UK Moves to Ban Public Sector Ransomware Payments in Landmark Cybersecurity Push

The United Kingdom is taking a bold step to combat cybercrime by proposing legislation that would prohibit public sector organizations from paying ransoms to hackers. The Home Office announced a consultation on Tuesday outlining plans for a "targeted ban" affecting local councils, schools, NHS trusts, and critical infrastructure organizations.

The proposed ban aims to disrupt the financial incentives driving cybercriminal operations. Under the new rules, it would become illegal for public bodies and critical infrastructure companies in sectors like energy and communications to pay ransoms following cyberattacks.

This initiative follows several devastating cyberattacks on UK public services. A notable incident involved pathology lab provider Synnovis, which led to a major breach of sensitive patient data, disrupted medical operations, and caused permanent health damage to some patients.

The proposal includes mandatory reporting requirements for ransomware victims not covered by the payment ban. Additionally, the government would gain powers to block ransom payments to sanctioned entities through a new prevention program.

Security Minister Dan Jarvis highlighted the scale of the threat, noting that ransomware criminals collected an estimated $1 billion globally in 2023. The UK's National Cyber Security Centre handled 430 cyber incidents in the year ending August 2024, including 13 major ransomware attacks, primarily attributed to Russia-affiliated criminal groups.

The Home Office's consultation period will continue until April 2025. While UK government departments already operate under a ransom payment ban, this expansion would mark a comprehensive approach to combating ransomware threats.

This move aligns with international efforts to combat ransomware. In October 2023, over 40 countries, led by the United States, pledged not to pay ransoms to cybercriminals, aiming to cut off their primary revenue stream.