The United Kingdom government is contemplating a comprehensive ban on ransom payments in response to ransomware attacks targeting the public sector. On January 14, a 12-week consultation commenced to deliberate on three primary approaches to address this issue.
The first proposal advocates for a complete prohibition on ransom payments by government institutions and critical infrastructure entities. This measure aims to diminish the appeal of these targets to cybercriminals and significantly reduce their revenue streams.
The second approach suggests stricter oversight: in addition to banning payments for public sector organizations, private entities and companies outside this category would be required to obtain government approval before making any payments. This would introduce a system of “ransom licenses,” granted only in exceptional circumstances.
The third option is less radical, requiring mandatory reporting of ransomware incidents to authorities without enforcing a ban on payments. While this would provide law enforcement with more data for investigations, it is unlikely to substantially reduce criminals' incentive to attack.
UK Security Minister Dan Jarvis emphasized that combating cybercrime is a core priority for the government to safeguard citizens and protect the national economy. He noted that ransomware groups amassed approximately $1 billion in 2023, necessitating urgent action.
The National Cyber Security Centre (NCSC) supports the initiative. Its new director, Richard Horne, stressed that organizations of all sizes must bolster their defenses, adopt proven solutions, and rigorously test their recovery plans for potential attacks.
International precedents are also being considered. In Australia, mandatory ransomware reporting regulations have been implemented for organizations meeting certain revenue thresholds. The UK could adapt this approach by establishing similar criteria for companies.
Opponents of the ban argue that such measures could lead to unintended consequences. Some victims may attempt to bypass the prohibition by concealing attacks from authorities, complicating investigations. Additionally, critics point out that many companies are insufficiently prepared to prevent such attacks.
Nevertheless, the frequency of cyber incidents in the UK is rising. According to the NCSC, the number of attacks reaching the highest severity level tripled last year, underscoring the pressing need for new strategies.