UK plans to ban public sector bodies from making ransomware payments


31/07/2025 | Updated on 31/07/2025

The UK government is planning to ban public sector bodies and operators of national critical infrastructure from paying ransom demands to cyber attackers.

This would include hospitals, local councils and schools.

The planned measure follows public consultation and the government said “the ban would target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups”.    

Ransomware is software used maliciously by cyber criminals to access victims’ computer systems. Systems and data can be encrypted, or data stolen, until a ransom is paid. Ransomware is estimated to cost the UK economy millions of pounds each year and presents operational, financial and safety risks.

A ransomware attack in June 2024 on Synnovis, the pathology services provider for several major London NHS trusts, caused widespread disruption, delaying over 10,000 outpatient appointments and nearly 1,700 elective procedures at King’s College Hospital and Guy’s & St Thomas’ NHS trusts.

Following an investigation, King’s College Hospital NHS Trust confirmed in June 2025 that one patient “died unexpectedly” during the incident, citing multiple contributing factors, including a long wait for a blood test result due to the cyber-attack impacting pathology services at the time.

An October 2020 ransomware attack on Hackney Council in London is reported to have cost the council over £12m and disrupted council services for months.

Breaking the business model

Security minister Dan Jarvis said: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. 

“That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. 

“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”

Under the plans, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom.

The Home Office said: “The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cybercriminal groups, many of whom are based in Russia.”

A mandatory reporting system is also being developed to provide law enforcement with essential information to track down attackers and support victims.

Pros and cons of banning ransomware payments

The government said that three-quarters (72%) of consultation respondents backed a ban on ransomware payments for public sector bodies and operators of national critical infrastructure.

Just over two-thirds of respondents (68%) thought a targeted ban would be effective in reducing the amount of money flowing to ransomware criminals. Six in ten (60%) said that a targeted ban would be effective in deterring cyber criminals from attacking those organisations subject to the ban.

However, some have concerns.

“While banning organisations from providing ransomware payouts sounds good in theory, it is a disaster in practice,” said Allie Mellen, principal analyst at Forrester.

“If an organisation is paying a ransom, it is because they have no other option, not because they want to. While it’s unfortunate that ransomware payouts happen, the better effort should be spent on supporting organisations in protecting against these kinds of attacks. We absolutely recommend discouraging paying the ransom, but to ban it outright is unrealistic and detrimental to the organisations they look to protect.”
