The UK Government considers ransomware attacks to be the greatest of all serious and organised cybercrime threats. In response, it has launched a consultation on three measures to reduce payments to cybercriminals and increase ransomware incident reporting. The consultation runs until 8 April 2025. The Government's aims are to undermine the ransomware business model – making UK businesses less profitable for cybercriminals to target – and to improve the Government's intelligence around ransomware threats to inform future interventions. This briefing looks at the proposals and their potential implications.
1 Proposal 1: Targeted ban on ransomware payments
The Government proposes to extend the existing ban on ransomware payments so that it applies to all public sector bodies, including local government, and to owners/operators of critical national infrastructure (CNI) that are regulated or that have competent authorities. The ban in respect of CNI covers thirteen sectors.
The Government seeks feedback on:
- criminal and civil penalties for non-compliance
- the inclusion of essential suppliers to these sectors
- an economy-wide ban covering individuals and businesses
2 Proposal 2: Ransomware payment prevention regime
All victims of ransomware attacks not covered by the ban would be required to report their intention to make a ransomware payment before doing so. Authorities would then review and potentially block payments, providing support and influencing victim behaviour. Breaches of sanctions and terrorism finance laws are given as examples of reasons for the Government blocking payments.
The Government seeks feedback on:
- potential penalties for non-compliance, and where responsibility should rest, with the organisation and/or a named individual
- what guidance and support should be offered to victims
- whether the regime should apply to all potential victims or be threshold-based (e.g., by reference to the size of the organisation or the ransom amount) and/or exclude victims who are individuals
3 Proposal 3: Ransomware incident reporting regime
Suspected victims of ransomware would be subject to a mandatory reporting requirement, regardless of whether they intend to pay. The Government's aim here is to improve its understanding of, and response to, ransomware incidents. The report would be made to "relevant parts of Government", with an initial report of the incident within 72 hours (stating whether a ransom demand has been received, whether the organisation can recover using existing resilience measures, and whether the ransomware group is identifiable), followed by a full report within 28 days (including the means of access, whether resilience measures have been implemented, and any further details of the attack).
The Government seeks feedback on:
- measures to help businesses comply
- the reporting timeframes
- potential penalties for non-compliance
- potential thresholds for reporting
- whether reporting should cover all cyber incidents, not just ransomware (e.g. phishing and hacking)
4 Takeaways for business
Information about the reporting process (and about Government interventions) is scant at this stage. While the aims behind the consultation are commendable, organisations may worry about the additional burden that these measures impose at a critical time for the business. Key points to consider include:
- Increased notification burden. Under existing rules, many organisations already face a race against the clock to make multiple notifications in multiple jurisdictions in respect of cyber incidents. These measures will add to that pressure. Pre-empting concerns, the Government promises a proportionate approach. Its intention is for UK victims only to be required to report an individual ransomware incident once, "as far as possible" – so, for example, these proposals and those in the Cyber Security and Resilience Bill (which is yet to emerge) would be aligned, to avoid duplication. However, streamlining notifications more widely may be difficult. It is not clear whether these requirements would sit alongside existing notification requirements under data protection laws and sector-specific rules, such as reporting to the FCA.
- Timing. Engagement with authorities before making a payment will delay resolution efforts and prolong business disruption. There is little information on the process, including the timescales for the Government to respond to confirm whether a payment is blocked or not. In this time-critical situation, a delay can have the same effect as a block (and government resourcing is likely to be a factor here). Moreover, the trigger for the 72-hour reporting deadline for "suspected" ransomware victims is unclear, and businesses are unlikely to be able to provide particularly "full" information within 28 days.
- Punishing the victim? Criminalising payments and reporting failures may be perceived as a shift away from persuading and educating victims towards punishing them – while the cybercriminals often elude law enforcement.
- Layering of penalties. Organisations which make ransomware payments in breach of legislation relating to sanctions, money laundering and terrorist financing already risk severe penalties. Will the threat of further penalties make a significant difference?
- Attacker motivation. These measures assume that cybercriminals are purely financially motivated. Other motives may make an organisation an attractive target, and those would not be undermined by non-payment, e.g. disrupting a business to make a statement, political motivations or espionage.
- Downstream impacts of a ban. Could a targeted ban, which encourages cybercriminals to focus elsewhere, cause ransomware attacks to balloon in sectors not subject to that ban? The consultation paper discusses the substantial costs resulting from a scenario involving an attack on an electricity distribution network. But if attacks are reduced but not eliminated (which seems likely), the additional costs and impact of a prolonged attack, if the option to pay a ransom is removed, for the power company and its many customers which are reliant on the network, are less clear.
- Smaller businesses. Smaller businesses are particularly vulnerable as they are less able to withstand prolonged disruption. Could the payment prevention regime push desperate victims underground to find other (illicit) ways to recover their data?
- Reputational risk. Businesses will be concerned about the disclosure of sensitive information to the authorities and its impact on reputational risk. What will be the implications from an insurance perspective and, if a payment is not blocked but the business pays the ransom against advice, for its future relationship with regulators?
- Geopolitical backdrop. The consultation refers to the UK's collaboration with global partners to coordinate policies and discourage ransomware payments through the Counter Ransomware Initiative. However, relatively few jurisdictions have implemented bans or a specific reporting regime in relation to ransomware payments. For an example of a dramatic divergence in approach, one need only look to the Trump administration, which has recently frozen the US cyber offensive against Russia and reduced the headcount at the US Cybersecurity and Infrastructure Security Agency (CISA). Businesses will be concerned about UK competitiveness and investment if UK regulations are stricter than those of other jurisdictions, particularly in a climate of deregulation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.