UK to Ban Ransomware Payments in Public Sector

Potential Ban on Ransom Payments in the U.K.
The U.K. government is considering new proposals that would prohibit public sector entities and organizations vital to national infrastructure from making payments to those responsible for ransomware attacks.
Consultation on a “Targeted Ban”
The U.K.’s Home Office initiated a consultation on Tuesday outlining a “targeted ban” on ransomware payments. This measure would prevent public sector organizations – encompassing local councils, educational institutions, and NHS trusts – from complying with ransom demands.
The government believes this action will directly undermine the cybercriminal business model by removing a key source of revenue.
Recent Cyberattacks and Their Impact
This proposal follows a recent surge in cyberattacks targeting U.K. public services. Last year, the NHS declared a “critical” incident after a cyberattack on Synnovis, a pathology lab provider.
This attack resulted in a significant data breach of sensitive patient information and caused months of disruption, including the cancellation of scheduled surgeries and the redirection of emergency medical cases.
Data obtained by Bloomberg indicates the Synnovis cyberattack led to adverse health outcomes for numerous patients, with at least two cases resulting in long-term or permanent health damage.
Expanding the Ban to Critical Infrastructure
The U.K. government’s proposals extend beyond the public sector. They would also establish a criminal offense for critical infrastructure organizations – including those in the energy and communications industries – to remit ransom payments following a ransomware attack.
U.K. government departments are already prohibited from paying ransomware groups.
Mandatory Reporting and Sanctions Enforcement
The proposals also introduce a new mandatory reporting requirement for ransomware incidents. Victims not covered by the ban would be obligated to report attacks to the government.
Furthermore, a program is suggested to prevent ransom payments to sanctioned entities, granting the government the authority to block such transactions.
Government Statements on the Threat
Security minister Dan Jarvis emphasized the scale of the problem, stating that approximately $1 billion was channeled to ransomware criminals globally in 2023.
Jarvis added: “It is vital we act to protect national security… hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.”
Statistics on Cyber Incidents
According to data released by the Home Office on Tuesday, the U.K.’s National Cyber Security Center handled 430 cyber incidents between September 2023 and August 2024.
This included 13 incidents classified as “nationally significant” ransomware attacks, primarily attributed to criminal groups with ties to Russia, who continue to represent an “immediate and disruptive threat” to the U.K.’s critical national infrastructure.
Recent Law Enforcement Actions
In October 2024, the U.K.’s National Crime Agency took action against a Russia-linked ransomware group, identifying an alleged affiliate of the LockBit organization.
LockBit had previously been connected to a cyberattack targeting NHS IT vendor Advanced.
Next Steps and International Context
The U.K. has not yet indicated whether it will present this measure to Parliament. The Home Office’s consultation period is scheduled to conclude in April 2025.
While the U.S. federal government has consistently discouraged paying ransom demands, it has not implemented a nationwide ban. However, a U.S.-led coalition of over 40 countries pledged in October 2023 to refrain from paying ransoms to cybercriminals, aiming to disrupt their financial resources.
