Scotland’s fortnightly political & current affairs magazine

by Sofia Villegas
22 July 2025
UK Government to ban public bodies from making ransomware payments

The government will take forward a ban on ransomware payments following public consultation | Alamy

The UK Government is planning to ban public sector organisations from paying ransoms to cybercriminals, the security minister has confirmed.

Dan Jarvis unveiled the proposal as part of a set of measures to “smash the cybercriminal model” and make vital services a less attractive target for ransomware groups.    

Almost three-quarters of responses to a consultation backed the proposal to introduce a ban, the government said.

Ransomware is a type of malware used by cybercriminals to lock a victim out of their computer system, usually by encrypting data, until a ransom is paid.

The NHS, local councils and schools are among the organisations set to be blocked from caving in to cash demands, while businesses not covered by the ban will be required to notify the government of any intent to pay a ransom.

The Home Office said these businesses would then receive advice and support from the government, “including notifying them if any such payment would risk breaking the law by sending money to sanctioned cybercriminal groups, many of whom are based in Russia”.

The new proposals follow on from a string of high-profile ransomware attacks across the UK. Earlier this year, a cyber campaign targeting major British retailers crippled M&S online services and led to cybercriminals seizing data belonging to all 6.5 million Co-op members.

And last month, an investigation found last year’s cyber hit on the King’s College Hospital NHS Foundation Trust was a contributory factor leading to a patient’s unexpected death.

North of the border, West Lothian Council has confirmed cybercriminals stole “personal and sensitive” data during a ransomware attack on its education network in May. 

Jarvis said: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. 

“That’s why we’re determined to smash the cybercriminal business model and protect the services we all rely on as we deliver our Plan for Change. 

“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”

The government is also planning to introduce mandatory reporting to help authorities “hunt down perpetrators and disrupt their activities”, the Home Office said.  

The National Cyber Security Centre’s director of national resilience Jonathon Ellison said: “These new measures help undermine the criminal ecosystem that is causing harm across our economy.

“Ransomware remains a serious and evolving threat, and organisations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”
