Aims to dismantle hacker business models
The UK government has unveiled a new policy to “smash the cybercriminal business model” by banning public sector organisations from paying ransoms.
The measure, announced on Tuesday by Home Office Security Minister Dan Jarvis, forms a central part of the country’s escalated cybersecurity strategy and comes amid mounting concerns over repeated and increasingly damaging cyberattacks on British infrastructure.
Under the proposed rules, public bodies, including the NHS, local councils and schools, will be explicitly prohibited from making ransom payments to cybercriminals.
In parallel, private companies will be legally required to inform government authorities if they intend to pay up, allowing officials to intervene, offer support and ensure that potential transactions do not breach laws surrounding sanctions.
The government’s objective, Jarvis said, is to “smash the cybercriminal business model” and send a unified message that “the UK is united in the fight against ransomware.”
Ransomware, malicious software that locks victims out of their own systems until they pay up, has become a leading form of cybercrime globally.
Criminals received over $1 billion in ransom payments in 2023 alone, according to industry estimates.
The UK has been no stranger to these assaults. The 2017 WannaCry ransomware outbreak disrupted hospitals across the NHS, delaying critical surgeries and treatments.
In 2023, the British Library refused to pay a ransom and suffered prolonged operational downtime.
A ransomware attack on NHS systems earlier this year was cited as a contributing factor in the death of a patient.
Retail giants such as Marks & Spencer and Co-op Group have also been targeted in a wave of attacks throughout 2025, further amplifying public alarm.
Strong support
The Home Office revealed that nearly 75% of responses to a public consultation backed the ban on public sector ransom payments.
The government has pledged to implement the measure across all operators of critical national infrastructure, ensuring that vital services are less susceptible to coercion.
Alongside the ban, officials are urging all UK organisations to prepare for the possibility of an attack by strengthening digital defences and operational resilience.
The government recommends that organisations maintain offline data backups, develop tested contingency plans for operating without IT systems and rehearse the process of restoring services from backup systems.
While the UK cannot legislate against cybercriminals operating overseas, particularly those sheltered by hostile regimes, the government hopes the new policy will make the country a less lucrative target.
Commenting on the proposed policy, Adenike (Nikki) Cosgrove, CMO and security strategist at Mimecast, said the move “sends a strong signal,” but is “only one piece of the puzzle.”
“The uncomfortable truth is that most ransomware attacks start with a human action: clicking a link, trusting the wrong source, or bypassing security controls.”
Nikki urged a shift-left mindset to prevent compromise in the first place, which is of course the goal for everyone.
Alex Laurie, SVP of global sales engineering and go-to-market programmes at Ping Identity, said the government’s move is “well-intentioned but complex.”
He added, “While it’s clear paying ransoms offers no guarantee of data recovery and may encourage future attacks, outright bans risk leaving under-resourced sectors dangerously exposed with few alternatives.”
However, Jonathan Wright, partner in the UK Data Privacy and Cybersecurity practice at law firm Hunton Andrews Kurth LLP, said making ransom payments illegal punishes the wrong people:
“While making ransom payments illegal removes the motive and in theory takes away the incentive for threat actors to launch ransomware attacks, you are also punishing the victims. It is also worth noting, of course, that threat actors have other means available to them and there will always be hacktivists and those acting for reasons other than money, so cyberattacks will continue.
“It is difficult to see how any law against paying ransom demands would be enforced. It doesn’t seem right that an organisation, victim of a ransomware attack having had files stolen, should then face sanctions (whether financial or administrative) for paying a ransom demand that may not even have resulted in it retrieving the stolen data!”