The UK Home Office has announced a proposal that would make it illegal for public sector organizations and critical national infrastructure operators to pay ransomware demands. The initiative aims to cut off the payments that fund cybercrime targeting essential services.
Under the proposed legislation, the existing ban on ransomware payments by government departments would extend to all public sector entities, including hospitals, schools, local councils, and organizations operating critical national infrastructure.
The Home Office has opened a three-month consultation period ending in April 2025 to gather feedback on three key proposals:
- A complete ban on ransomware payments for public sector bodies and critical infrastructure operators
- A new payment prevention regime under which organizations not covered by the ban would have to notify the government of an intended ransomware payment before making it, giving authorities the opportunity to advise against it or block a payment that would go to a sanctioned group
- A mandatory incident reporting requirement obliging victims to report ransomware attacks to the government within 72 hours
Security Minister Dan Jarvis emphasized the urgency of the measure, citing that criminal organizations collected an estimated $1 billion globally from ransomware attacks in 2023.
The proposal follows several high-profile incidents, including a devastating attack on Synnovis, a pathology lab company serving London hospitals. This incident led to the cancellation of over 800 planned operations and 700 outpatient appointments, with some patients suffering long-term health impacts.
According to the National Cyber Security Centre (NCSC), ransomware remains the most immediate and disruptive threat to the UK's critical infrastructure. Between September 2023 and August 2024, the NCSC's incident management team handled 430 cyber incidents, 13 of which were ransomware attacks classified as nationally significant.
The government's strategy is to deter cybercriminals by removing the financial incentive to target these organizations: if a payment cannot legally be made, the sector becomes a less attractive target. Some experts question whether the approach could instead lead attackers to hit these institutions more aggressively in order to make examples of them. A ban also only works in practice if the affected organizations can recover without paying, which means tested offline backups, rehearsed restoration procedures, and incident response plans that do not treat payment as a fallback option.
If implemented, these measures would represent one of the most comprehensive attempts globally to regulate ransomware payments and combat cybercrime targeting essential services.