The UK government has launched a consultation on plans to ban hospitals, railways and public services from making ransomware payments.
Aimed at safeguarding critical national infrastructure and public sector organisations, the proposals target the financial incentives driving cybercrime while bolstering national cybersecurity resilience.
Key measures include extending the current ban on ransomware payments by government departments to all public sector bodies, including the NHS, schools, and local councils.
This move aims to deter attackers by making essential services less attractive targets.
Additionally, a mandatory incident reporting regime will be introduced to enhance law enforcement’s ability to disrupt attacks and track emerging threats.
According to a Home Office press release, the proposed ransomware payment prevention framework will give the National Crime Agency (NCA) increased visibility into ongoing incidents, enabling it to guide victims and block payments to known criminal networks.
Security minister Dan Jarvis emphasised the importance of these measures, highlighting the global $1 billion ransomware market in 2023 and the urgent need to protect the UK economy and critical services.
“This is a vital step to hit cybercriminals in their wallets and safeguard businesses and jobs,” he said.
The measures also support global anti-cybercrime initiatives, including Operation Cronos, which disrupted the LockBit ransomware network, and international sanctions targeting cybercriminal groups.
National Cyber Security Centre CEO Richard Horne urged organisations to strengthen their defences, highlighting the importance of frameworks like Cyber Essentials and robust operational recovery plans.
Australia’s mandatory reporting law
While cyber security analysts have welcomed the move, the question of how successful this ban will be in combatting these attacks remains unanswered.
Ilia Sotnikov, security strategist at Netwrix, pointed to the complexity of implementing a proposed ransomware payment ban, which in the case of hospitals could lead to moral dilemmas.
“Ransomware attacks, particularly those targeting hospitals, can endanger lives, making the ethics of a blanket ban complex. Attackers are adaptive, and such restrictions may lead to challenging moral dilemmas,” he said.
“Instead of outright bans, governments could follow the example of how banks reduced robbery risks—not by banning cash handovers but by adopting robust risk mitigation strategies.
“Establishing cybersecurity benchmarks for high-risk industries like healthcare and transportation could provide essential guidance. Consulting with both industry and academia will be vital to shaping effective legislation,” he added.
Some US states have already made legislative moves towards restricting payments, with North Carolina and Florida being the first to pass legislation prohibiting certain state agencies from paying ransoms.
While a similar ban was mooted in Australia, after extensive deliberation, the government decided against an outright ban, opting for a mandatory reporting regime for ransomware incidents.
Businesses with an annual turnover exceeding $3 million AUD are now required to report any ransom payments made to cybercriminals.