UK Confirms Ransomware Payment Ban for Public Sector and CNI

by CybrGPT

The UK government has confirmed it is pressing ahead with a proposed ban on ransomware payments by public sector and critical national infrastructure (CNI) organizations.

This follows three-quarters of respondents showing support for the proposals during a public consultation that was launched in January 2025.

The ban is designed to better protect essential public services, such as hospitals, schools and transport, from ransomware attacks by making them less attractive targets for cybercriminal groups.

Numerous UK public sector services have been impacted by ransomware in the past year, including local councils and hospitals. In May, NHS England urged its suppliers to commit to strong cybersecurity practices amid an “endemic” ransomware threat.

Businesses not covered by the ban will be required to notify the government of any intent to pay a ransom to attackers. The government will then offer advice and support to the victims, including informing them that making such a payment will risk breaking the law if the money is sent to sanctioned cybercriminal groups.

Security Minister Dan Jarvis commented: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cybercriminal business model and protect the services we all rely on as we deliver our Plan for Change.”


UK to Develop Mandatory Ransomware Reporting Regime

As part of the package of anti-ransomware measures, the UK government has also pledged to create a mandatory reporting regime for ransomware incidents.

The government said that strong support was expressed for such a system during the consultation.

Mandatory reporting aims to boost available intelligence on ransomware attacks for UK law enforcement agencies. This information can also be used to support international law enforcement operations targeting ransomware gangs.

Experts Express Skepticism for Proposals

Experts have highlighted concerns around the effectiveness of the government plans.

One is the risk of creating a “two-tier system,” in which businesses and entities not covered by the ban are exposed to increased targeting.

Another is the risk of pushing ransomware attacks further underground: victims who believe they have no alternative but to pay may find ways around the ban, such as using third-party intermediaries to handle payments.

Some organizations may also choose to mislabel ransomware attacks in order to avoid scrutiny or potential penalties.

Kev Breen, senior director of cyber threat intelligence at Immersive, warned: “A question we should consider with the new measurements: Is there a danger that this will push companies away from reporting? If the option is to recover quickly by paying, versus not being able to recover because you’re banned from doing so, the temptation may be to pay and simply not report it.”

Mark Jones, a partner in Payne Hicks Beach's dispute resolution team, noted that a survey in Italy, where paying ransomware actors is already illegal, showed that 43% of organizations still admit to making ransomware payments.

© 2025 cybrgpt.com – All rights reserved.