Government considering private and public sector ransom payment crackdown

Brings the entire public sector in line with government departments

The government is considering proposals to change how the public and private sectors treat cybercriminals’ ransom demands.

The plans, which have been described as “the most significant intervention against ransomware by any national government to date,” will ban all public bodies – including the NHS, schools and councils – from making ransomware payments.

That would bring the rest of the public sector into line with government departments, which are already banned from paying ransomware operators.

The ban will also apply to operators of critical national infrastructure, like the National Grid.

While the ban will not apply to private companies, a second proposal, the payment prevention regime, would require them to report any planned ransom payment to the government. The government could then block a payment if it would go to a sanctioned entity.

Finally, a third proposal, a ransomware incident reporting regime, would require victims to report incidents within a set period.

Security minister Dan Jarvis said, “With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security.

“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.”

The proportion of global victims willing to pay ransomware operators has been falling for years, to less than a third in Q1 2024, due to a confluence of factors. These include a sensible distrust of criminals’ promises, tighter cybersecurity, and increased regulatory pressure.

Outside of government departments it is not (yet) illegal to pay a ransom in the UK unless you know or suspect the payment is going to a terrorist organisation, or the recipient is a sanctioned entity, but it is strongly discouraged by cyber bodies like the NCSC.

Jamie MacColl, a research fellow at the Royal United Services Institute think tank (which tends towards a pro-government stance, and has links to the state and military), called the proposals “the most significant intervention against ransomware by any national government to date.”

However, he added, a selective payment ban may not work, as ransomware operators will simply hit any victim they can – regardless of their ability to pay.

Ali Vaziri, a partner in the Data, Privacy and Cyber practice at law firm Lewis Silkin, also noted that a ban may not have the intended effect.

“Not only are most commercially-incentivised threat actors notoriously indiscriminate when it comes to targets, but hostile states are also involved in ransomware operations – their very aim is to disrupt lives, so a payment ban will not make a difference to them.

“More importantly perhaps is the fact that the UK public is unlikely to be forgiving when critical services they rely on for their medical treatment and commute to the office, for example, are taken offline, with restoring operations taking much longer and costing much more than had a payment been made.”

The NHS and Transport for London were among the public sector organisations attacked last year.