have paid ransom demands not to recover infrastructure, but to prevent the public release of large volumes of personally identifiable information (PII) – where the damage to individuals could be far greater than a service being offline.

“We can draw some parallels with hostage negotiations and ransom payouts. Some organisations have specific insurance policies and processes in place, including support from governments or other nations, to facilitate ransom payments. This also doesn’t address the underlying issue: cybersecurity is expensive. Both people and technology are becoming more costly, and cybersecurity teams are often viewed as loss-makers. They don’t generate revenue – only costs. It’s easy to overlook the hidden savings they provide in the event of an incident.”

At the market analysis firm Forrester, principal analyst Allie Mellen said: “While banning organisations from providing ransomware payouts sounds good in theory, it is a disaster in practice. If an organisation is paying a ransom, it is because they have no other option, not because they want to. While it’s unfortunate that ransomware payouts happen, the better effort should be spent on supporting organisations in protecting against these kinds of attacks. We absolutely recommend discouraging paying the ransom, but to ban it outright is unrealistic and detrimental to the organisations they look to protect.”

Arda Büyükkaya, Senior Cyber Threat Intelligence Analyst at EclecticIQ, welcomed Government-led coordination on ransomware disruption. “As attackers evolve their tactics and exploit vulnerabilities across sectors, timely intelligence-sharing becomes critical to mounting an effective defence. Encouraging businesses to report incidents more consistently will help build a stronger national threat intelligence picture, something that’s important as these attacks grow more frequent and become sophisticated.

“That said, it’s equally important that the government provides clear guidelines and support frameworks that reassure organisations. Many victims still hesitate to come forward due to concerns around reputational damage, legal exposure, or regulatory fallout. Without mechanisms that protect and support victims, underreporting will remain a barrier to national cyber resilience.”

And Matt Cooke, Cybersecurity Strategist at Proofpoint, said: “Ultimately, what we’ve got is cybercrime, which is fuelled by money. Whilst that money is readily available, cybercrime will continue in the same way as every other crime on the street. That’s why the government’s new plan to ban ransomware payments for our critical services and public bodies is such a vital step. The big challenge, though, is that ransomware generally starts with a person in an organisation being targeted. It wouldn’t be hard for someone to find your email address and target you. So we need to tackle that challenge on two fronts: making it harder for attackers to get in, and ensuring ransomware payments dry up.”

Photo by Mark Rowe: British Library entrance gate, St Pancras. For more about the British Library cyber attack, visit https://www.bl.uk/about/cyber-attack.
