UK floats ransomware payout ban for public sector
- Reference: 1736852662
- News link: https://www.theregister.co.uk/2025/01/14/uk_ransomware_payout_ban/
- Source link:
The consultation will consider views on extending the ransom payment ban from central government departments to all public services including hospitals, schools, local authorities, and state-operated transport networks.
Announced today, the 12-week consultation will run from January 14 to April 8 and explore three proposals, the first of which is the total payment ban for the public sector and critical national infrastructure (CNI) organizations.
[1]
The overarching notion is to make the prospect of targeting these sectors undesirable for financially motivated criminals. It would also involve mandatory reporting of incidents to support law enforcement and intelligence agencies.
[2]
[3]
Secondly, "a ransomware payment prevention regime," as the Home Office is calling it, would take the first proposal even further. This idea assumes that a public sector payment ban would be implemented, and then additionally require that any organizations and businesses not covered by an existing ban seek the government's approval before they pay the ransom. It would be something of a ransomware payment "license," which may or may not be issued depending on the nature of the incident.
A pan-industry approach would also see the nation's crime-fighting forces empowered with additional data to inform ongoing investigations and operations, although the consultation will also consider whether the rules would only apply to attacks that meet a certain threshold.
[4]
The third and much weaker approach proposes to implement a mandatory reporting law for ransomware incidents. (So no ban.) This would provide the UK's cyber-crime fighters with as much data as possible to better inform their investigations, (and potentially their disruption efforts à la LockBit,) but is certainly not as powerful as the other ideas on the table.
Like the second proposal, the consultation will consider whether the rule will be for all organizations and individuals or be based on an attack meeting a specific threshold.
"Driving down cybercrime is central to this government's missions to reduce crime, deliver growth, and keep the British people safe," security minister Dan Jarvis said in a statement.
[5]
"With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this Government's Plan for Change is built.
"These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.
"Today marks the beginning of a vital step forward to protect the UK economy and keep businesses and jobs safe."
As part of its first Cyber Security Act, Australia introduced mandatory incident reporting rules in November 2024 requiring organizations to report ransomware attacks, provided they meet the revenue threshold. This was set at AU$3 million ($1.845 million), which captures approximately 6.56 percent of Australian businesses, according to the country's Cyber and Infrastructure Security Centre.
Given the UK's close political and economic ties to Australia, a similar threshold or percentage of British organizations may be considered if the rule were to be mirrored.
No major economy has taken steps toward banning ransom payments on quite the scale as that being described in some of the UK's proposals today. It would be a monumental moment for cyber policy should they be passed and implemented.
The UK's NCSC appears to be onside with the consultation too, with new CEO Richard Horne saying: "This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs.
"Organizations of all sizes need to build their defenses against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organizations. In addition, using proven frameworks like Cyber Essentials, and free services like NCSC's Early Warning, will help to strengthen their overall security posture.
"And organizations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks. This isn't just about having backups in place: Organizations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups."
Time to debate… again
So, for 12 weeks, UK policymakers and cybersecurity experts will once again debate the effectiveness of potential approaches to disrupting ransomware.
The pros and cons of both sides of the ransomware payment ban debate have been well told by now. Both camps have fierce proponents fighting their corner, although most agree some sort of middle ground will likely be best. The issue is largely driven by what compromises are and aren't acceptable.
[6]Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days
[7]Drug addiction treatment service admits attackers stole sensitive patient data
[8]Database tables of student, teacher info stolen from PowerSchool in cyberattack
[9]Atos denies Space Bears' ransomware claims – with a 'but'
Ciaran Martin, the founding CEO of the UK's NCSC, famously opined last year in [10]national news that ransom payments should be banned, with the resulting debate quickly reaching fever pitch.
He argued that many of the arguments against the ban were "terrible," closing the short piece by saying simply: "We have to find a way of making a ransom payments ban work."
Opponents argue that a ban would bring various unintended negative consequences that would worsen the way ransomware is handled. Arguments include victims possibly pursuing other illicit means to compensate ransomware operators or recover their data, which in turn may discourage their engagement with law enforcement.
The standpoint is one that's adopted even at the highest levels, such as the Institute for Security and Technology's Ransomware Task Force.
One of the co-chairs on that task force, security expert Jen Ellis, said in an [11]online debate on the matter, hosted by the Royal United Services Institute (RUSI) last year, that the idea that policymakers can simply force organizations to become resilient to ransomware is "great" but "completely disconnected from reality."
She said it's not a case of organizations being too lazy to meet resilience standards, but instead there are "a million and one [12]incentives that operate in the wrong direction ." Examples of these include affordability, technical awareness, and maturity.
Another related factor is that criticism has been leveled at the [13]cyber insurance industry for making ransom payments easier, providing organizations with access to liquidity for doing so.
Ellis and Jamie McColl, research fellow at RUSI, both also pointed out that, at the time, a small number of US states had banned government departments from paying ransoms with little to no impact on attack frequency.
Although banning ransom payments may seem like the easy, one-click solution to ransomware – cutting the crims off where it hurts – ushering in that change won't be an easy feat for the UK government should it choose to go ahead with this.
Nevertheless, the UK's cyber situation worsens with each year. The NCSC's most recent [14]annual review revealed the number of security threats that reached the agency's maximum severity threshold tripled compared to 2023.
The number of [15]nationally significant incidents and cases of ransomware also rose year on year, suggesting the current approaches to combating the crime aren't cutting it. ®
Get our [16]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z4aYNwrroCZoV3csRxcMSgAAAJI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4aYNwrroCZoV3csRxcMSgAAAJI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z4aYNwrroCZoV3csRxcMSgAAAJI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4aYNwrroCZoV3csRxcMSgAAAJI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z4aYNwrroCZoV3csRxcMSgAAAJI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
[7] https://www.theregister.com/2025/01/10/baymark_data_breach/
[8] https://www.theregister.com/2025/01/09/powerschool_school_data/
[9] https://www.theregister.com/2025/01/04/atos_denies_space_bears_ransomware/
[10] https://www.thetimes.com/article/cyber-ransoms-are-too-profitable-lets-make-paying-illegal-kc8cmhxs0
[11] https://www.youtube.com/watch?v=djgkoAAAP9I&ab_channel=RUSI
[12] https://www.theregister.com/2024/05/16/ncsc_cto_broken_market_must/
[13] https://www.theregister.com/2024/10/14/ransomware_insurance_ban/
[14] https://www.theregister.com/2024/12/03/ncsc_annual_review/
[15] https://www.theregister.com/2024/07/05/qilin_impacts_patient/
[16] https://whitepapers.theregister.com/
The final option they will select is ...
... do nothing (no-one in government ever got sacked for doing nothing).
sensible policy instead of culture war?
The fuck's going on? are there nukes inbound?
Require that the likes of Microsoft and Google ensure core data is protected?
That ransomware finds it easy to propagate networks is the first problem. Personally I have always had all information duplicated on machines that are protected so even if a machine is compromised by any problem it can be rebuilt at any time and the material such as 20+ years of emails are still stored safely away.
I've been running Linux for many years now and that helps keep content isolated from software and my websites use Firebird as the underlying database which backs up all the content on those sites to a safe area on the directory tree and not in a messy area that other databases use.
OK IF someone downloads ransomware then it's the time to rebuild that machine, but the Windows box here refuses to upgrade to Windows 11 and will have to be replaced ... isn't that just another form of Ransomware?
Re: Require that the likes of Microsoft and Google ensure core data is protected?
Microsoft and Google are only going to be able to do that if you (pay to) use them as your store. They'll love that, they will be able to rake in money and still change T&Cs, change charging tiers and discontinue services at whim.
Re: Require that the likes of Microsoft and Google ensure core data is protected?
You did not mention this in your post, but I hope your devices do not have write access to where the backups are stored...
Personally, I consider backups to be "protection from data loss", which includes being able to recover files that get deleted or overwritten. Many people do not understand this, and instead think backups are "protection from a drive failing".
A typical "backup strategy" would be to duplicate your data to a server in another location. Simplest option is some automated process that just copies your data to a writeable location on the remote server. Which the ransomware will specifically search for and overwrite...
Having your backup target do INDEPENDENT versioning (ie. Client devices have no direct write access to previous versions) is an additional complication that many people don't understand the importance of.
(Anyone wondering, the easy way to "bolt this on" to a Linux server is to convert your ext4 FS to btrfs which can be done safely and non-destructively, then Google for a script you can stick in the crontab to take snapshots and clean up old ones... And don't mount the snapshots directory somewhere clients can access!)
Some organisations will
Be resilient already.
It's the entities that haven't got the horsepower or expertise in their core business to have all the security and IT knobs, bells and whistles deployed to provide resilience.
If it's Defence or Finance, they're generally all over it, with some outlaying other industries as they are well financed, or sufficiently profitable to invest in good cyber practices, technologies and controls.
Much like electricity and water, the Cyber Crims will find the path of least resistance and attack those entities that aren't well protected in the first instance.
It's a well intentioned thought that we can ban extortion payments, but the realities remain to be seen.
Re: Some organisations will
"It's a well intentioned thought that we can ban extortion payments, but the realities remain to be seen."
Well we know the realities of the current situation. We're encouraging extortion by allowing it to be paid. We really need to do something different. If there's no financial incentive for them, we've removed a great deal of their motivation.
> It would be something of a ransomware payment "license," which may or may not be issued depending on the nature of the incident.
So instead of paying just the crims one pays the government (to obtain a license) and then pays the crims? Like a tax on a ransomware incident? Brilliant, just brilliant! Almost everybody involved wins!
Is anyone aware of any public sector body that has paid (or allegedly paid) a ransom?
I know of many attacks but none that have paid.
Unless they know public bodies are paying (and the finances would therefore be in the public domain) this was be a waste of legislative time.
Now banning all payments to ransomware ne'er-do-wells that might fly.
There should be a law against it...
How about having the NCSC set standards for IT systems, certify them and then mandate their use in the public sector? Then make the Treasury provide the resources for the public sector to keep its IT estate current.
OTOH if we can't do it for basics like housing (see Grenfell Tower) I guess there's no hope for other public services.
So...
Allow ransom payments, but require that they be paid personally by the CEO? (and no naughty sudden bonuses to cover it!)