
UK Government Weighs Ban on Public Sector Ransomware Payments

“To pay or not to pay” has been a hotly debated topic since ransomware spiked about 10 years ago, and to date most governments have fallen on the side of allowing payments at the lower or more municipal levels. That may change in the United Kingdom, at least for its public sector entities. A new proposal from the Home Office would prevent the NHS as well as schools and local councils from making ransomware payments, and certain limitations would also be put on private companies in what has been described as “the most significant intervention against ransomware by any national government to date.”

UK’s tighter restrictions on ransomware payments would include new reporting requirements

In addition to forbidding the national health service and local governments from making ransomware payments, the proposal would reach beyond the public sector. Private operators of critical infrastructure would also be forbidden from paying ransoms under the new Home Office proposal. And if sanctioned entities or state-backed hackers are involved, any ransomware payments must be reported to the government and are subject to being blocked.

Required reporting of ransomware attacks would also be greatly expanded under the new terms, for both the public and private sector. The rules bring impacted entities in line with existing terms for national government agencies, which are already forbidden from making payments.

The move comes after several years of hackers showing increased interest in lower-level public sector targets, primarily due to a perception of poor defense and ease of access. NHS hospitals have particularly been a popular target as of late, highlighted by a June 2024 attack on the London-based Synnovis pathology lab. That attack threw patient services into chaos for some time with a rash of cancelled appointments and the loss of a substantial amount of sensitive patient data.

The Home Office proposals are on the schedule for discussion during a 12-week consultation that will run until April 8. Any one of these individual terms could ultimately be adopted on its own, for example an expansion of reporting requirements without any additional bans on ransomware payments. An adoption of the strongest terms, those banning payments across the public sector, would be the first such regulation put in place among the world’s largest economies. It is still unclear how these discussions will ultimately shake out, but the public sector ban does appear to have the support of the UK National Cyber Security Centre (NCSC) based on recent statements from its CEO. But there has been pushback from some other elements of the government such as the Institute for Security and Technology’s Ransomware Task Force, whose co-chair Jen Ellis has said that it is unrealistic to attempt to force all organizations to be resilient against ransomware attacks.

Public sector attacks increase internationally

Ransomware attackers have shown a great deal more interest in hospitals and patient care facilities around the world over the past few years, primarily due to the perception that they cannot afford not to pay a ransom (even if they are not as well-resourced as other potential targets). Some have opted not to make ransomware payments, however, instead soldiering on by returning to pen-and-paper methods for days or even weeks while recovery from backups is underway. But the other side of this argument is illustrated by the deaths caused by ransomware, nearly all attributable to an attack disrupting patient services at an inopportune time.

The UK has seen this risk with the attacks on the NHS, but has also fielded quite a few less potentially lethal but nevertheless publicly disruptive attacks: shutdowns due to ransomware have occurred at the Royal Mail, British Library, and Bristol Airport among others. Attacks on the public sector are becoming more popular and frequent around the world, as evidenced by spikes in recent years in the US of both attacks on hospitals and on smaller local government entities that often struggle to maintain adequate IT support.

Dr. Darren Williams, Founder and CEO of BlackFog, expands on this trend: “Ransomware gangs, like most criminals, are highly motivated by profit and tend to gravitate towards targets that are more likely to pay up. But paying up often doesn’t pay off. At the end of the day you are negotiating with criminals who are unlikely to uphold their end of the deal, and in many cases they go further than leaking stolen data by targeting the same victim a short time later. Organisations in the public sector are often a soft target for attacks due to insufficient cybersecurity budgets and a reliance on antiquated technologies. There is no doubt that a ban on ransom payments would make ransomware less appealing to criminals, but firms need to get their house in order first by ensuring they have effective modern security solutions in place to defend against attacks.”

Though attacks are both more frequent and more risky, and show no signs of slowing, there has been little further movement toward banning ransomware payments outside of the UK. The primary argument is that smaller organizations simply cannot be expected to spend enough on defenses to rule out an attack, or to be able to financially recover after an incident. There is also concern that outlawing ransomware payments would simply push victims to cut contact entirely with law enforcement and engage in even riskier forms of payment that offer no hope of recovery.

There is something of an international push toward more stringent reporting requirements, however. Australia’s new Cyber Security Act introduced terms in late 2024 that require both private and public sector organizations to report incidents when they rise past a certain threshold of damages. In the US, determinations about public sector ransomware payments have been largely left to the states and some of these have implemented their own rules restricting government entities. But the federal government has gradually put new reporting requirements on organizations involved with critical infrastructure, which includes 16 sectors of industry in total.