UK moves to ban public sector organizations from making ransom payments

The British government announced plans to prohibit public sector organizations and critical infrastructure operators from paying ransoms to cybercriminals, marking a significant shift in the nation’s approach to combating ransomware attacks that have disrupted essential services and cost the economy millions of pounds annually.
The proposed measures would prevent the National Health Service, local councils, schools and other public bodies from making payments to criminal groups, while requiring private businesses to notify authorities before paying any ransom demands. The government said the restrictions aim to undermine the business model that drives ransomware operations.
The measures also include plans for mandatory reporting requirements designed to provide law enforcement with intelligence to track perpetrators and disrupt their activities.
Ransomware attacks have affected a broad range of British institutions, from major retailers like Marks & Spencer to NHS hospitals and cultural institutions including the British Library, which suffered a devastating attack in October 2023 that destroyed its technology infrastructure.
The library continues to experience operational impacts more than a year after the initial breach. As a public body, it chose not to engage with attackers or pay the demanded ransom. The health service has faced particular scrutiny over ransomware incidents, with one NHS organization recently identifying such an attack as a contributing factor in a patient’s death.
UK Security Minister Dan Jarvis characterized ransomware as “a predatory crime that puts the public at risk,” while emphasizing the government’s intention to “smash the cyber criminal business model.”
“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” he said in a release.
The country’s National Cyber Security Centre emphasized that the new measures complement rather than replace the need for robust defensive practices. Organizations are still expected to maintain offline backups, develop continuity plans and strengthen their overall cybersecurity posture using established frameworks.
Implementation details and enforcement mechanisms for the proposed measures have not yet been fully specified. The government indicated the new rules form part of a broader “Plan for Change” addressing cyber threats, suggesting additional announcements may follow as the policy framework develops.
The effectiveness of payment restrictions in deterring ransomware attacks remains a subject of debate among cybersecurity experts. Some argue that removing the profit motive will reduce criminal interest in targets, while others caution that attackers may simply shift tactics toward data theft and extortion rather than system encryption.