The Home Office proposes ransomware payment prevention regime among new measures.
The UK government has opened a consultation on countering the issue of ransomware infections, and banning ransomware payments for public sector bodies and CNI firms.
The consultation paper from the Home Office, which also proposes mandatory reporting of ransomware incidents, sets out three “immediate, overarching objectives”. The first is to reduce the amount of money flowing to ransomware criminals from the UK; the second is to increase the ability of operational agencies to disrupt and investigate ransomware actors by improving intelligence on the ransomware payment landscape.
The third is to enhance the Government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level.
Seeking Feedback
The Home Office said it is seeking feedback on the proposals before any movement on their implementation. “The key aim of these proposals is to protect UK businesses, citizens and CNI, whether UK owned or not,” the paper said.
“This consultation will tackle difficult questions about victim behaviour during a cyber incident; how much information can and should be shared with UK authorities; and if and when it is appropriate to pay a ransom.”
The three proposals include:
A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure, that are regulated, or that have competent authorities.
A new ransomware payment prevention regime to cover all potential ransomware payments from the UK.
A ransomware incident reporting regime that could include a threshold-based mandatory reporting requirement for suspected victims of ransomware.
Claiming that the proposed measures “reflect the seriousness with which ransomware is taken by this Government and reflects an ambition to drastically reduce the harm” caused to UK prosperity and security by ransomware attacks, the Home Office is welcoming responses from organisations with global and multinational structures to ensure that the UK is protected.
Avoid Burdens
The paper also states that the consultation is intended to ensure UK victims are required to report an individual ransomware incident only once, to avoid unnecessary burdens.
The Home Office will also work with the Department for Science, Innovation and Technology to ensure that these proposals - and those in the upcoming Cyber Security and Resilience Bill - are aligned and complementary.
Edward Lewis, CEO of CyXcel, said: “There is no doubt that there are lots of positives that could come from these new proposals, including an increased spotlight on ransomware generally; a clear message to ransomware gangs that the UK is not an easy target for cybercrime; and a refocus within industry on the importance of having robust cyber security controls and implementing proactive defence measures, as opposed to businesses being too reliant on cyber insurance as something of a ‘safety net’ in the event of an incident.
“However, the proposals do also come with the risk of unintended consequences. For example, there is a risk that a ban on ransomware payments ends up penalising the wrong people, with some smaller organisations who may lack the resources to respond effectively ending up going out of business without the option of paying ransoms.
“Equally, a mandatory reporting regime could expose victims to reputational damage if matters are not handled confidentially and information about intended payments becomes public knowledge. It will therefore be interesting to see how industry responds to these proposals and whether the Government continues to refine the proposals as a result.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.