FutureScot

Public sector bodies to be banned from paying ransom to hackers under new cyber proposals


Public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, are to be banned from paying ransoms to hackers, according to new UK Government proposals.

Private businesses will also be required to notify the government of any intent to pay cybercriminals to regain access to their data and networks, as part of a crackdown against the scourge of ransomware gangs.

Ministers want to make it harder for ransomware gangs to profit from cyberattacks on UK organisations – following an estimated 19,000 incidents last year.

The measures, part of the UK government’s Plan for Change, have been published following a public consultation, which sought views on how to reduce payments to cybercriminals and stimulate incident reporting.

They are being backed by the British Library, which came under a devastating cyberattack in October 2023, forcing the institution offline for a lengthy period and costing the organisation an estimated £6-7 million to rebuild its digital services.

Chief Executive Rebecca Lawrence said: “The British Library, which holds one of the world’s most significant collections of human knowledge, was the victim of a devastating ransomware attack in October 2023.

“The attack destroyed our technology infrastructure and continues to impact our users, however, as a public body, we did not engage with the attackers or pay the ransom. Instead, we are committed to sharing our experiences to help protect other institutions affected by cyber-crime and build collective resilience for the future.”

Jonathon Ellison, director of national resilience at the National Cyber Security Centre, added: “These new measures help undermine the criminal ecosystem that is causing harm across our economy.

“Ransomware remains a serious and evolving threat, and organisations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”

Co-op CEO Shirine Khoury-Haq also supported the measures following a similar recent attack on the nationwide retailer.

She said: “We know first-hand the damage and disruption cyber-attacks cause to businesses and communities. That’s why we welcome the government’s focus on cybercrime.

“What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”

Nearly three quarters of consultation respondents supported the new proposals. Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom. The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cybercriminal groups, many of which are based in Russia.

Mandatory reporting is also being developed, which would equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities, allowing for better support for victims. Consultation responses showed strong support for a new mandatory reporting regime to better protect British organisations and industry.
