
UK to ban ransomware payments by public sector organizations

(2025/07/22)


The UK government is proposing to "ban" public sector organizations and critical national infrastructure from paying criminal operators behind ransomware attacks, under new measures outlined today.

This means the NHS, [1]local councils and [2]schools – all of which have been in the crosshairs of various miscreants in recent years – will no longer be able to negotiate with the scumbags that lock up their systems and extort them. Almost three quarters of respondents to a government consultation backed this, we're told.

UK threatens £100K-a-day fines under new cyber bill [3]

The idea is to make the public sector and CNI (which includes utilities and datacenters these days) less attractive targets for financially motivated attackers. The exact timeframe for implementing the proposals was not confirmed today.

"Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on," said Security Minister Dan Jarvis in a [4]statement. "That's why we're determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change."

This is part of the latest crackdown by the UK government on cybercrime: the Cyber Resilience Bill is expected to enter Parliament this year, designed to bolster NIS 2018 regulations. The Bill will give regulators more extensive enforcement powers, help the administration react more nimbly to emerging threats and expand the types of organization in scope of the legislation, including datacenters and MSPs.


Under the law, the government will have the power to order regulated entities to implement specific security improvements. A failure to download patches to address widely exploited vulnerabilities could lead to daily fines of £100,000 or 10 percent of turnover should a digital break-in occur.


"These new measures help undermine the criminal ecosystem that is causing harm across our economy," said Jonathan Ellison, NCSC director of national resilience.

Ransomware criminals have disrupted numerous local councils over the past few years, crippling services for days or weeks on end. They have also created havoc at schools, and [8]contributed to a death in the NHS as well as upending schedules for countless medical procedures.

The Plan for Change proposals mean commercial enterprises not covered by the ban on ransomware payments will still need to notify the government of any intent to pay ransoms. These businesses will then be told they risk breaking the law by sending money to "sanctioned cyber criminal groups, many of whom are based in Russia," the government said in a statement.


Mandatory reporting is another aspect under formation, intended to equip enforcement agencies with intelligence to catch the crews masterminding campaigns.

High-profile victims of cyber attacks in the private sector in 2025 included insurance giants, airlines, and well-known UK retail brands such as [14]Marks & Spencer, [15]Harrods and [16]Co-op.

Government advice is to prepare for the worst-case scenario, should it materialize, by maintaining offline backups, developing tried and tested plans to work without IT "for an extended period" and a "well-rehearsed strategy for restoring systems from backups."

Kev Breen, senior director of cyber threat intelligence at Immersive Labs, said of the government's measures today: "If the option is to recover quickly by paying, versus not being able to recover because you're banned from doing so, the temptation may be to pay and simply not report it.


"There are many moral considerations here. While it's always easy to say 'never pay,' the reality is far murkier. Some organizations have paid ransom demands not to recover infrastructure, but to prevent the public release of large volumes of personally identifiable information (PII) – where the damage to individuals could be far greater than a service being offline." ®




[1] https://www.theregister.com/2025/06/26/glasgow_city_council_cyberattack/

[2] https://www.theregister.com/2025/01/20/blacon_high_school_ransomware/

[3] https://www.theregister.com/2025/04/01/uk_100k_fines_csr/

[4] https://www.gov.uk/government/news/uk-to-lead-crackdown-on-cyber-criminals-with-ransomware-measures


[8] https://www.theregister.com/2025/06/26/qilin_ransomware_nhs_death/


[14] https://www.theregister.com/2025/05/21/ms_cyberattack_disruption/

[15] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/

[16] https://www.theregister.com/2025/07/16/coop_data_stolen/




LVPC

>> Kev Breen, senior director of cyber threat intelligence at Immersive, said of the government’s measures today: “If the option is to recover quickly by paying, versus not being able to recover because you're banned from doing so, the temptation may be to pay and simply not report it.

Of course he would say that - but he's a fool to think any organisation will be able to avoid anyone leaking info about an illegal ransomware payment.

Because if it cuts down on ransomware, he has less work for "threat intelligence." Just make paying a ransom illegal and be done with it already. Maybe then people will do proper backups.

About time too!

may_i

All businesses, public or private, should be covered by the same law.

It's very good to see that the idea of fines for those who don't spend the money needed on proper security and patch management is being proposed here as well.

Re: About time too!

katrinab

If nobody pays them, there is no money to be made from ransomware, and therefore it doesn't happen.

Because while some people will do it just because they can, and some people will do it because they hate what the company is doing and want to put them out of business, ransomware gangs do it for money.

Re: About time too!

I am the liquor

Conceivably, they might be able to get money for it from somewhere else. Like being paid by a hostile government, or a competitor of the company being attacked. But for sure, putting M&S offline for a couple of months is worth a lot more money to M&S than to Kim Jong Un or John Lewis.

Re: About time too!

I am the liquor

If someone can prove that you can make yourself less of a target by preemptively committing to not pay ransoms, then laws might be unnecessary. It seems like it could work. The recent attacks all seem to be targeted and bespoke to some degree, not like the old ransomware worms that were completely indiscriminate; there is some effort involved on the part of the attacker. In the absence of any possibility of being paid a ransom, the question will be whether any other revenue streams could justify that effort.

"public sector organizations and critical national infrastructure"...

Mentat74

So any governmental organization can continue paying them then?

Re: "public sector organizations and critical national infrastructure"...

katrinab

No, they are public sector.

A better option for the gov

Anonymous Coward

is to hunt the criminals down and remove them from the environment.

Sure, the government can get their Extortion Payment out of the Victim too, and call it a FINE...

But why not do the right thing and use the government resources to remove the intentional criminal?

use fire, and video it, I want to watch.

Re: A better option for the gov

Andy Non

What are you suggesting? Sending the SAS on a raid into Moscow?

As much as I'd like to see the ransomware scum "taken out", it remains nothing but a fantasy.

Re: A better option for the gov

may_i

I seem to remember the government of a certain country justifying the murder of people in foreign countries as being needed to win "the war on drugs".

That worked well didn't it?
