Wednesday, July 23, 2025

UK Advances Ban on Public Sector Ransomware Payments

The UK government is pushing forward with a ban on ransomware payments for public sector bodies and operators of critical national infrastructure, according to proposals released Tuesday following a public consultation. The move extends an existing ban on government departments to include entities such as energy companies, the health service, and local councils.

The proposals aim to disrupt the business model of cybercriminals by removing financial incentives for ransomware attacks. UK Security Minister Dan Jarvis emphasized the importance of protecting vital services and collaborating with industry partners to advance the initiative.

In addition to the payment ban, the government is considering a prevention regime that would require businesses not covered by the ban to report any intent to pay a ransom. Another key element is a mandatory reporting system: victims would need to report key details of an attack within 72 hours and submit a comprehensive analysis within 28 days.

The Home Office launched a public consultation from January 14 to April 8, receiving 273 responses—57% from organizations, 39% from individuals, and 4% from others. Nearly 75% supported the targeted ban, though opinions on a broader economy-wide ban were divided.

A threshold-based reporting system received strong backing, with 63% in favor, while only 41% supported maintaining the current voluntary system. Concerns emerged over penalizing victims, especially around whether penalties should be criminal or civil. The Home Office said it will further explore suitable and proportionate consequences.

Ransomware remains a top cyber threat, as highlighted in the UK’s 2024 National Cyber Security Centre Annual Review. Recent attacks have had severe impacts, including a June 2024 breach at Synnovis that disrupted elective medical procedures, and an October 2023 incident at the British Library that caused ongoing outages.

Globally, similar measures are under consideration. Australia recently enacted laws requiring ransomware demand reporting, while U.S. lawmakers are debating budget limits tied to cybersecurity enforcement. The UK’s proposed regulations mark a firm stance against ransomware as threats to national infrastructure escalate.
