TechCrunch News, January 14
UK plans to ban public sector organizations from paying ransomware hackers

 

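The U.K. government is considering banning public sector and critical infrastructure organizations from paying ransoms in order to combat cybercrime. Under the proposal, public bodies such as local councils, schools and NHS trusts would be banned from making payments to ransomware hackers, a move intended to cut off cybercriminals' source of funding. The U.K. public sector has previously suffered multiple cyberattacks; among them, the cyberattack on NHS pathology lab provider Synnovis led to the leak of a large amount of patient data and disrupted medical services. The new proposals would also ban critical infrastructure organizations, such as those in energy and communications, from paying ransoms, and would require victims not covered by the ban to report incidents to the government. The government would also have the power to block ransom payments to sanctioned entities. The U.K. government hopes these measures will address the ransomware threat and cut off the funding chain of criminal networks.

🚫 The U.K. government proposes banning public sector bodies, such as local councils, schools and NHS trusts, from paying ransoms to ransomware hackers, aiming to strike directly at the business model of cybercrime.

🚨 Critical infrastructure organizations, including businesses in the energy and communications sectors, would also be banned from paying ransoms, to reduce their vulnerability to cyberattacks.

📢 The U.K. also plans to establish a mandatory ransomware incident reporting regime, requiring victims not covered by the ban to report cyberattack incidents to the government.

🔒 The government would have the power to block ransom payments to sanctioned entities, to prevent funds from flowing to organizations that may threaten national security.

🇷🇺 The U.K. government noted that many cyberattack incidents are linked to Russia-affiliated criminal gangs, which pose a direct threat to the U.K.'s critical infrastructure.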

U.K. public sector and critical infrastructure organizations could be banned from making ransom payments under new proposals from the U.K. government. 

The U.K.’s Home Office launched a consultation on Tuesday that proposes a “targeted ban” on ransomware payments. Under the proposal, public sector bodies — including local councils, schools, and NHS trusts — would be banned from making payments to ransomware hackers, which the government says would “strike at the heart of the cybercriminal business model.” 

This government proposal comes after a wave of cyberattacks targeting the U.K. public sector. The NHS last year declared a “critical” incident following a cyberattack on pathology lab provider Synnovis, which led to a massive data breach of sensitive patient data and months of disruption, including canceled operations and the diversion of emergency patients. According to new data seen by Bloomberg, the cyberattack on Synnovis resulted in harm to dozens of patients, leading to long-term or permanent damage to their health in at least two cases. 

The newly outlined U.K. government proposals would also make it a criminal offense for critical infrastructure organizations, such as businesses in the energy and communications sectors, to make ransom payments in the event of a ransomware attack. U.K. government departments are already banned from paying ransomware gangs. 

The U.K. proposals also detail a new mandatory reporting regime for ransomware incidents, which would require that cyberattack victims who are not covered by the ban report the incident to the government. Another proposal suggests a program aimed at preventing the payment of ransoms to sanctioned entities, which the government will have the power to block. 

Security minister Dan Jarvis said: “With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this government’s Plan for Change is built.

“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate,” said Jarvis.

According to data shared by the Home Office on Tuesday, the U.K.’s National Cyber Security Center managed 430 cyber incidents over the year ending August 2024, including 13 “nationally significant” ransomware incidents. These were carried out “largely by Russia-affiliated criminal gangs,” the Home Office said, which continue to pose an “immediate and disruptive threat” to the U.K.’s critical national infrastructure. 

The U.K.’s National Crime Agency took action against one of these gangs in October 2024, unmasking an alleged affiliate of the prolific Russia-linked LockBit ransomware group. LockBit was linked to an earlier cyberattack on NHS IT vendor Advanced.

The U.K. did not say if it plans to bring the measure before lawmakers in Parliament. The Home Office’s consultation is set to end in April 2025.

In the United States, the federal government has long urged against paying ransom demands but has stopped short of imposing an outright national ban on ransom payments. However, in October 2023, a U.S.-led alliance of more than 40 countries vowed as governments not to pay ransoms to cybercriminals in a bid to starve the hackers of their source of income.
