As the consultation comes to a close on April 8th, what is being proposed, how realistic is it, and what might the legislation look like in practice?
In January, the UK government proposed a set of measures to help thwart ransomware, including a ban on payments for public sector bodies and critical national infrastructure (CNI) organisations. Three months later, the government’s consultation is coming to a close, after which it is hoped a set of measures will be created to reduce the amount of money flowing to ransomware criminals from the UK.
The proposed ban comes alongside proposals to help prevent payments among all sectors, and an incident reporting regime.
There’s no doubt ransomware is a problem that crosses borders. With this in mind, experts say a UK-only payment ban would not have a satisfactory impact. At the same time, a payment ban isn’t a practical solution for many sectors that need to keep operations up and running in critical scenarios.
So, as the consultation comes to a close on April 8, what is being proposed, how realistic is it, and what might the legislation look like in practice?
The Proposals
The current proposal in the UK looks at three ideas for tackling ransomware attacks: a targeted ban on ransomware payments for CNI and the public sector, a ransomware payment prevention regime, and a ransomware incident reporting regime.
For businesses and individuals not covered by the full ban, the government is suggesting a new system where victims must report ransomware attacks and their intention to pay before doing so, says Ron Moscona, partner at law firm Dorsey & Whitney. “This would give the government an opportunity to provide guidance to victims of attacks and to block the payment, for example, if they suspect it would be used to fund terrorism or sanctioned individuals.”
Plans for incident reporting currently suggest an initial report should be made within 72 hours, with a full review to follow within 28 days. This would help public authorities monitor the criminal activity landscape, including which organisations are being targeted and how much is being demanded in ransom payments, says Moscona.
A Good Idea in Theory
Many experts think a ban is a good idea in theory, but they say the reality could present challenges. Banning ransomware payments is unlikely to stop UK organisations falling victim, says Anthony Young, CEO at Bridewell.
“Cyber-criminals aren’t always targeted in their approach and often launch ransomware campaigns indiscriminately, impacting thousands of organisations with no regard for their location or the legality of ransomware payments,” Young explains. “Since UK organisations will form part of these campaigns in either scenario, a ban on ransomware payments would only prevent them from making that last resort choice to pay if there’s no other option available.”
David Dunn, EMEA head of cybersecurity at FTI Consulting, agrees. He thinks attempting to enforce a UK-specific ban without coordinated geopolitical collaboration would be “highly complex” and “largely ineffective”.
“Attackers would likely continue to exploit regulatory gaps, making the ban insufficient as a standalone measure,” he says.
Stopping ransom payments altogether is “ambitious”, says Casey Ellis, founder of Bugcrowd. While it could reduce the profitability of ransomware over time, it also puts targeted bodies in “a tough spot”, he says. “For some, paying the ransom could be the only way to recover critical operations, especially if backups fail or downtime costs are catastrophic.”
Mandatory reporting is more achievable, but it requires trust, he says. “Businesses may fear reputational damage or increased regulatory scrutiny, which could deter them from reporting unless there are strong assurances of confidentiality and support.”
Reprimanded by Government
With a possible ban impending, firms will be wondering whether they would be reprimanded by the government for paying a ransom under the new rules. At the moment, businesses must already report qualifying personal data breaches to the UK Information Commissioner's Office (ICO) in accordance with the UK General Data Protection Regulation (UK GDPR), says Dunn.
Additionally, they could be required to submit notifications under the Network and Information Systems Regulations 2018 (NIS Regulations) or the Privacy and Electronic Communications Regulations (PECR).
At present, the interaction between the proposals and these existing obligations “is not fully clear”, says Dunn. “However, it is expected that any enforcement would likely be handled as a civil matter, primarily under the jurisdiction of regulatory authorities such as the ICO, rather than through the courts.”
If the ban on paying ransoms is implemented and an organisation pays anyway, it could “theoretically face penalties from the government”, says Darren Thomson, field CTO EMEAI at Commvault.
However, enforcing this might become complicated, he concedes. “The UK government has revealed it is navigating the right balance of effective and proportionate measures to ensure compliance with the ban. This ranges from criminal penalties, such as making non-compliance a criminal offence, to civil penalties, where a monetary penalty may be given.”
The duress under which payments are made, especially for public bodies or businesses with “extremely confidential data” such as patents, might also be considered in how the legislation is enforced, he says.
The proposed ban and reporting requirements have noble intentions, but it’s likely the resulting legislation will have a lighter approach. While paying ransoms is always undesirable, as it directly funds cybercrime, it’s “never a black and white choice”, says Young.
As such, he thinks the UK government is unlikely to implement a blanket ban on paying ransoms. “This doesn’t reflect the morally challenging and nuanced situations organisations find themselves in,” he says.
Instead, he thinks the proposal is more likely to be that victim organisations should consult with the National Cyber Security Centre (NCSC) about their specific situation and whether paying the ransom is the least harmful choice available. “Under this approach, the NCSC will have a better view of the scale of ransomware incidents in the UK and potentially be able to offer alternative solutions.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist