Editorial

Ransomware: UK to ban public sector from paying out

The UK is set to ban public sector bodies, including the NHS, local councils and schools, from paying ransom demands.

Posted 23 July 2025 by Christine Horton


The UK is set to ban public sector bodies and operators of critical national infrastructure (CNI), including the NHS, local councils and schools, from paying ransom demands.

It follows a public consultation on ransomware proposals, which saw nearly three quarters of respondents show support for the proposal.

Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom. The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cybercriminal groups, many of whom are based in Russia, it said.

Mandatory reporting is also being developed, which would equip law enforcement with intelligence to hunt down perpetrators. Consultation responses reportedly showed strong support for a new mandatory reporting regime to better protect British organisations and industry.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cybercriminal business model and protect the services we all rely on as we deliver our Plan for Change,” said security minister Dan Jarvis.

In addition to the proposed new measures, the government is urging organisations to strengthen their ability to maintain operations in the event of a successful ransomware attack. This includes having offline backups, tested plans to operate without IT for an extended period, and a well-rehearsed strategy for restoring systems from backups.

Cyber criminals have not only cost the nation billions of pounds but in some cases have brought essential services to a standstill.

One NHS organisation recently identified a ransomware attack as one of the factors that contributed to a patient’s death.

The British Library was also the victim of a ransomware attack in October 2023.

“The attack destroyed our technology infrastructure and continues to impact our users, however, as a public body, we did not engage with the attackers or pay the ransom. Instead, we are committed to sharing our experiences to help protect other institutions affected by cyber-crime and build collective resilience for the future,” said British Library chief executive Rebecca Lawrence.
