UK considering mandatory reporting for ransomware attacks

Plan also includes a complete ban on ransom payments from organisations running critical infrastructure


The government is planning a major shift in its fight against ransomware attacks, proposing a policy that mandates the reporting of all ransomware incidents and requires victims to obtain a license before making any ransom payments.

As reported by Recorded Future, the plan will be included in a public consultation next month.

Officials believe the true scope of the ransomware problem is underreported, as many victims keep attacks secret. Both the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have previously expressed concerns about this trend.

In March, Ciaran Martin, founding CEO of the NCSC, renewed calls for a ban on ransom payments to hackers, likening the practice to financing terrorist activities.

In an opinion piece, Martin underscored the urgency of implementing such a ban to curtail the flourishing $20 billion criminal ransomware industry. He said rewarding criminality only serves to incentivise further attacks.

According to Recorded Future, the proposed mandatory reporting would require all victims of ransomware attacks, including businesses and individuals, to notify the government. Additionally, the plan includes a complete ban on ransom payments by organisations that manage critical national infrastructure.

However, the success of the initiative could depend on a functional replacement for Action Fraud, the UK's current cybercrime reporting platform. The replacement service, being built by outsourcer Capita, has experienced delays - perhaps unsurprisingly.

Another key element of the proposed policy is the licensing regime for ransom payments. While details are still being developed, the goal is to provide a regulated framework for these payments. This could deter victims from making hasty decisions and potentially reveal alternative solutions.

Critics, however, worry that the application process might hinder recovery efforts, exacerbating the damage caused by an attack.

Sarah Armstrong-Smith, Chief Security Advisor at Microsoft, is concerned that banning ransomware payments targets the wrong end of the cyberattack process and potentially constitutes a form of victim blaming. Speaking at the launch of BlueVoyant's new SOC last month, she said:

"The problem is it chastises the victim. We're putting more pressure back onto the victim as opposed to what we're doing with the perpetrators. What are we doing to help law enforcement? What are we doing to actually go after and dismantle the criminal infrastructure? How do we stop them being able to go across jurisdictions and carry out money laundering? We need more emphasis there and to look at it more holistically as opposed to chastising victims."

The proposals are in the early stages and will undergo public consultation before becoming law. This consultation will allow businesses, cybersecurity experts, and other stakeholders to voice their opinions.

Although the timeline for implementation is uncertain (and the announcement yesterday by the Prime Minister that a general election will take place on 4th July makes it even more so), the move represents a significant step forward for the UK, a co-leader of the Counter Ransomware Initiative (CRI).

Last year, the members of CRI pledged to never pay cybercriminal ransoms and to collectively work toward disrupting their financial systems.

The countries made the agreement at a summit in Washington, D.C. in November, where they finalised a set of policies intended to cripple the ransomware payments market.

The CRI's key components include sharing data on ransomware perpetrators and techniques, and establishing a "blacklist" of information about digital wallets used to facilitate ransomware payments. The initiative also aims for swift action to shut down threats stemming from inside an ally's borders.

The goal of these measures is to reduce member governments' vulnerability as potential targets, by eliminating the economic incentive for ransomware attacks.

A UK government spokesperson said that addressing the ransomware issue was a key priority for the government.

The announcement follows previous criticisms of the UK's handling of ransomware. A parliamentary report last year highlighted a "high risk" of a "catastrophic" attack due to perceived shortcomings in the Home Office's response.

Data from the ICO revealed a record number of ransomware-related data breaches by UK organisations in 2023, underscoring the growing urgency for action.

There have been increasing calls to boost funding for efforts to disrupt ransomware gangs. The government spokesperson pointed to the recent takedown of ransomware group LockBit as evidence of the UK's proactive approach.

"The UK is also strengthening the global response to ransomware, securing an unprecedented international agreement to denounce payments," the spokesperson said.

"We will continue to work with our international partners, law enforcement agencies and industry on this vital issue."