January 22, 2025

UK Government Launches Consultation on Ransomware Payments

Businesses, Cybersecurity Experts and the Public Are Invited to Contribute Their Views

At a Glance

  • Reporting statistics maintained by the UK Information Commissioner’s Office show a significant increase in ransomware attacks. This reflects the global increase in “ransomware as a service (RaaS)” business models, where organised criminal groups provide malicious actors the necessary technical skills with access to malware in return for a cut of the ransom payment.
  • The consultation has three proposals for: a targeted ban on ransomware payments for all public sector bodies; a new ransomware payment prevention regime; and a ransomware incident reporting regime.
  • The consultation runs until 8 April 2025, and the UK government urges businesses, cybersecurity experts and the public to contribute their views. By gathering broad input, the UK aims to develop a comprehensive strategy that strengthens its cyber resilience and reduces the economic impact of ransomware attacks.

The UK government has launched a public consultation on proposed measures to combat ransomware — a growing cyber threat with serious economic and security implications — and seeks input from businesses, cybersecurity professionals and the public.

The consultation defines ransomware as malicious software that prevents a victim from accessing systems or data (including through encryption), impairs the use of systems or data, or facilitates the theft of data, and that demands a payment (normally in cryptocurrency) from the victim to restore access or to prevent publication of the data, which often includes personal data, intellectual property and sensitive commercial data.

Although there have been a number of high-profile attacks, including attacks on UK public sector bodies, ransomware attacks are widely underreported. Their impact is nonetheless severe, often compelling victims to pay ransoms to regain control of their data; however, paying only fuels further criminal activity. UK Home Office polling shows that more than two-thirds of the public oppose ransomware payments, recognising the risk of financing more cybercrime.

Reporting statistics maintained by the UK Information Commissioner’s Office show a significant increase in ransomware attacks. This reflects the global increase in “ransomware as a service (RaaS)” business models, where organised criminal groups provide malicious actors the necessary technical skills with access to malware in return for a cut of the ransom payment, and the UK government aims to develop a more effective strategy to disrupt these operations and bolster the UK’s cyber resilience.

Key Objectives

The UK Home Office has three key objectives in this area:

  1. To reduce the flow of money from the UK to ransomware criminals, discouraging them from targeting UK organisations.
  2. To strengthen the ability of law enforcement agencies to investigate and disrupt ransomware groups by improving intelligence on ransom payments.
  3. To deepen the UK government’s understanding of these threats to shape future policies, including through international collaboration.

Consultation Proposals

Proposal 1: A Targeted Ban on Ransomware Payments for All Public Sector Bodies

The first proposal suggests implementing a targeted ban on ransomware payments, across all public sector bodies, including local government and owners and operators of critical national infrastructure (CNI). This proposal expands on the existing principle that central government departments cannot make ransom payments, by extending the prohibition to all public sector entities in the UK. The UK Home Office is seeking feedback on whether essential suppliers to these sectors should also be included. This would extend the existing restriction on central government funds to all publicly funded bodies.

Many countries (including most EU member states, Canada, India, Singapore and the United States) have endorsed this principle through the Counter Ransomware Initiative Statement, expressing their commitment to refraining from making ransomware payments. The UK Home Office is also seeking feedback on how to strike the right balance of effective and proportionate measures to ensure compliance with the proposed ban. Potential approaches include criminal penalties, such as making violations a criminal offence, or civil penalties, such as fines or disqualification from board positions. The inevitable downside of any sector-based initiative is that malicious activity would simply be diverted to other sectors that have fewer rules in respect of ransomware payments. This approach also presupposes that ransomware attacks are specifically targeted, when many attacks are victim-agnostic: attackers move from one potential victim to another, focusing on their inherent vulnerabilities rather than the sector in which they operate. Conversely, some attackers will still seek to attack UK public sector bodies for nonfinancial motives, particularly where the attackers are backed by organised crime or malicious state actors.

Proposal 2: A New Ransomware Payment Prevention Regime

The second proposal is a ransomware payment prevention regime to cover all potential ransomware payments from the UK. This would require victims (both individuals and organisations not covered under other proposals) to report their intent to pay a ransom before making the payment. Once reported, victims would receive support and guidance on alternative responses, and authorities would assess whether the payment should be blocked, for example, if it risks funding sanctioned criminals or violating terrorism financing laws. If no legal barriers exist, the final decision to proceed would rest with the victim.

Beyond influencing victim behaviour, this proposal aims to improve intelligence on ransomware payments, helping law enforcement agencies disrupt cybercriminal operations and support major investigations, such as those targeting groups like LockBit and Evil Corp. By implementing this approach, the UK government hopes to reduce the financial incentives for ransomware attackers and strengthen the UK’s cybersecurity resilience. Much would depend on the speed and efficiency of any such system, to ensure that ransomware victims are not stuck in impossible situations.

Proposal 3: A Ransomware Incident Reporting Regime

The third proposal is the introduction of a mandatory ransomware incident reporting requirement for suspected victims. This aims to improve understanding of ransomware threats, ensure effective interventions, support organisations in building resilience and enhance law enforcement intelligence to disrupt cybercriminals. The UK government is consulting stakeholders on whether the requirement should apply economy-wide or only to certain organisations and individuals meeting a threshold. Reporting would be required regardless of whether a ransom is paid, and victims outside the mandatory scope would still be encouraged to report incidents voluntarily.

Next Steps

Apart from the practical consequences for businesses of each of these proposals, the consultation raises some interesting public policy issues, particularly how to prevent the proceeds of such attacks from being used for nefarious purposes, including financing terrorism. The consultation runs until 8 April 2025, and the UK government urges businesses, cybersecurity experts and the public to contribute their views. By gathering broad input, the UK aims to develop a comprehensive strategy that strengthens its cyber resilience and reduces the economic impact of ransomware attacks.