Critical infrastructure companies, local governments, schools and publicly funded entities like the NHS may soon be prevented from making ransomware payments under UK law.
The government proposal follows a six-month consultation period that began in January. Restrictions on ransomware payments have become common for central government agencies around the world, but it is still fairly rare to see them extended to the wider public sector or to local levels of government. The new UK rules would additionally require all businesses not covered by the ban to notify the government when they intend to make a ransomware payment, and they may be required to seek guidance on whether the payment would violate sanctions on cybercriminal groups.
UK adopts harder line on ransomware payments amidst string of high-profile breaches
The proposal follows assessments by both the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) that ransomware is a national security threat and the leading cybercrime threat that the country faces. This was in part spurred by a string of high-profile and damaging breaches going back to 2022, including the NHS, the Royal Mail and, more recently, a collection of the country’s biggest retailers.
It also follows a consultation period that stretched through the first half of the year. A commentary period running from 14 January to 8 April solicited input from the general public on the government’s proposals for handling ransomware payments. The proposals have been touted as an effort to “smash the business model” of ransomware, and the government says that about 75% of the responses during the commentary period were positive.
The government is advising impacted organizations to ensure that their backups are robust and that they have tested plans in place for restoring operations in the event of a ransomware attack. They should also have “worst-case” contingency plans in place for scenarios in which IT is unable to function for an extended period; the NHS has already experienced this with prior attacks that forced staff to revert to pen-and-paper record-keeping for a time, as have numerous other patient care facilities around the world.
The government has a point about ransomware not only presenting a risk to national security, but also to life and limb. A report that was published last month tied a 2024 ransomware attack on the King’s College Hospital NHS Foundation Trust directly to at least one loss of life, in which “unexpected” disruption of services (in this case blood test results) was found to have contributed to a patient’s otherwise potentially preventable death.
Ransomware payment rules just one part of tougher cybercrime approach
The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill. First announced about a year ago, the bill is now expected to enter Parliament sometime this year. It updates and strengthens the existing NIS 2018 regulations, expanding them to apply to additional types of digital services and supply chain service providers. It would also expand the ICO’s regulatory capabilities to give it more direct enforcement powers and would put a greater variety of entities under its direct watch.
The UK has experienced a long chain of major attacks that has informed this legislative push. The genesis of much of this was likely the 2022 attack on the NHS by the LockBit ransomware group, which caused extended service outages (one of the “pen and paper” periods mentioned above) and exposed the personal information of over 80,000 people. That incident was traced to a third-party software provider that was initially fined £6 million for failing to maintain adequate cybersecurity standards, later reduced to £3 million due to cooperation. In 2023, ransomware hit the British Library, with the attacker demanding a ransom payment of 20 bitcoin; the refusal to pay resulted in the dumping of 600 GB of stolen internal data. This too was traced to a compromise of a third-party contractor believed not to have been using multifactor authentication. An outage caused by a ransomware attack on the Royal Mail last year limited access to certain types of mail services for an extended period. And just a couple of months ago, major UK retailers like Marks & Spencer and Co-op were caught up in a ransomware and data theft campaign conducted by the notorious Scattered Spider group.
In between these incidents, other ransomware attacks have caused havoc with the systems of assorted schools and local councils. The UK government contends that all of this will come to an end if attackers believe that ransom payments are simply not available, but that plan also hinges on all impacted organizations being fully prepared. If attackers feel that targets are still vulnerable, they may well still launch attacks against them in the hope of forcing some sort of quiet backdoor payment instead.
Tj McClearin, CEO at Xcape, supports the general idea and believes it is ultimately on individual organizations to be prepared to make the system work: “I think the overall stance on ransomware is generally the right thing to do. In my experience, every time we’ve assisted an organization with navigating ransomware, we generally advise the same thing every time – Don’t pay the ransom. In every case, the ransomware group responsible takes the first payment as a sign that you have money to throw away at the problem and will likely be responsive to requests for more money. The FBI takes the same stance in dealing with ransomware in that they advise organizations never to pay the ransom for the same reasons. The issue with the UK’s approach is that it leaves some low hanging fruit with organizations that are in a particular sector or of a smaller size, leaving them the vulnerable targets. Like most criminal organizations, the target is always the lowest hanging fruit, so by leaving some organizations off the roster it opens targeted attacks to orgs that likely don’t have the resources to respond to an attack. The key takeaway here is that organizations worldwide should adopt a no response stance on ransomware and instead focus on testing their attack surface at a more regular cadence. These problems are solvable with more focus on attack surface vulnerability management.”