Ransomware attacks remain a persistent danger to businesses. And according to the National Cyber Security Centre’s (NCSC) Annual Review 2024, these attacks continue to pose the most immediate and disruptive threat to the UK’s critical national infrastructure.
The Government’s initiative to widen the ransomware payment ban to public sector organisations, the NHS, schools, councils, and critical infrastructure providers, to make them unattractive to cybercriminals, is a daring move in fighting cybercrime. For too long, ransomware operators have benefitted from a “pay-and-forget” culture, reaping profits with little consequence.
Cutting off the financial incentives is a significant move. But will this ban stop the attacks?
The ransomware payment ban: The proposals
The Home Office is currently carrying out a three-month consultation on three proposals. The first is a targeted ban on ransom payments for public sector organisations and critical national infrastructure providers. The second is a requirement for private organisations to report payment intentions before proceeding. The third is mandatory incident reporting for all victims, which would enhance the intelligence available to UK law enforcement agencies. This will enable law enforcement to identify emerging ransomware threats and focus their investigations on the most active and harmful ransomware groups.
While these proposals aim to deter attacks and improve intelligence-sharing, they also present issues.
The government hopes that a complete, although targeted, ban on ransom payments for public sector organisations will remove the financial motivation for cybercriminals. However, without adequate investment in resilience, these organisations may be unable to recover as quickly as they need to, putting essential services at risk.
Many NHS healthcare providers and local councils are already dealing with outdated infrastructure and cybersecurity staff shortages. If they are expected to withstand ransomware attacks without the option of paying, they must be given the resources, funding, and support to defend themselves and recover effectively.
Short-term wins; long-term losses
A payment ban may disrupt criminal operations in the short term. However, it doesn’t address the root of the issue – the attacks will persist, and vulnerable systems remain an open door. Cybercriminals are adaptive. If one revenue stream is blocked, they’ll find other ways to exploit weaknesses, whether through data theft, extortion, or targeting less-regulated entities.
The requirement for private organisations to report payment intentions before proceeding aims to help authorities track ransomware trends. However, this approach risks delaying essential decisions in high-pressure situations. During a ransomware crisis, people need to make decisions in a matter of hours, if not minutes. Adding bureaucratic hurdles to these critical moments could exacerbate operational chaos.
Similarly, if an organisation needs urgent access to its systems to maintain critical services, a delay caused by regulatory reporting could increase the damage. There is also the possibility that some businesses may avoid disclosure, undermining the intended benefits of the policy. Also, who foots the bill for the operational chaos if payment is denied?
Mandatory reporting of ransomware incidents is also an important step in building a clearer understanding of the threat landscape. However, fears remain about how organisations will respond. Many may be concerned about regulatory scrutiny or reputational damage which could lead to underreporting. If this policy is to be effective, the government must ensure that reporting mechanisms offer practical support rather than retributive consequences.
Resilience is essential
Resilience is the key here. Rather than focusing solely on banning payments and implementing regulatory reporting, organisations should prioritise preventing attacks and ensuring they have robust recovery strategies. However, without the right funding and support, under-resourced organisations won’t just struggle to prevent attacks, they’ll also flounder in recovery.
Leveraging a framework like ISO 27001 has proven effective in bolstering defences and preparing organisations for worst-case scenarios.
This framework helps organisations integrate security into their daily operations rather than treating it as a second thought. Public sector bodies can strengthen their defences by systematically identifying vulnerabilities and reducing the likelihood of falling victim to an attack. ISO 27001’s emphasis on regular testing and monitoring ensures that threats are detected early, limiting the potential damage.
One of the most critical aspects of resilience is business continuity. ISO 27001 places significant focus on incident response planning, ensuring that organisations have a clear and tested strategy for restoring services. This is especially key for public sector organisations that cannot afford extended disruption. By having a set recovery plan, organisations can avoid the difficult decision of whether to pay a ransom simply to get back online.
Yet many public sector bodies simply lack the staffing, expertise, or funding to adopt these strategies at scale. Without significant investment in cyber resilience, the ban might feel like the Government is tying public sector organisations’ hands behind their backs.
So, if this ban comes into effect, what other options does the Government have to support and help public sector organisations?
Additional initiatives
The government, instead of relying on overstretched and underfunded bodies to manage ransomware response on their own, could assist with developing cyber expertise and supporting these businesses. One way to do this is to enhance the UK Cyber Cluster Collaboration (UKC3) initiative. This would increase the support these regional cybersecurity support hubs can offer by pooling cybersecurity professionals to assist multiple councils, schools, or NHS trusts rather than each trying (and failing) to build their own team.
Similarly, the government could establish a Cyber Civil Defence initiative that engages vetted cybersecurity professionals who volunteer to assist in national or regional cyber emergencies, much as voluntary organisations such as St John Ambulance support emergency response. This could be structured as a public-private partnership, tapping into the expertise of private-sector security firms that handle ransomware incidents.
Public sector bodies also often face slow, bureaucratic procurement processes that prevent them from quickly obtaining the necessary cybersecurity tools. The government could create pre-approved cybersecurity solution frameworks (similar to the G-Cloud procurement model), allowing organisations to deploy vetted security solutions rapidly without red tape.
Ultimately, the government’s ambition is commendable, but ambition without actionable support risks failure. If this ban is to succeed, it must be paired with tangible investments in cybersecurity for the public sector: grants for modernising infrastructure, workforce training, and robust incident response resources.
Cyber resilience should be a fundamental component of organisational operations rather than merely an afterthought or compliance exercise. Without this, the ban could fail, penalising victims while allowing attackers to remain unaffected.