The government has announced that public sector organisations and Critical National Infrastructure (CNI) will be banned from making ransomware payments. This includes the NHS, local councils and schools.
Organisations will be expected to make an initial incident report within 72 hours.
Private organisations, meanwhile, will have to notify the government if they plan on making a ransomware payment, under what it calls a new ‘payment prevention scheme’. The government would then provide advice and support, including clarifying whether a payment would breach the rules on funding cybercriminals.
According to the government, the move is intended to send a message to cybercriminals “that the UK is in the fight against ransomware”, while making UK public services less attractive targets.
In a consultation carried out earlier this year, over two-thirds of respondents (68 per cent) thought that a targeted ban would help cut cybercriminals’ income by restricting the amount of cash going to them. What’s more, 60 per cent thought that the ban would deter cybercriminals from targeting UK public services.
As an organisation, you’ll be expected to have actions in place so that you can maintain operations in the event of a ransomware attack. This could include having offline back-ups as well as strategies to survive without your IT systems for a period, plus plans to restore your systems from back-ups.
Though this is an initial announcement, a lot of concerns have been raised by experts and consultation respondents, which we’ll be exploring here. You can fast-track using the links below.
- Which organisations will be included?
- What about public sector bodies’ supply chains?
- How will the ban be applied?
- Will the law risk criminalising victims?
- What will penalties for non-compliance look like?
- Will it put pressure on businesses/organisations excluded from the ransomware payments ban?
Which organisations will be included?
There is a need to establish exactly which organisations will be covered by the ban.
What about public sector bodies’ supply chains?
In the same vein as which organisations are covered, we aren’t sure whether their supply chains are also covered. Companies in a supply chain have connections into, and hold crucial information about, the criminals’ would-be target organisations.
How will the ban be applied?
Questions remain around how the ban will be applied. For example, it could be introduced as a blanket ban across public organisations or it could be applied based on certain criteria such as turnover or number of employees.
With thresholds in place, businesses/organisations may choose to operate differently so that they aren’t covered by the ban, such as lowering turnover or number of employees.
All of this said, rules like this could help to build a better picture of what’s going on with ransomware threats in the UK. Arda Büyükkaya, senior cyber threat intelligence analyst at EclecticIQ, explains more: “As attackers evolve their tactics and exploit vulnerabilities across sectors, timely intelligence-sharing becomes critical to mounting an effective defence. Encouraging businesses to report incidents more consistently will help build a stronger national threat intelligence picture, something that’s important as these attacks grow more frequent and become sophisticated.”
To avoid confusion, the government should provide sector-specific guidance on how the available resources should be used, and make those resources clear and accessible. “Many victims still hesitate to come forward due to concerns around reputational damage, legal exposure, or regulatory fallout,” said Büyükkaya. “Without mechanisms that protect and support victims, underreporting will remain a barrier to national cyber resilience.”
Especially in the early days of the legislation, organisations may still feel pressured to pay in order to keep operations running, even if they’re banned from doing so. Jamie Moles, senior technical manager at ExtraHop, said: “Organisations that haven’t already bolstered their cyber defences will be susceptible to significant downtime if attacked by a ransomware group with no way to pay the problem away. This goes even deeper for public service organisations, like health services or critical infrastructure, which could have catastrophic consequences if impacted by threats like ransomware.”
Will the law risk criminalising victims?
Critics have raised concerns about criminalising or revictimising victims, which could make organisations more reluctant to come forward and report ransomware in the first place.
“The reality is that many organisations have historically chosen to pay ransoms out of a pragmatic desire to resume operations quickly while minimising costs,” James Neilson, SVP international at OPSWAT, said. “The new measures therefore risk criminalising such victims while they are dealing with an attack or leaving them compliant but facing long-term disruption or denial of operations at significant cost. That’s an uncomfortable position for organisations to be in.”
What will penalties for non-compliance look like?
For those covered by the ban who do pay out to cybercriminals, what happens to them? Would criminal or civil proceedings follow, or would it simply incur a financial penalty?
Will it put pressure on businesses/organisations excluded from the ransomware payments ban?
“This policy could also unintentionally shift the spotlight onto private sector organisations that fall outside the ban’s scope,” said Neilson. “Cybercriminals are adaptive and economically rational and will refocus on less regulated targets with a perceived higher likelihood of paying ransoms.”
Taking preventative steps
Most commentators have emphasised prevention as the greatest line of defence. Etay Maor, chief security strategist at Cato Networks, said: “This legislative move marks a firmer policy stance than is typical across Europe, shifting from guidance to clear, enforceable action.”
But depriving attackers of funds isn’t enough, he said. “Real gains come from making compromises harder in the first place. Ransomware exploits weaknesses in how users access corporate systems, making secure access and business continuity non-negotiable.”
Matt Cooke, cybersecurity strategist at Proofpoint, agrees that it’s individuals – not the organisation itself – that tend to be targeted: “It wouldn’t be hard for someone to find your email address and target you. So, we need to tackle that challenge on two fronts: making it harder for attackers to get in and ensuring ransomware payments dry up.”
So, part of the responsibility falls to the organisation itself, as Moles points out: “The onus remains on organisations to take the needed measures to protect themselves from this increasingly sophisticated threat, including unparalleled visibility into the network to detect ransomware before any lateral movement or data exfiltration occurs.”
But tackling it needs to be a joint effort with the government, as Trevor Dearing, director of critical infrastructure at Illumio, said: “If the government wants to talk the talk, it has to also walk the walk. For charities and small public bodies who don’t have big cyber teams, extra government support with this will be critical. It can’t stop at policy. Real-world support and practical help are key to make this work.”
Key takeaways
- Public organisations will be banned from making ransom payments, but private organisations will have to notify the government if they plan to make a payment.
- As an organisation you’ll still be expected to have plans in place to deal with a cyber attack, such as offline back-ups.
- There are some details yet to be established on this ransomware payments announcement, such as public organisations’ supply chains and what penalties for non-compliance will look like.
- Prevention is still the best line of defence. Make sure you have measures in place in the event of a ransomware attack.
Read more
- Why banning ransomware payments is only a limited fix – JumpCloud’s Chief ISO explains how ransomware attacks are still a threat despite proposed legislation and discusses some key defence strategies
- Why slow recovery is the real threat of ransomware events – With ransomware attacks, it’s a case of when (not if) you’ll be hit and, crucially, how long recovery takes. Here’s how to bounce back quicker
- Why shutting down systems can backfire during a cyber attack – Despite what instinct might dictate, shutting down your systems during a cyber attack could lead to a slew of negative outcomes