But 99% of respondents supported a ban nonetheless
The government is moving ahead with measures to ban public sector bodies and critical national infrastructure organisations from paying ransoms. But new research suggests that most business leaders would break such a ban if it were imposed on them.
New research from cyber resilience firm Commvault reveals that 75% of UK business leaders would risk criminal charges and break a ban on ransomware payments if one were in place for the private sector.
A government consultation on ransomware payment concluded last month. In addition to an outright ban on public sector or critical national infrastructure (CNI) providers making ransomware payments, a second proposal involved organisations and individuals that fall victim to ransomware having to, essentially, ask permission from the government.
All affected individuals and organisations (bar the previously mentioned public sector and CNI organisations) would be required to notify the authorities of their intention to make a ransomware payment within 72 hours of the ransom demand before sending funds to the criminals responsible, to be followed with a full report within 28 days. The authorities would then review the notification to determine whether the proposed ransomware payment should be blocked.
Payments would be blocked on grounds such as sanctions designations or a likelihood that the payment would fund terrorism.
The consultation document also briefly discussed the possibility of imposing criminal and/or civil penalties for non-compliance.
The Commvault research of UK business leaders from £100 million+ companies found that 96% of those leaders believe payments should be banned across both public and private sectors. However, 75% also admit that if a ban were extended to the private sector, they would still pay a ransom if it were the only way to save their organisation, regardless of a possible civil or criminal sanction.
Only 10% said they would comply with the law in the event of an attack. A further 15% said they would be neither likely nor unlikely to comply. This suggests that while respondents think the ban is a good idea on paper and makes sense for government agencies, if their own company’s survival is at stake, all bets are off.
Of those who support a proposed payment ban, more than a third (34%) believe it would lead to increased government support and intervention to safeguard cyber resilience. Another third (33%) believe that it would decrease the prevalence of attacks by reducing the incentive for attackers, which is one of the central aims of the ban.
The research reflects a growing awareness of the vast amount of money being extracted from the legitimate economy by ransomware and cybercrime. The attacks on the retail sector earlier this year helped to boost that awareness further.
The latest Cyber Security Breaches Survey 2025 stated that over four in ten (43%) UK businesses (equating to approximately 612,000 UK businesses) reported having experienced any kind of cyber security breach or attack in the last 12 months.
The fact is that even if companies do quietly pay up, there is no guarantee that data will be unlocked and not leaked (or stolen by another group) at a future date. Victims of ransomware are negotiating with criminals.
“Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again,” said Darren Thomson, Field CTO EMEAI, Commvault. “A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing. Without that, more organisations could find themselves exposed at the worst possible moment, with no viable path to recovery.”
Jonathan Wright, partner in the UK Data Privacy and Cybersecurity practice at Hunton Andrews Kurth LLP, welcomes the focus on improving cyber resilience, but cautions against victim blaming and unintended consequences of very tight payment restrictions.
He says: “While making ransom payments illegal removes the motive and in theory takes away the incentive for threat actors to launch ransomware attacks, you are also punishing the victims. It is also worth noting of course that threat actors have other means available to them and there will always be hacktivists and those acting for reasons other than money so cyber-attacks will continue.
“It is difficult to see how any law against paying ransom demands would be enforced. It doesn’t seem right that an organisation, the victim of a ransomware attack that has had its files stolen, should then face sanctions (whether financial or administrative) for paying a ransom demand that may not even have resulted in it retrieving the stolen data.”