UK Plans Ransomware Payment Ban for Public Services in Bold Cybersecurity Move

The United Kingdom government has launched a consultation on proposed legislation that would prohibit public sector organizations from making ransomware payments to cybercriminals.

The ban would extend beyond government departments to encompass hospitals, schools, railways, local councils, and other public services. The move aims to discourage cybercriminals by making these institutions less appealing targets.

Under the proposed framework, the National Crime Agency (NCA) would gain expanded oversight of ongoing cyber incidents. This would allow them to better guide victims and block payments to identified criminal networks.

Security Minister Dan Jarvis pointed to the growing threat, noting that the global ransomware market reached $1 billion in 2023. "This is a step to hit cybercriminals in their wallets and safeguard businesses and jobs," he stated.

The proposal includes establishing a mandatory incident reporting system to help law enforcement disrupt attacks and monitor emerging threats. It aligns with international efforts like Operation Cronos, which recently dismantled the LockBit ransomware network.

However, security experts have raised concerns about implementation challenges. Ilia Sotnikov from Netwrix highlighted potential moral dilemmas, particularly in healthcare settings where lives could be at risk. He suggested following banking sector models that focus on risk reduction rather than outright payment bans.

Similar initiatives have emerged globally. North Carolina and Florida have enacted laws preventing certain state agencies from paying ransoms. Australia opted for a different approach, implementing mandatory reporting requirements for businesses with annual turnover exceeding AUD $3 million rather than imposing an outright ban.

The National Cyber Security Centre advises organizations to strengthen their defenses through frameworks like Cyber Essentials and develop robust recovery plans while the consultation process continues.