Ransomware has been described by the National Cyber Security Centre (NCSC) as the "most acute cyber threat for most businesses in the UK", and the annual volume of attacks is increasing as threat actors seek ever more lucrative returns. In response to the surging volume of ransomware incidents, the Home Office announced a series of proposals on 14 January 2025 to counter these threats, proposing a ban on public bodies and organisations classed as critical national infrastructure from making ransomware payments, a broader ransomware payment prevention framework, and a mandatory incident reporting regime. Notably, the government is considering criminal sanctions for non-compliance, and an "economy-wide" application[1] for the proposed ban and regimes, potentially covering all UK individuals and organisations regardless of organisational size or sector. This is subject to the outcome of a public consultation open until 8 April 2025, as the government seeks guidance on their implementation in terms of scope and proportionality. These three proposals are set out below.
The Home Office's Three Proposals:
- A targeted ban on ransomware payments for all public sector bodies and critical national infrastructure (CNI):
In response to the potential for serious harm to public welfare and the wider economy (notably the 2024 NHS incident) where ransomware actors target public organisations and CNI, the Home Office has proposed banning all such organisations from making ransom payments, aiming to "strike at the heart of the cybercrime business model" by reducing the incentive for cybercriminals to target public and essential services, given that their targets would not be able to pay them. Such a ban is already in effect for government departments; under the new proposal, all public sector bodies (e.g. local councils and schools) as well as private sector operators of CNI (regulated entities, including but not limited to utility providers, energy producers, transport and healthcare, parts of digital infrastructure and potentially managed service providers[2]) and potentially essential suppliers to those sectors, would be prohibited from paying cyber extortionists. The proposed ban currently focuses on public bodies and CNI, although the government also offers responders to the consultation the option of a complete ban across all UK businesses.
- A ransomware payment prevention and disclosure regime:
This regime aims to offer advice and guidance to ransomware victims not in scope of the targeted ban before they decide how to respond, focused on offering "non-payment resolution options" even though such victims would remain legally free to pay. The Home Office is also seeking to give itself the authority to assess potential payments before the completion of transactions, and to block them in certain circumstances, e.g. if they are directed to known criminal groups or sanctioned entities. In order for the government to assess and block certain payments under the payment prevention regime, a new legal duty to disclose an intention to make a ransom payment would be imposed on businesses.
- A mandatory reporting regime for ransomware incidents:
The Home Office seeks to implement the previously proposed mandatory ransomware reporting regime, a key part of the Cyber Security and Resilience Bill, which is set to be introduced into Parliament in the near future. This, combined with the ransomware payment disclosure regime, is intended to give the government significantly better data, as currently many ransomware incidents (and payment decisions) go unreported. The hope is this will enable authorities such as the National Crime Agency and NCSC to maximise their intelligence-gathering capabilities to establish the true scale of the ransomware threat, and target their investigations and operations on the most prolific and damaging groups.
Implications for UK Public Bodies, Businesses and Individuals
The proposals outlined by the Home Office could impose significant compliance and operational challenges for public bodies, businesses, and/or individuals across the UK. While the Home Office emphasises "proportionality" in the consultation paper, the proposed measures, if taken to their most extreme, would prevent significant parts of the economy from paying ransoms. While eliminating ransomware crime is a worthy goal, proponents of bans have faced counterarguments that blanket bans risk causing unintended consequences in the form of extensive and prolonged disruption to critical services, in the event of a successful attack where payment is not an option. The hope from the government will be that without the legal option for payment, ransomware criminals will stop targeting organisations subject to the ban at all; an assumption which has yet to be tested.
In addition, the proposed ransom reporting regime adds another layer of obligatory reporting, exacerbating the strain on organisations already grappling with resource constraints, criminal threats, and regulatory demands. It is a welcome development that the government acknowledges this concern, stating in the consultation paper that "the intent is to ensure that UK victims are only required to report an individual ransomware incident once, as far as possible", and that it would work to ensure that incident reporting requirements in the upcoming Cyber Security and Resilience Bill are "aligned and complementary" and not duplicative.
It is also worth noting that financially motivated ransomware attacks are only one source of threat faced by public bodies and CNI providers. In a challenging geopolitical environment, the threat of state-backed cyber attacks, particularly against essential services, is increasing. Such attacks often seek to extract sensitive information, cause damage and disruption, or have political impacts, and are unlikely to be affected by a ban on ransom payments.
Conclusion
- The government appears to be shifting away from a reactive stance on ransomware to a more proactive and preventive approach, emphasising early intervention, transparency through mandatory reporting, and stringent measures to limit payments, in the hope that this deters attacks.
- The open consultation will play a critical role in defining thresholds and categories for mandatory incident reporting and ransomware payment disclosure, ensuring that the obligations strike a balance between capturing relevant incidents and avoiding undue burdens on businesses.
- The effectiveness of these measures will also depend on the clarity of reporting mechanisms, and disclosure obligations in respect of organisations not subject to the ban who intend to make payments. For example, the government is seeking guidance on whether a certain threshold for such obligations should be set (e.g. based on the size of organisation and/or the size of ransom demand).
- The idea of banning ransom payments is not new and has been the subject of debate by nation states and international bodies for some time (see related article); but to date very few have adopted bans in law. We expect that the benefits and risks of a ban on payments will be subject to significant debate as this consultation, and ultimately any legislative enactments, progress.
For further details about the consultation and how to participate, see Ransomware: proposals to increase incident reporting and reduce payments to criminals (deadline: 8 April 2025).
[1] In the consultation paper, "economy-wide" is taken to mean applicable to any individual or organisation in the UK who suspects they are a victim of a ransomware attack, regardless of organisational size or sector.
[2] The previous government announced plans to bring MSPs within the ambit of the NIS Regulations covering critical national infrastructure.
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.