UK Government Moves to Ban Ransomware Payments

The UK government has announced plans to prohibit public institutions and operators of critical infrastructure from making ransom payments following ransomware attacks. This decision comes after a public consultation revealed that nearly 75% of participants support the initiative. The government aims to target the underlying business model of ransomware attacks and deter such entities from becoming attractive targets.

This ban will specifically apply to public bodies such as the National Health Service, local authorities, and educational institutions. Private companies not covered by this ban will be required to notify the government prior to making any ransom payments, particularly if those payments could violate sanctions, especially in cases involving Russian ransomware groups. Additionally, the government is preparing to implement reporting requirements that will assist law enforcement in taking action against those responsible for creating and distributing ransomware.

In its announcement, the government also urged organizations across the nation to enhance their cybersecurity measures. Recommendations include maintaining offline backups, preparing for extended operations without IT support, and practicing data recovery from backups regularly. Cybercrime, particularly through ransomware attacks, has caused billions in damages and poses significant risks to human lives. Recent reports highlighted a distressing case where a cyberattack directly contributed to a fatality due to delays in patient care.

According to research from blockchain analysis firm Chainalysis, ransom payments decreased significantly in 2024. The decline has been attributed to law enforcement measures, improved international cooperation, and a rise in the refusal to pay ransoms. The UK government is keen to continue this trend. Another contributing factor to the decline in ransom payments is the unreliable nature of criminal actors, as victims have often found that paying the ransom does not guarantee the return of their data. A study conducted last year concluded that a ban on such payments had not previously demonstrated a significant impact.