
Government Ransomware Payment Ban Approved by UK Industry

The ransomware payment consultation finds favour among responses.


Public sector bodies and operators of critical national infrastructure are to be banned from paying ransomware demands.

Following a public consultation on ransomware, hospitals, businesses and critical services are to be protected under new measures, with public services such as the NHS, local councils and schools banned from making ransom payments.

The ban is intended to target the business model that funds cyber-criminals' activities and to make public services a less attractive target for ransomware groups.

Three Proposals

The consultation was opened at the start of this year, based around three proposals:

  • Proposal 1: A targeted ban on ransomware payments for all public sector bodies
  • Proposal 2: A new ransomware payment prevention regime
  • Proposal 3: A ransomware incident reporting regime

The government's consultation response, published today, sets out findings on each of the three proposals.

On the first proposal, described in the consultation as “A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of critical national infrastructure (that are regulated, or that have competent authorities),” 72% of respondents agreed that government should implement a targeted ban on ransomware payments for CNI owners and operators and the public sector, including local government.

Just over two thirds of respondents (68%) thought that a targeted ban would be effective in reducing the amount of money flowing to ransomware criminals, and so in reducing their income.

On the second proposal, on “a new ransomware payment prevention regime to cover all potential ransomware payments from the UK,” there were mixed views, but 47% supported an economy-wide payment prevention regime for all organisations and individuals not covered by the targeted ban.

Respondents also raised concerns about a threshold-based payment prevention regime, including the risk that criminals would shift their methods or targets to those outside the regime. A threshold approach would increase the potential for displacing attacks onto organisations not covered, and would likely create loopholes or shape business practices to avoid falling within any stated threshold.

The third proposal, “A ransomware incident reporting regime that could include a threshold-based mandatory reporting requirement for suspected victims of ransomware,” showed agreement among responses that a new mandatory reporting regime should be introduced.

Around three quarters of respondents thought that this economy-wide measure would be effective in increasing the Government's ability to understand the ransomware threat to the UK (79% net effective), and effective in increasing the Government's ability to tackle and respond to the ransomware threat in the UK (74% net effective).

Respondents also questioned whether individuals, as well as organisations, should be covered by the mandatory regime, noting the additional resource implications of a new reporting requirement and whether it would be reasonable to expect an individual to fulfil those obligations.

Intent to Pay

Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom. The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cyber criminal groups, many of whom are based in Russia.

Mandatory reporting is also being developed, which would equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities, allowing for better support for victims. Consultation responses showed strong support for a new mandatory reporting regime to better protect British organisations and industry.

A government statement said the new package of measures will lead the way in tackling ransomware, and follow an extensive consultation with stakeholders across the UK which showed strong public backing for tougher action to tackle ransomware and protect vital services.

Security Minister Dan Jarvis said the government is determined to smash the cyber-criminal business model, and protect the services we all rely on. “By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” he said.

Kev Breen, senior director of cyber threat intelligence at Immersive, said there are many moral considerations here. “While it's always easy to say ‘never pay’, the reality is far murkier. Some organisations have paid ransom demands not to recover infrastructure, but to prevent the public release of large volumes of personally identifiable information (PII) - where the damage to individuals could be far greater than a service being offline.

“This also doesn't address the underlying issue: cybersecurity is expensive. Both people and technology are becoming more costly, and cybersecurity teams are often viewed as loss-makers. They don’t generate revenue - only costs. It’s easy to overlook the hidden savings they provide in the event of an incident.”



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

