SecurityWeek

UK Considers Banning Ransomware Payment by Public Sector and CNI

Since no technical means have been found to curtail criminal extortion through prevention or attack, the new proposal is to eliminate its profitability.

The UK government has introduced a consultation process (running until April 8, 2025) for a proposed ban on ransomware payments by the public sector, and by owners and operators of regulated critical national infrastructure (CNI).

The ban on paying ransoms is coupled with more stringent reporting requirements. Organizations outside the ban, and legally able to pay a ransom, would be required to report the intention to pay that ransom before making any payment. The suggestion is that this will increase ransomware intelligence gathering, but it equally exerts non-legal pressure on these organizations to decline to pay.

The intent is clear. Since no technical means have been found to curtail criminal extortion through prevention or attack, the new proposal is to eliminate its profitability. If criminals cannot benefit from the attack, they have no incentive to carry out the attack. It’s a modern variant of the siege attack – we’ll starve the enemy into submission.

Since this is a consultation (PDF) period, there is no guarantee which proposals, if any, will eventually become law. For example, the difficult area of health services is given no special treatment. Health is one of the UK’s 13 sectors classified as CNI, and would (within the consultation proposals) be unable to pay a ransom – even if patients’ lives depend upon it. Is this what the government intends, or is it an area in which it genuinely seeks public opinion?

What is interesting, however, is that the proposal seems to follow the US blueprint. The federal government does not have carte blanche in imposing blanket national regulations. Instead, it requires federal agencies and regulated industries (the US CNI) to abide by its proposals – and then allows a trickle-down process to get these requirements voluntarily adopted by the rest of industry.

The UK government proposals are similar: regulate where it is easier to regulate, and hope everyone else will follow suit. 

This consultation document does not tell us what will happen – but it is worth noting that consultations in the past have had little effect on the original proposals.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
