Proposals to Ban Ransomware Payments Rumoured

Affected businesses will also be required to report incidents.

A major overhaul of how the UK responds to ransomware attacks is being considered, with a public consultation due next month.

According to The Record, all ransomware victims will be required to report incidents to the government, while a complete ban on ransom payments for organizations involved with critical national infrastructure will be put in place.

Sources told the news outlet that the mandatory reporting requirement would help illuminate the true scale of the problem. It is not yet clear how the process would work, however, as there are concerns that in some cases the reporting process could delay recovery and potentially increase the harm and disruption caused by a ransomware attack.

However, with the public consultation yet to begin, and such consultations typically taking 12 weeks, a potential change of government later this year could result in any new bills either being passed in a ‘wash up’ or being revised by a new government.

Former NCSC head Ciaran Martin has talked about the need to ban ransomware payments, while research released this week found that the threat of ransomware was one of the biggest drivers in cyber spending.

No Quick Fix?

Laurie Mercer, security architect at HackerOne, said: “Enforcing a ransomware payment ban is like banning smoking - you know it’s good for society in the long run but in the short term, it is difficult to stop getting a quick fix.”

He said that the pros of banning ransomware payments are that it removes an incentive for criminal activity and is a morally sound choice; the cons are that in the short term, this will result in an increase in data breaches, PII leaks, and the destruction of hardware and software assets when the payment demands are not met.

Mercer believes that many UK organisations lack the resources to defend against these attacks. “One way to offset the risk of ransomware attacks is to counteract the ransomware incentive model for a vulnerability rewards incentive model,” he said. “Public bug bounty programs incentivise white hat hackers to highlight gaps in your defences that can be exploited by ransomware gangs. To stop yourself from being hacked, you might need to work with hackers.”

Chris Denbigh-White, CSO at Next DLP, agreed, saying the only answer to tackling ransomware is systemic change, and that organisations should focus on building up controls and committing to doing the important but routine security jobs. “For organisations wishing to avoid having to splash the cash, the answer lies in ensuring basic cybersecurity principles are followed,” he said.

Denbigh-White also said while the dream is that making ransomware payments illegal would make cybercriminals pack up their ransom bags and go away, in the real world, when a criminal gang’s revenue stream is threatened, their efforts tend to intensify not diminish, at least in the short term.

“Banning specific areas of the industry from paying ransoms will also potentially lead to an increased targeting of those industries not in scope of the rules,” he said. “If definitions are created to determine which companies should or should not pay ransomware demands, those that are legally allowed to do so will become the favoured targets.”


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.