UK’s New Legislative Push on Ransomware Payments

On 14 January 2025, the Home Office launched a public consultation to explore measures targeting the growing ransomware threat in the UK. The consultation proposes three key actions:

  1. A ban on ransomware payments by public sector bodies and operators of Critical National Infrastructure (CNI), including energy, water, transport, health, and telecommunications.

  2. The creation of a ransomware payment prevention regime.

  3. The establishment of a ransomware incident reporting regime.

What is Ransomware?

Ransomware is a type of malicious software that locks victims out of their systems or steals data, demanding a ransom (often in cryptocurrency) for access or to prevent the data from being published. This definition aligns with those used by bodies such as ISO, ENISA, and NIST.

A high-profile example of ransomware’s impact is the 2017 WannaCry attack, which affected 230,000 computers in over 150 countries and caused an estimated $4 billion in damages.

The Ransomware Problem in the UK

Ransomware poses a major threat to the UK. The National Cyber Security Centre (NCSC) and the UK National Crime Agency (NCA) have both highlighted ransomware as the most serious cybercrime threat, particularly for CNI and national security. In 2023, ransomware incidents reported to the Information Commissioner’s Office (ICO) reached record highs, and the number of UK victims listed on ransomware leak sites doubled since 2022.

What Do the Proposals Aim to Achieve?

The proposals aim to:

  • Halt financial flows to ransomware criminals, reducing the incentive for attacks.

  • Enhance the UK’s ability to disrupt and investigate ransomware activity by improving intelligence on payment practices.

  • Strengthen the government’s understanding of ransomware threats to guide future policy and international collaboration.

Overview of the Proposals

Proposal 1: Ban on Ransomware Payments by Public Sector and CNI Operators
The government proposes extending the current ban on ransomware payments by central government departments to all public sector bodies and CNI operators. This includes critical sectors like energy, communications, and transport. The potential wider impact of this ban, such as increased risks to other entities or individuals, will be explored in future consultations.

Proposal 2: Ransomware Payment Prevention Regime
Organisations and individuals (excluding those covered by Proposal 1) would be required to notify authorities within 72 hours of receiving a ransomware demand. Authorities would assess whether the payment should be blocked, and penalties could be imposed for non-compliance. The proposal aims to discourage payments that might support criminal activities, though it may face criticism for holding victims accountable.

Proposal 3: Ransomware Incident Reporting Regime
Victims of ransomware attacks would be required to report incidents to authorities, regardless of whether they intend to pay the ransom. The government is considering whether this should apply across all sectors or only to larger organisations or those facing significant ransom demands.

Interaction with Existing Legislation
Many organisations may already be required to report breaches under GDPR or other regulations. The consultation doesn’t clarify how these new proposals would align with existing legal obligations but aims to ensure a coherent approach to ransomware reporting.
