Savannah Herald

UK could ban ransomware payments by public sector organizations and critical infrastructure companies


In brief: In an attempt to tackle the problem of hackers extorting money from them, the UK is considering banning public sector and critical infrastructure organizations from making ransomware payments. The government says stopping hospitals, councils, schools, and more from handing over the ransoms would “strike at the heart of the cybercriminal business model.”

The UK Home Office launched a consultation this week to protect hospitals, railways and public services from ransomware attacks. Expanding the existing ban on ransomware payments by government departments to include public sector bodies such as NHS trusts and critical national infrastructure is one of the proposals being considered.

Another proposal is a ransomware prevention regime that will increase the National Crime Agency’s (NCA) awareness of the attacks and demands. This will also provide victims with advice before they respond, and could block payments to sanctioned groups or foreign states – it is illegal to pay ransoms if the victim knows or suspects that the proceeds are going to a terrorist organisation.

The Home Office is also proposing mandatory reporting of ransomware incidents by private organizations.

The idea, of course, is that if a victim is unable to pay a ransomware hacker for a decryption key or their stolen data, the criminals will have no incentive to target such organizations.

“With an estimated $1bn flowing to ransomware criminals globally in 2023, it is vital we act to protect national security,” said security minister, Dan Jarvis. “These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.”

The proposal comes after a ransomware attack last year against pathology lab company Synnovis forced major London hospitals to cancel or delay their healthcare services and led to a breach of sensitive personal data. Over 800 planned operations and 700 outpatient appointments were rescheduled, and the restoration of full services took several months. Bloomberg reports that dozens of patients were caused harm as a direct result of the attack, resulting in long-term or permanent health damage in at least two cases.

The NCA managed 430 cyber incidents between September 2023 and August 2024, including 13 ransomware incidents that were deemed to be nationally significant and posed serious harm to essential services or the wider economy.

The consultation ends in April 2025. There’s no guarantee that what’s being proposed will become law. Australia announced that it was considering a ban on ransomware payments in 2022, and while it did introduce a mandatory reporting obligation for businesses, there is still no blanket ban.

Despite a crackdown on groups such as LockBit, global ransomware attacks increased in 2024.

Masthead: Sebastiaan Stam
