UK To Ban Ransomware Payments By Public Sector Organizations
The UK government is proposing to “ban” public sector organizations and critical national infrastructure from paying criminal operators behind ransomware attacks, under new measures outlined today.
This means the NHS, local councils and schools – all of which have been in the crosshairs of various miscreants in recent years – will no longer be able to negotiate with the scumbags that lock up their systems and extort them. Almost three quarters of respondents to a government consultation backed this, we’re told.
The idea is to make the public sector and CNI (which includes utilities and datacenters these days) less attractive targets for financially motivated attackers. The exact timeframe for implementing the proposals was not confirmed today.
“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said Security Minister Dan Jarvis in a statement. “That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change.”
This is part of the latest crackdown by the UK government on cybercrime: the Cyber Resilience Bill is expected to enter Parliament this year, designed to bolster NIS 2018 regulations. The Bill will give regulators more extensive enforcement powers, help the administration react more nimbly to emerging threats and expand the types of organization in scope of the legislation, including datacenters and MSPs.
Under the law, the government will have the power to order regulated entities to implement specific security improvements. A failure to download patches to address widely exploited vulnerabilities could lead to daily fines of £100,000 or 10 percent of turnover should a digital break-in occur.
“These new measures help undermine the criminal ecosystem that is causing harm across our economy,” said Jonathan Ellison, NCSC director of national resilience.
Ransomware criminals have disrupted numerous local councils over the past few years, crippling services for days or weeks on end. They've also created havoc at schools and contributed to a death in the NHS, as well as upending schedules for countless medical procedures.
The Plan for Change proposals mean commercial enterprises not covered by the ban on ransomware payments will still need to notify government of any intent to pay ransoms. These businesses will then be told they risk breaking the law by sending money to “sanctioned cyber criminal groups, many of whom are based in Russia,” the government said in a statement.
Mandatory reporting is another aspect under formation, intended to equip enforcement agencies with intelligence to catch the crews masterminding campaigns.
High-profile victims of cyber attacks in the private sector in 2025 included insurance giants, airlines, and well-known UK retail brands such as Marks & Spencer, Harrods, and Co-op.
Government advice is to prepare for the worst-case scenario, should it materialize, by maintaining offline backups, developing tried and tested plans to work without IT “for an extended period” and having a “well-rehearsed strategy for restoring systems from backups.”
Kev Breen, senior director of cyber threat intelligence at Immersive Labs, said of the government’s measures today: “If the option is to recover quickly by paying, versus not being able to recover because you’re banned from doing so, the temptation may be to pay and simply not report it.
“There are many moral considerations here. While it’s always easy to say ‘never pay,’ the reality is far murkier. Some organizations have paid ransom demands not to recover infrastructure, but to prevent the public release of large volumes of personally identifiable information (PII) – where the damage to individuals could be far greater than a service being offline.”