Unisami AI News

UK plans to ban public sector organizations from paying ransomware hackers

January 14, 2025 | by AI


U.K. Government Proposes Ban on Ransom Payments to Cybercriminals

The U.K. government is taking a bold step to combat cybercrime by considering a new regulation that would prohibit public sector and critical infrastructure organizations from making ransom payments. This proposal, initiated by the U.K.’s Home Office, aims to disrupt the business model of cybercriminals who rely on ransom payments as a primary source of income.

Targeted Ban on Ransom Payments

The proposed “targeted ban” would specifically apply to public sector entities such as local councils, schools, and NHS trusts. The government believes that banning these payments will effectively “strike at the heart of the cybercriminal business model” and reduce the incentive for hackers to target these organizations.

Impact of Cyberattacks on Public Sector

This proposal follows a series of damaging cyberattacks on the U.K.’s public sector. For instance, last year, the NHS declared a “critical” incident after a cyberattack on Synnovis, a pathology lab provider. The attack resulted in a significant breach of patient data, months of disruption, and harm to dozens of patients. In at least two cases, the harm was long-term or permanent.

Extending the Ban to Critical Infrastructure

The proposal also extends to critical infrastructure sectors, such as energy and communications, making it a criminal offense for these organizations to make ransom payments. This move aims to protect vital sectors from becoming lucrative targets for cybercriminals.

“With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this government’s Plan for Change is built,” said Security Minister Dan Jarvis.


Mandatory Reporting and Sanctions on Ransom Payments

The proposals include introducing a mandatory reporting regime for ransomware incidents. Organizations not covered by the ban would need to report any incidents to the government. Additionally, there is a suggestion for a program that would prevent payments to sanctioned entities, with the government having the authority to block such transactions.

A Broader International Context

While the U.K. considers these measures, it’s worth noting that similar actions are taking place internationally. In October 2023, over 40 countries vowed not to pay ransoms as part of an initiative led by the United States. This collective stance aims to cut off financial resources from cybercriminal networks globally.

Looking Ahead

The Home Office’s consultation on these proposals is set to conclude in April 2025. It remains unclear if these measures will be presented before Parliament for legislative approval. As cybersecurity threats continue to evolve, governments worldwide are seeking effective strategies to mitigate risks and protect their critical infrastructure from cybercriminals.


Image Credit: Altaf Shah on Pexels
