The UK government wants to know if any private sector entities extorted by cyber crooks intend to pay a ransom, so that authorities can provide apt support and guidance to help dismantle the business model that fuels cyber criminals. For the public sector? There could be a complete ban.
In an assertive move against the escalating global threat of ransomware, the UK government has unveiled a comprehensive strategy aimed at significantly disrupting cyber criminal operations. Building on extensive public consultation, new legislative proposals seek to reduce payments to criminals and drastically increase incident reporting, positioning the UK at the forefront of the international fight against this pervasive form of cybercrime.
Ransomware, defined as the “greatest of all serious and organised cyber crime threats,” poses a “risk to the UK’s national security.” The financial losses, intellectual property theft, service disruption, and reputational damage inflicted by these attacks reflect an urgent need for robust countermeasures.
The UK’s Three-Pronged Legislative Attack
The Home Office’s proposals, developed after a 12-week consultation period (January 14 to April 8, 2025), represent the first specific measures in UK law to counter ransomware. They are designed to be a “targeted and proportionate response” that complements existing resilience efforts by agencies like the National Cyber Security Centre (NCSC).
The three core proposals are:
A Targeted Ban on Ransomware Payments for Critical Entities
This measure proposes to prohibit ransomware payments for owners and operators of regulated Critical National Infrastructure (CNI) and all public sector bodies, including local government. The aim is to remove financial incentives for attackers, reduce their revenue streams, and make UK organizations financially unattractive targets.
Consultation feedback revealed strong support, with nearly three-quarters (72%) of respondents agreeing with the implementation of such a ban. Notably, CNI and public sector respondents showed even higher agreement (82%). The government is committed to defining the scope and application of this ban, including potential extraterritorial effects.
A New Ransomware Payment Prevention Regime
This proposal seeks to cover all potential ransomware payments originating from the UK. While consultation feedback on this regime was mixed, an “economy-wide payment prevention regime for all organisations and individuals not covered by the targeted ban” garnered the most support (47%). This approach aims to reduce the overall flow of money to criminals.
Concerns were raised regarding potential thresholds inadvertently shifting attacks to non-covered entities. The government acknowledges these complexities and is exploring liability across the proposals, particularly concerning financial institutions.
A Mandatory Incident Reporting Regime
This measure would introduce a mandatory requirement for suspected ransomware victims to report incidents to the government. An initial report would be required within 72 hours of an attack, followed by a more in-depth report within 28 days. The objective is to enhance the government’s understanding of the ransomware threat’s scale, type, and source, aiding intelligence gathering, resilience building, and targeted disruptions.
An “economy-wide mandatory reporting requirement for all organisations and individuals” received the highest support (63%) compared to the current voluntary system. Three-quarters of respondents deemed the 72-hour initial reporting timeframe reasonable.
Late last year, Australia introduced a similar 72-hour reporting mandate; it was widely expected, though it drew some disagreement from certain sections of the expert community.
Consultation Highlights and Future Outlook
The consultation process saw significant engagement, with 273 responses received, largely positive and constructive. Key cross-cutting themes emerged, including the need for clear guidance, proportionate penalties (with concerns about re-victimizing victims), and robust support for organizations impacted by attacks. Respondents also emphasized the importance of improving overall cyber awareness and resilience, including updating IT systems and strengthening incident response mechanisms.
The UK government views these proposals as part of a wider, holistic approach to combatting cyber threats. It intends to continue collaborating with industry and will publish additional guidance alongside any new legislation to clarify scope, penalties, and support mechanisms. This comprehensive and collaborative strategy aims to solidify the UK’s leadership in an ever-evolving digital threat landscape.