UK Moves to Ban Ransomware Payments for Public Sector – Ankor Tech
The U.K. government has launched a formal consultation on new proposals to prohibit public sector organizations and critical infrastructure providers from paying ransoms to cybercriminals. This strategic move aims to dismantle the financial incentives that drive the global ransomware industry.

Targeting the Ransomware Business Model

The Home Office proposal outlines a “targeted ban” designed to cut off the revenue streams essential for criminal operations. Under these measures, public sector entities—including local councils, schools, and NHS trusts—would be legally barred from meeting hacker demands. The government asserts that by removing the possibility of payment, it can effectively strike at the heart of the cybercriminal business model.

The initiative expands beyond the public sector, proposing to make it a criminal offense for critical infrastructure organizations, such as those in energy and communications, to issue payments during a ransomware event. While U.K. government departments are already restricted from paying ransomware gangs, this would formalize and extend the prohibition across vital national services.

Response to Rising Cyber Threats

The legislative push follows a series of devastating cyberattacks on the U.K. public sector. Last year, the NHS declared a “critical” incident after an attack on pathology lab provider Synnovis. The breach resulted in widespread operational disruption, including the cancellation of surgeries and the diversion of emergency patients.

Recent data highlighted by Bloomberg reveals that the Synnovis attack directly impacted patient health, with at least two cases resulting in long-term or permanent damage. Security Minister Dan Jarvis emphasized the urgency of the situation, noting that with approximately $1 billion flowing to ransomware criminals globally in 2023, cutting off their financial pipeline is a national security imperative.

New Reporting and Oversight Requirements

In addition to the payment ban, the government is introducing a mandatory reporting regime for all ransomware incidents. Organizations not covered by the ban would still be required to report attacks to the authorities. Furthermore, the government intends to implement a program to block payments to sanctioned entities, giving authorities the power to intervene directly in financial transactions involving known criminal groups.

The Scale of the Challenge

Official data from the Home Office indicates that the U.K.’s National Cyber Security Centre managed 430 cyber incidents in the year ending August 2024. Of these, 13 were classified as “nationally significant” ransomware attacks, largely attributed to Russia-affiliated criminal gangs. These groups continue to pose an immediate threat to the nation’s core infrastructure.

The National Crime Agency has intensified its efforts against these actors, recently unmasking an alleged affiliate of the prolific LockBit ransomware group in October 2024. LockBit remains a primary concern, having previously been linked to high-profile attacks on NHS IT vendors like Advanced.

The current consultation period is scheduled to conclude in April 2025. While the U.K. has not yet confirmed when these measures will be introduced to Parliament, the proposal aligns with broader international efforts; in October 2023, a U.S.-led coalition of over 40 countries pledged to refuse ransom payments in an attempt to starve hackers of their income.