UK to ban ransom payments by public bodies

Published On: July 23, 2025. Last Updated: November 13, 2025

The UK government plans to ban public bodies from paying ransoms to hackers, while private companies must inform authorities if they intend to meet ransom demands.

The measures were announced on Tuesday by Home Office security minister Dan Jarvis and are intended to signal to cybercriminals that the UK is united in its stance against ransomware – malicious software that locks data until a payment is made.

The plan follows major ransomware attacks on the British Library in 2023 and NHS hospitals in London last summer.

Jonathon Ellison, director of national resilience at the National Cyber Security Centre, said ransomware “remains a serious and evolving threat, and organisations must not become complacent”.

He said: “These new measures help undermine the criminal ecosystem that is causing harm across our economy.

“All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”

Nearly three-quarters of consultation responses backed the proposal, which would prohibit public sector bodies and operators of critical national infrastructure – including the NHS, local councils and schools – from paying ransom demands.

Industry estimates suggest ransomware gangs received more than US$1bn (£741m) globally from victims in 2023.

However, Alan Woodward, a computer security expert at the Surrey Centre for Cyber Security, noted that UK public authorities are not known to pay.

He said the new measures appear designed to make the UK’s position clearer to cybercriminal groups, including well-known offenders such as LockBit and Evil Corp.

Woodward said: “Some of the criminals may not know this and so communicating this could be valuable in that hackers will read that there is no point in attacking.

“I am not sure it will change anything in practice, but it puts everyone on notice so there can be no confusion.”

Businesses not covered by the ban would be required to notify the government if they intend to pay a ransom.

The Home Office said it could then offer advice, including alerts if any payment risks breaching the law by funding sanctioned cybercriminal groups, many of which are based in Russia.

Jarvis said: “By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”

He added that the aim was to “smash the cybercriminal business model”.

Consultation documents stated: “This type of crime only works if the potential victims are willing to pay the ransom that the gangs demand.

“Academic research suggests that criminals operating in this area will assess the level of ransom they can set, and the profit they will expect to make, against the probability that the victim will pay.”
