UK public bodies to be banned from making payments to ransomware gangs

"These new measures help undermine the criminal ecosystem that is causing harm across our economy."


The UK government has announced that public organisations and critical services will be banned from paying money to ransomware gangs.

In a move designed to make Britain's public sector less attractive to digital extortionists, hospitals, businesses and other key services will be prevented from bowing to criminal demands and handing over money.

Ransomware is estimated to cost the UK economy millions of pounds each year, the government said (which sounds like something of an underestimation), with recent attacks "highlighting the severe operational, financial, and even life-threatening risks."

Dan Jarvis, Security Minister, said: "Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on.

"That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change.

"By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware."

Consulting on the ransomware crisis

The new rules were introduced following a consultation in which almost three-quarters of respondents supported the public sector ransom ban.

It's hoped the prohibition will "target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups."

Businesses also face new rules and will be required to tell the government if they intend to pay a ransom, whereupon they will be warned if a payment could end up breaking the law by sending money to sanctioned criminal threat actors such as those known to work from Russia.

Mandatory reporting measures are also under development, aimed at providing law enforcement with critical intelligence to track offenders, disrupt their operations, and improve support for victims. Consultation feedback showed strong backing for a new mandatory reporting regime to strengthen protection for UK organisations and industry.


Jonathon Ellison, NCSC Director of National Resilience, said: "These new measures help undermine the criminal ecosystem that is causing harm across our economy. Ransomware remains a serious and evolving threat, and organisations must not become complacent.

"All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens."

The government also urged organisations across the country to focus on developing the resilience that will enable them to maintain operations after a ransomware attack. This includes ensuring offline backups are available and that restoring them is "well-rehearsed", as well as setting plans to operate without IT for an extended period.

Ransomware is starting to have consequences that are more than financial, with the NHS recently revealing that an attack contributed to a patient’s death.

Ransomware victims speak out

The British Library was one of the most famous victims of ransomware. British Library Chief Executive Rebecca Lawrence said: "The British Library, which holds one of the world’s most significant collections of human knowledge, was the victim of a devastating ransomware attack in October 2023.

"The attack destroyed our technology infrastructure and continues to impact our users, however, as a public body, we did not engage with the attackers or pay the ransom. Instead, we are committed to sharing our experiences to help protect other institutions affected by cybercrime and build collective resilience for the future."


The Co-Op was also targeted during a blitz on the High Street, as hackers "smelt blood in the water".

Shirine Khoury-Haq, CEO, added: "We know first-hand the damage and disruption cyber-attacks cause to businesses and communities. That’s why we welcome the government’s focus on Cyber Crime.

"What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future."

Westminster vs ransomware gangs

Will the measures be enough to protect British businesses? That depends on the choices organisations take, said Jamie Moles, Senior Technical Manager at NDR provider ExtraHop.

"This is a bold move by the UK government, but implementation will be everything," he warned. "Organisations that haven’t already bolstered their cyber defenses will be susceptible to significant downtime if attacked by a ransomware group with no way to pay the problem away. This goes even deeper for public service organisations, like health services or critical infrastructure, which could have catastrophic consequences if impacted by threats like ransomware.

"The onus remains on organisations to take the needed measures to protect themselves from this increasingly sophisticated threat, including unparalleled visibility into the network to detect ransomware before any lateral movement or data exfiltration occurs."
