UK Bans Ransomware Payments for Public Sector & Critical Infrastructure

Summary
– The UK government is proceeding with a ban on ransomware payments by public sector and critical national infrastructure organizations to deter cyberattacks.
– The ban follows strong public support from a 2025 consultation and aims to protect essential services like hospitals and schools.
– Businesses not covered by the ban must notify the government before paying ransoms, which could be illegal if sent to sanctioned groups.
– The government will also introduce mandatory ransomware reporting to improve intelligence for law enforcement and international operations.
– Experts warn the ban may create a two-tier system, push attacks underground, or discourage reporting, citing similar issues in Italy.
The UK has officially moved forward with plans to prohibit ransomware payments for public sector organizations and critical national infrastructure (CNI), marking a significant shift in cybersecurity policy. This decision comes after overwhelming public support during a consultation period earlier this year, with roughly 75% of respondents backing the proposal. The ban aims to reduce the appeal of targeting essential services like healthcare, education, and transportation by cutting off a primary revenue stream for cybercriminals.
Recent ransomware attacks have disrupted numerous public institutions, including local governments and NHS facilities. In response, NHS England recently called on suppliers to strengthen their cybersecurity measures, citing the growing threat of ransomware as “endemic.” While private businesses won’t face an outright ban, they will be required to inform the government before making any ransom payments. Authorities will then provide guidance, including warnings about potential legal consequences if funds are directed toward sanctioned hacking groups.
Security Minister Dan Jarvis emphasized the government’s stance, calling ransomware a “predatory crime” that endangers public safety and critical services. He stressed that the new measures are part of a broader strategy to dismantle cybercriminal operations while safeguarding vital infrastructure.
Alongside the payment ban, the UK plans to introduce mandatory reporting for ransomware incidents. This system, which received strong backing during consultations, is designed to improve intelligence-gathering for law enforcement and support international efforts to combat ransomware networks.
However, cybersecurity experts have raised concerns about potential unintended consequences. Some warn the policy could create a “two-tier system,” where organizations not covered by the ban become more frequent targets. Others fear victims may resort to covert payments through intermediaries or misclassify attacks to avoid penalties.
Kev Breen, a senior cyber threat intelligence director, questioned whether the ban might discourage reporting altogether. He pointed out that if paying a ransom remains the quickest recovery option, some businesses might choose secrecy over compliance. Similarly, Mark Jones, a legal expert, highlighted findings from Italy, where ransomware payments are already illegal, showing that 43% of organizations still admit to paying ransoms despite the prohibition.
The UK’s approach reflects a growing global effort to disrupt ransomware economics, but its success will depend on balancing enforcement with practical realities faced by targeted organizations.
(Source: InfoSecurity Magazine)