The UK has proposed several options for dealing with the ransomware crisis - including a total ban on ransomware payments.
Ransomware - malware that prevents access to computer systems unless a ransom is paid - is a global concern that only seems to be getting worse. Each barrage costs more money in recovery or ransom payments, which are typically made to prevent data breaches. 2023 broke records with more than $1 billion paid to attackers, and recent reports show that there was an 11% increase in the number of attacks in 2024. While the US continues to be the most affected by the ever-growing cybersecurity threat, other countries are taking action. Similar to the US, the UK has suffered a substantial wave of ransomware incidents in the past few years.
Ransomware attacks rendered one of the UK’s largest privately owned logistics firms insolvent in 2023, disrupted supply chains in 2024, and even leaked patient records from a children’s hospital. One of the UK’s largest health and social care providers, HCRG Care Group, is currently dealing with an attack by the Medusa ransomware group. Medusa is demanding $2 million in exchange for deleting the 2.3 terabytes of sensitive UK health data it stole. Exorbitant ransoms like this are a large part of the conversation about stopping ransomware because they may incentivize threat actors to attack again.
On January 14, 2025, the United Kingdom published an open consultation, proposing to create legislation to fight ransomware and accomplish three main goals:
- Limit the money going to UK ransomware criminals, so they are discouraged from attacking UK businesses and organizations
- Empower operational agencies to block and investigate ransomware criminals by giving them more information about the ransomware payment space
- Improve the government’s knowledge of ransomware threats for future initiatives and international collaboration
The consultation options assessment covered six options to meet these objectives:
- A complete ban on ransomware payments
- A targeted ban on ransomware payments for regulated Critical National Infrastructure (CNI) and the public sector
- A ransomware payments prevention regime for all ransomware payments
- Mandatory reporting of a payment prior to the transaction (sector specific or economy wide)
- A mandatory ransomware incident reporting regime for all sectors
- Mandatory reporting of ransomware incidents for specific sectors
This is not the first time the UK has supported banning ransom payments. During the 2024 Counter Ransomware Initiative Summit, the country issued guidance for organizations during a ransomware incident. The guide stressed considering other options besides paying the ransom, and the need to record and report the incident - two themes that are very visible in the proposal.
The proposal argues that “by banning ransomware payments, the number of ransomware attacks will eventually decrease due to the lack of monetary incentive.” It also provides evidence that paying the ransom is not as cost-saving as it used to be, and suggests that the high costs of ransomware demands meant that “organizations that paid the ransom likely ended up spending more overall than those that did not pay the ransom.”
The second arm of the proposals, mandatory reporting of these cyber incidents, is also a familiar issue for the UK. In 2023, its National Cyber Security Centre (NCSC) published a blog post saying it was "increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware … And if attacks are covered up, the criminals enjoy greater success, and more attacks take place.” The proposal explains that mandatory reporting would narrow the ransomware intelligence gap between these cyber criminals and UK law enforcement.
The laws for mandatory reporting will probably build on “existing precedents from US and Australian cyber legislation”, like the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which has been championed by the US Cybersecurity and Infrastructure Security Agency (CISA) since it was signed into law in March 2022. While the future of CIRCIA seems uncertain in the US as the current president removes regulations, its incident-reporting timeline (a 72-hour deadline) has been influential and likely also inspired Australia’s Cyber Security Bill 2024.
For now, the public can comment on the consultation until 5 pm (GMT) on April 8, 2025. According to the 2024 Cyber Security Breaches Survey, nearly half of UK businesses (48%) have a policy not to pay ransoms. Another poll suggested that 68% of the public believed “that it is wrong for a business to pay a ransom because that ransom could be used by attackers to fund more criminal activities,” while 89% felt that “businesses should always report a ransomware attack to law enforcement and relevant authorities.” Only 11% of respondents had first-hand experience with ransomware. If these numbers accurately reflect the view of the public, then we can expect the consultation proposal to be very well received.