UK Proposes Ransomware Payment Ban For Critical Sectors, But Experts Warn Of Blind Spots


The UK government is preparing to outlaw ransomware payments by public sector and critical national infrastructure (CNI) organisations.

This is part of a broader plan to cut off funding streams to cybercriminals and shrink the attack surface across the economy. The move follows a 12-week public consultation and lands as ransomware continues to dominate the national threat landscape.

The July 2025 response paper outlines the government’s intention: to deter attacks by making targeted organisations less lucrative, while bolstering visibility through mandatory reporting. Critics and supporters alike agree that this is a significant step. But whether it hits the right targets is another matter.

A Direct Strike at Criminal Revenue

The central proposal is simple: a legal ban on ransomware payments for public sector bodies and CNI operators. That includes local councils, health authorities, utilities, and transport infrastructure. These are essential services, and therefore attractive, high-leverage targets for extortionists.

Support is strong. Of the 273 consultation responses, 72% backed the targeted ban. Among CNI and public sector respondents, support climbed to 82%. The logic is straightforward: if these institutions stop paying, they become less appealing targets. Fewer payouts, fewer attacks. Or so the theory goes.

Tj McClearin, CEO of Xcape, supports the approach but sees gaps. “Every time we’ve assisted an organisation with navigating ransomware, we advise the same thing: don’t pay. The first payment signals to attackers that you’re willing to deal. They often come back for more.”

Still, McClearin cautions that the policy may leave “low-hanging fruit” exposed. “By leaving some organisations off the roster (especially smaller ones with fewer resources) you shift the threat. Criminals will adapt.”

That adaptation is already happening.

Ransomware Without the Malware

Ransomware gangs are increasingly skipping the encryption phase altogether. Instead, they steal sensitive data and threaten to leak it if demands aren’t met. It is still extortion, but it skirts technical definitions of ransomware that hinge on encryption.

Dray Agha, senior manager of security operations at Huntress, sees a loophole forming. “Would the ban also apply to data theft extortion or is it only if malicious encryption occurred?” he asks. “Public sector payments might stop, but private firms remain exposed. The reputational and legal risks are still there, and many will quietly pay.”

Agha stresses education as a more enduring defence. “A security-aware workforce repels many attacks. Good password hygiene, MFA, and phishing awareness are critical. But government action shouldn’t stop there. Dismantling criminal infrastructure, seizing crypto, and working with global law enforcement are equally vital.”

The Wider Net: Prevention and Reporting

Alongside the targeted ban, the government floated the idea of a broader ransomware payment prevention regime. One version (Measure 1) would apply across the UK economy. But this idea was divisive. Just 47% supported it.

Respondents cited enforcement challenges, risk displacement, and loopholes. Some feared attackers would simply pivot to softer targets outside the ban’s reach, like charities, SMEs, or individuals. Others warned that an economy-wide regime could criminalise victims and create confusion around thresholds and exemptions.

Ben Hutchison, Associate Principal Security Consultant at Black Duck, struck a cautionary tone. “Existing advice is to treat ransomware like any other extortion: don’t engage. But banning payments only impacts victims. If people feel desperate enough, they’ll still try to pay. I find it difficult to condone making life harder for victims instead of perpetrators.”

He adds, “These funds are handed to criminals and may fund further harm. Limiting this stream matters, but without broader action, the criminals remain untouched.”

Mandatory ransomware incident reporting drew more consensus. Over 63% backed a national requirement, far more than the 41% who supported the existing voluntary regime. Supporters argue that reporting helps government understand threat patterns and improve response coordination.

Still, concerns remain. Organisations already face heavy reporting burdens under GDPR and other regimes, and extending a mandatory reporting requirement to individuals would be a stretch.

Definitions, Penalties, and the Fine Print

The consultation exposed critical grey areas. Respondents asked for sharper definitions of who’s covered, particularly in sprawling public-private supply chains. How far do obligations extend? And will rules apply to foreign-owned entities operating in the UK?

Penalties were another concern. There was wide support for some form of enforcement, but little agreement on whether these should be civil or criminal. The goal is deterrence, not punishment of victims.

That distinction, many argue, must be clear.

Stakeholders also called for practical guidance. Sector-specific advice, recovery support, and law enforcement coordination were all flagged as essential. Without that, the best-intentioned policies may falter on implementation.

Banning Payments Won’t Stop Cybercriminals

Boris Cipot, Senior Security Engineer at Black Duck, notes that ransomware deterrence begins before the attack. “Banning ransom payments won’t stop cybercriminals. They’ll find other revenue streams. What helps is ensuring attacks don’t succeed in the first place, and that stolen data becomes unusable.”

He adds, “The reality is that most ransom demands are small. A few thousand pounds. These low-dollar attacks often go unreported. Organisations quietly pay because the cost of disclosure exceeds the ransom. Stopping those exchanges is hard. Security must come first, then we can talk bans.”

A Step Forward, with Caveats

The government has said it will refine the proposals and engage further with industry. It plans to develop detailed guidance for all covered entities and explore how to apply the rules proportionately.

But there’s no silver bullet.

Ransomware is fluid, and its operators are inventive, distributed, and hard to prosecute. Their tactics evolve quickly, often outpacing regulation. Banning payments in critical sectors is one move, but it’s hardly checkmate.

As McClearin put it, “These problems are solvable. But they require more focus on attack surface management. If you test your defences regularly, you reduce your risk of ever having to make that call.”

Whether the UK’s approach strikes the right balance remains to be seen. What’s clear is that the era of voluntary restraint is ending. In its place, the government is laying down rules. The message is simple: don’t pay, report the attack, build better defences. And do it together.


Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
