Government consultation considers measures to disrupt ransomware payments

United Kingdom

On 14 January 2025, the UK Government unveiled a consultation document titled “Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting”, aimed at addressing the escalating threat of ransomware attacks in the UK.

Background and Scope

The consultation document highlights both a recent increase in frequency of ransomware attacks and public anxiety concerning ransomware, describing it as “the greatest of all serious and organised cybercrime threats” and citing the notable recent examples of ransomware attacks on the NHS and the British Library.

The proposals outlined in the consultation document are designed to disrupt the business model of ransomware criminals by reducing the financial incentives for such attacks. The proposals also aim to facilitate better investigation of ransomware groups, by providing Government bodies with a more complete picture of the ransomware payment landscape.

Key Proposals and Potential Impacts

The consultation document outlines three main proposals:

1. Targeted ban on ransomware payments for public sector bodies and critical national infrastructure (“CNI”) owners and operators

2. Ransomware payment prevention regime

3. Mandatory reporting regime for suspected ransomware incidents

Proposal 1: Targeted Ban on Ransomware Payments

This proposal aims to prohibit all public sector bodies, including local government, and CNI owners and operators (that are regulated or have competent authorities) from making ransomware payments. This would expand the existing prohibition on central government departments making ransomware payments. By ensuring that these organisations do not pay ransoms, the Government hopes to make the UK a less attractive target for cyber criminals.

The potential impact of this proposal is uncertain. Government-backed bodies may already be less likely to make ransomware payments to threat actors, so the ban may change little in practice. Further, the extent to which threat actors are aware of, and respond to, changes in legislation remains to be seen.

There are questions around how this proposal will be enforced, whether it could result in increased risks to data and to the continuity of critical services, and whether the proposed ban will apply to overseas entities as well as those registered in the UK.

This proposal will not deter cyber attacks that are not motivated by receipt of a ransom, including state-sponsored attacks or those focused on data theft.

Proposal 2: Ransomware Payment Prevention Regime

This proposal would require any victim of ransomware, not covered by the targeted ban, to report their intention to make a ransomware payment and, prior to payment, enter into dialogue with Government authorities so they can assess whether to block it. The authorities would then provide guidance on non-payment resolution options and check if there is a reason for the proposed payment to be blocked, e.g. where it could go to criminals subject to sanctions, or in violation of terrorism finance legislation. This proposal aims to improve the Government's understanding of the ransomware payment landscape and influence victim behaviour by discouraging ransom payments.

As part of the consultation, the Government is seeking views on whether this proposal should be subject to a threshold based on the size of the organisation or the amount of the ransom demanded.

As with Proposal 1, this proposal also raises some questions, particularly around implementation and the potential impact on organisations and individuals:

  1. Many organisations that are impacted by ransomware already have specialist advisors lined up to provide support on the legality of ransom payments, their options for handling the attack and the issues that arise in engaging with threat actors, including the content of existing government guidance. These organisations may not need centralised guidance and support.
  2. The process for engaging with the authorities is not specified. This creates uncertainty about whether the regime will operate efficiently and effectively in practice, and whether the advice provided and the power to block payment could amount to a de facto ban on ransom payments for organisations outside the scope of the ban proposed under Proposal 1. We also note that the consultation paper does not indicate any concern on the part of government that organisations are actually making illegal payments to threat actors.
  3. The consultation suggests that the requirement to liaise with the authorities is linked to determining the legality of payment (e.g. it not breaching sanctions). But this is not completely clear and so it is uncertain whether ransom payments could be blocked on other grounds and/or how any determination would be made and by whom.
  4. Responses to ransomware attacks are time-critical and so the proposed payment prevention regime will need to be sufficiently resourced in order to provide organisations with prompt advice.

Proposal 3: Mandatory Reporting Regime

The final proposal involves the introduction of a mandatory reporting regime for suspected ransomware incidents. As with Proposal 2, it is currently not known whether all organisations and individuals will be subject to this requirement, or just those meeting a certain threshold.

The aim of this proposal is to enhance the Government's ability to understand and respond to the ransomware threat by ensuring that all incidents are reported, regardless of whether a ransom is intended to be paid.

The consultation document suggests that an initial report would be required within 72 hours of the incident and a full report within 28 days. This may raise concerns about overlap with existing reporting regimes: ransomware incidents affecting personal data will in many cases also be reportable to the Information Commissioner’s Office (and, where the risk to individuals is high, to the affected individuals themselves) under the UK GDPR, and the UK NIS Regulations contain their own incident reporting obligations. In this respect, the Government has offered some reassurance that, as far as possible, it intends for victims to be required to report a ransomware incident only once.

Next Steps

The consultation is open until 8th April 2025, and feedback can be provided by completing the questionnaire set out in the consultation document. CMS intends to participate in the consultation process.