
Ransomware payments prohibited for certain UK entities: Focus on public sector entities and operators of essential national infrastructure.

Certain firms in the UK may face restrictions from settling ransom demands in instances of ransomware attacks, as declared by the Home Office and National Cyber Security Centre.


The UK government is taking a decisive step against the growing threat of ransomware by implementing a targeted ban on ransom payments for public sector bodies and operators of critical national infrastructure. The initiative, which follows a public consultation, is intended to make these organisations less attractive targets, since attackers cannot expect to be paid, and to limit the operational and financial impact of attacks.

The proposed ban extends beyond government departments to cover all public sector bodies and critical infrastructure operators in sectors like energy, health services, education, and local government. Key details of the proposal include mandatory, threshold-based reporting regimes, creation of preventive measures, and a focus on disrupting the cybercriminal business model.

Under the accompanying mandatory reporting regime, victims would be required to notify the government within 72 hours of an attack and to provide a detailed analysis within 28 days; this reporting duty applies regardless of whether the victim is covered by the payment ban. Organisations not subject to the ban would also have to report when they intend to pay a ransom before doing so, giving the authorities a chance to intervene and further disrupt the cybercriminal business model.

The ban is still at the policy development stage, and the government intends to advance the measures in partnership with industry stakeholders. Some experts have raised concerns that the scope may still be insufficient: related private sector entities such as managed IT service providers, which often hold privileged access to public sector and infrastructure networks, may fall outside the ban and could undermine its effectiveness if they remain free to pay.

The ban comes in response to a series of high-profile ransomware attacks that have caused essential services to come to a standstill in the UK. One such incident resulted in the forced shutdown of a 158-year-old UK company, leading to the loss of 700 jobs.

The National Health Service, local councils, and schools are among the bodies prohibited from making ransom payments. The government and the National Cyber Security Centre (NCSC) emphasize that the purpose is to protect key services and businesses from disruption and strike against the cybercriminals' business model.

In addition to the ban, a mandatory reporting policy for ransomware attacks is in the works to equip law enforcement with essential intelligence. The UK government will also provide advice and support to businesses considering paying a ransom, including whether a payment would breach sanctions, since many ransomware groups are subject to UK sanctions and a large share are based in Russia.

The Home Office and the NCSC, in announcing the proposals, said the measures would lead the way in tackling ransomware and cited strong public support in the consultation responses. This stance was reaffirmed in January 2024, when the UK and Singapore jointly stated that they strongly discourage anyone from paying a ransomware demand.

In summary, the UK government is actively progressing a targeted ban on ransomware payments for the public sector and critical infrastructure. Complementary reporting and prevention measures are planned to enhance the response to ransomware threats. The ban is set to be formalized into law but is yet to be fully enacted and operationalized as of late July 2025.

  1. The UK government's move to ban ransom payments by public sector bodies and critical infrastructure operators is a decisive legislative step aimed at countering the growing threat from ransomware attacks.
  2. The ban, extending to sectors such as energy, health services, education and local government, is paired with mandatory reporting regimes and preventive measures, all focused on disrupting the cybercriminal business model.
  3. As the ban progresses through policy development in partnership with industry stakeholders, the concern that related private sector entities, such as managed IT service providers, may fall outside its scope and undermine its effectiveness still needs to be addressed.
