UK Proposes Ban on Ransomware Payments for Public Sector and Critical Infrastructure

Sophia Steele

January 14, 2025 · 3 min read
The UK government has proposed a ban on ransomware payments for public sector and critical infrastructure organizations, aiming to disrupt the cybercriminal business model. The Home Office launched a consultation on Tuesday, outlining a "targeted ban" that would prohibit public sector bodies, including local councils, schools, and NHS trusts, from making payments to ransomware hackers.

The proposal comes in response to a surge in cyberattacks targeting the UK public sector. Last year, the NHS declared a "critical" incident following a cyberattack on pathology lab provider Synnovis, which resulted in a massive breach of sensitive patient data and months of disruption. According to new data, the Synnovis attack caused harm to dozens of patients, including long-term or permanent damage to their health in at least two cases.

The proposed ban would also make it a criminal offense for critical infrastructure organizations, such as businesses in the energy and communications sectors, to make ransom payments in the event of a ransomware attack. UK government departments are already banned from paying ransomware gangs. The move is seen as a significant step in combating cybercrime, with an estimated $1 billion flowing to ransomware criminals globally in 2023.

Security minister Dan Jarvis emphasized the importance of acting to protect national security, stating that the proposals would "hit these criminal networks in their wallets and cut off the key financial pipeline they rely upon to operate." The UK's National Cyber Security Centre managed 430 cyber incidents over the year ending August 2024, including 13 "nationally significant" ransomware incidents, largely carried out by Russia-affiliated criminal gangs.

In addition to the proposed ban, the UK government is also outlining a new mandatory reporting regime for ransomware incidents. This would require cyberattack victims not covered by the ban to report the incident to the government. Another proposal suggests a program aimed at preventing the payment of ransoms to sanctioned entities, which the government would have the power to block.

The UK's move is not isolated: the federal government in the United States has long urged against paying ransom demands but has stopped short of imposing an outright national ban. However, in October 2023, a US-led alliance of more than 40 countries vowed not to pay ransoms to cybercriminals in a bid to starve the hackers of their source of income.

The Home Office's consultation is set to end in April 2025, but it remains unclear whether the UK plans to bring the measure before lawmakers in Parliament. If implemented, the ban could have significant implications for the way organizations respond to ransomware attacks, potentially leading to a shift in the cybercriminal business model.

The proposal highlights the UK government's commitment to protecting national security and critical infrastructure from the growing threat of ransomware attacks. As the cybercrime landscape continues to evolve, it will be important to monitor the effectiveness of this proposed ban and its potential impact on the global fight against ransomware.