Ransomware payments prohibition for specific UK organizations, encompassing public sector entities and operators of critical national infrastructure.

Certain tiers of UK organizations are potentially facing a prohibition on settling ransomware demands.

UK imposes ban on ransomware payment settlements for select organizations; affected entities include public sector bodies and operators of critical national infrastructure.

The UK Government has proposed a targeted ban on ransomware payments for public sector bodies and operators of critical national infrastructure, such as the NHS, local councils, schools, and energy sectors [1][2][3][4]. This move is part of a broader strategy to combat ransomware, which has exposed vulnerabilities in public and private institutions, including flagship British retailers, essential supermarkets, and NHS hospitals [4].

The proposed ban aims to make ransomware attacks less profitable and critical public services less attractive targets [1][2]. It requires businesses planning to pay a ransom to notify the UK government for advice and support before making the payment [2][3][4]. The government will also provide guidance on whether a ransom payment would violate sanctions on Russia [2][3][4].

In addition to the ban, the UK government is also considering a mandatory reporting policy for ransomware attacks [3][4]. Victims would be required to submit reports with key incident details within 72 hours after an attack, followed by a more detailed report within 28 days [3][4].

These measures follow an extensive consultation with stakeholders across the UK, which showed strong public backing for tougher action to tackle ransomware and protect vital services [1]. The goal is to disrupt the cybercriminal business model and equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities [1][2].

Security Minister Dan Jarvis has emphasized the government's commitment to "smash the cyber criminal business model" and work closely with industry partners to advance these measures [2][3][4]. As of late July 2025, these proposals are still under development following consultation feedback, and formal legislation or enforcement mechanisms have not been fully finalized or enacted yet [1].

Ransomware attacks have cost the UK billions of pounds, and one of the most notable incidents was the shutdown of a 158-year-old UK company, resulting in the loss of 700 jobs [4]. A ransomware attack was also identified as one of the factors contributing to a patient's death in an NHS organization [4].

The proposed measures are designed to make it more difficult for ransomware attacks to occur in the UK without risking law enforcement's ire [1][2]. The UK and Singapore previously discouraged paying ransomware demands in January 2024 [4]. However, the proposed ban on ransom payments does not guarantee the end of an incident or the removal of malicious software from systems [4]. It also does not guarantee the return of data [4].

In conclusion, the UK government is taking significant steps to combat ransomware by proposing a targeted ban on ransom payments for public sector bodies and critical infrastructure operators. These measures aim to protect vital services, disrupt the cybercriminal business model, and equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities.

  1. The UK Government's proposed ban on ransomware payments is part of a broader policy and legislation effort aimed at combating ransomware and reducing the appeal of critical public services as targets for attacks.
  2. In the wake of ransomware attacks costing the UK billions and posing threats to essential services like hospitals and energy sectors, the government is also considering a mandatory reporting policy for ransomware incidents to gather more data and empower law enforcement in their pursuit of cybercriminals.
