Schools, the NHS and local councils will be banned from making ransomware payments under government proposals to tackle hackers.
In a crackdown on such cyber-attacks, operators of critical national infrastructure will be barred from bowing to demands when criminal gangs hold IT systems hostage.
Payouts by private companies will have to be reported to the government and could be blocked if they are made to sanctioned groups or foreign states. Reporting ransomware attacks will also be made mandatory if the proposals become law.
The plans, described by one expert as “the most significant intervention against ransomware by any national government to date”, will bring other public bodies into line with government departments, which are already banned from making payments.
The Home Office consultation proposes a “targeted” ban that will bar all public sector bodies from making ransomware payments. Councils, schools and NHS trusts are among the many UK victims of ransomware attacks, where attackers encrypt a victim’s computer systems and extract data files. The assailants then demand a “ransom” payment, typically in cryptocurrency, to unlock the computers and return the data.
The ban will also apply to critical national infrastructure such as energy and transport networks. Government departments are already banned from paying ransomware gangs, who earned a record $1.1bn worldwide in 2023. Most operate from Russia or former Soviet states.
The security minister, Dan Jarvis, said: “With an estimated $1bn flowing to ransomware criminals globally in 2023, it is vital we act to protect national security.
“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.”
The proposals’ rationale is to make public sector and infrastructure organisations less appealing as targets for ransomware gangs.
They also include a new payment prevention regime, where victims not covered by the ban will be required to report their intention to pay to the government. The payment will then be assessed, and the government will have the power to block it.
Paying ransomware gangs is discouraged by UK authorities but it is not illegal, depending on who is being paid. The country’s data watchdog and National Cyber Security Centre clarified in 2022 that they did not encourage the payment of ransoms though they were not usually unlawful. It is illegal, however, to pay a ransom if you know or suspect that the proceeds are going to a terrorist organisation.
The third proposal is for a ransomware incident reporting regime which will require victims to report the incident within a mandatory period.
Jamie MacColl, a research fellow at the Royal United Services Institute, a defence and security thinktank, described the proposals as the “most significant intervention” by a government against ransomware gangs. He said requiring the reporting of attacks and of any intention to pay could disrupt criminals.
“The proposal to mandate reporting of ransomware incidents is sensible and will improve law enforcement’s ability to disrupt criminals,” he said. “By shining a light on organisations that pay, it may also cause some victims to think twice about paying a ransom.”
He added, however, that a selective payment ban might not work because ransomware outfits tend to be opportunistic and are not discerning enough to avoid specific sectors.