UK to ban public sector from making ransomware payments — TradingView News


The UK is moving forward with a ban on its public sector and operators of critical national infrastructure paying ransomware demands.

The proposals, released on Tuesday as a result of a public consultation, call for a ban on ransomware payments covering all public sector bodies and critical national infrastructure such as energy, the health service and local councils, expanding an existing ban on government departments.

Other parts of the proposal include a prevention regime to require victims and businesses not covered by the ban to report when they intend to pay a ransom. 

A mandatory threshold-based reporting system that requires victims to pen a report with key details for the government within 72 hours of the attack, and a more in-depth analysis within 28 days, is also on the table. 

UK security minister Dan Jarvis said the Home Office is “determined to smash the cyber criminal business model and protect the services we all rely on,” and work “in partnership with industry to advance these measures.” 

Ransomware is malicious software that encrypts a computer or network to block access to it until a sum is paid, which is typically requested in cryptocurrency.

Ransomware declined last year, with Chainalysis reporting in February that attacks decreased by 35% compared to 2023.

In June, CertiK said the bulk of crypto losses this year have been from wallet compromises and phishing attacks. 

Most agree with ban, split on penalties

The UK Home Office consulted on the proposals from Jan. 14 to April 8 and received 273 responses: 57% identified as organizations, 39% as individuals and 4% were classed as other.

Nearly three-quarters agreed that a targeted ban on ransomware payments was warranted, while a little over one in five disagreed. There were also mixed views on the prevention regime, with nearly half favoring an economy-wide ransomware payment ban.

The third proposal for a threshold-based reporting system had 63% of respondents in favor, and less than half — 41% — agreed with continuing the current voluntary reporting system.

A point of contention was possible penalties for victims who violated the measures. Respondents agreed with using penalties across all proposals; however, concerns were raised about criminalising victims and whether criminal or civil penalties would be suitable.

The Home Office said because the feedback on penalties was mixed, it would “continue to explore the most appropriate and proportionate penalties.”

UK flags ransomware as an immediate threat

The UK National Cyber Security Centre’s 2024 Annual Review, released in December, found ransomware attacks “continue to pose the most immediate and disruptive threat” to the country.

According to the review, in June 2024, a ransomware attack on the pathology laboratory Synnovis delayed elective procedures and outpatient appointments. Another attack on Oct. 28, 2023, compromised the British Library’s online systems. 

British Library Chief Executive Rebecca Lawrence said in a statement on Tuesday that the library “holds one of the world’s most significant collections of human knowledge,” and the attack “destroyed our technology infrastructure and continues to impact our users.” 

US to cut funding for cyberattack disclosure rules, Australia enforces mandatory reporting 

On Monday, US House Republicans sought to cut the Securities and Exchange Commission’s 2026 budget by 7% and included a provision that blocked funding for enforcing a rule that requires public companies to disclose cyber incidents within four days.

In November, Australia enacted laws, which came into force in May, that require businesses with an annual turnover of over 3 million Australian dollars ($1.9 million) and entities responsible for critical infrastructure to report ransomware demands.

The country had previously considered whether ransomware payments should be made illegal after a cyberattack hit consumer lender Latitude Financial, but the idea was rejected at the time.


