Extension of UK ransomware payment ban would bring additional challenges for victim organisations and incident responders
Event:
The UK government on 14 January 2025 announced a consultation on a proposed expansion of the law governing payments to ransomware groups [LINK].
Assessment:
The proposals include a ban on public sector bodies and critical infrastructure operators making ransom payments, a system to evaluate proposed payments, and a mandatory incident reporting regime [LINK]. Options for enforcement discussed in the proposal include civil and criminal liability.
The UK is one of a group of countries that have publicly pledged not to pay ransoms for attacks on government institutions [LINK]. Wider prohibitions on payments across the public and private sector have long been debated, but not adopted. A ban on ransomware payments has been floated in the US, but has encountered considerable opposition [LINK]. Australia has introduced mandatory reporting requirements but not a ban [LINK].
If adopted, the proposals would put the UK at the forefront of efforts to use changes in victim behaviour to combat ransomware. The idea that banning payments will dissuade criminals assumes a high degree of precision and discrimination on the part of a fragmented online criminal ecosystem. It also depends on criminal actors believing that victims will commit to non-payment even in the face of serious or even existential disruption.
The proposals assert that “[t]he main mitigation against ransomware is to change victim behaviour” [LINK]. Alternative mitigations would be to disrupt the groups themselves or to strengthen victim cyber defences. However, efforts by the UK National Crime Agency and international partners to directly target and disrupt ransomware groups have not translated into a reduction in the overall threat [LINK, LINK].
The emphasis on victim behaviour over cyber security is notable amid indications of concern in government over the low uptake of the NCSC’s cyber security guidance and accreditation [LINK]. In a revealing statement, NCSC CEO Richard Horne has recommended that organisations develop and test “plans to continue their operations in the extended absence of IT” [LINK]. The head of the national technical authority for cyber security advising organisations to prepare to operate without access to digital systems suggests parallels to the US, where federal guidance now implicitly assumes the insecurity of core telecommunications infrastructure [LINK].
Outlook:
The proposals are subject to a public consultation that will run until 8 April. The government has not indicated whether the proposed changes will be included in the forthcoming Cyber Security and Resilience Bill [LINK].
It is unlikely that these changes would drive a shift in ransomware activity within the one-year outlook, if indeed they are implemented within that timeframe. In the intervening period, the number of ransomware incidents is very likely to continue to increase, as groups maintain a high operational pace and innovate in methods and target selection.
In contrast, it is likely that these proposals would increase the regulatory requirements on companies and public sector bodies. Mandatory disclosure requirements would pose reputational and legal risk for companies, particularly those operating across jurisdictions that will be subject to varying legal regimes around disclosure and liability. The proposals would also disrupt parts of the incident response industry engaged in intelligence collection and engagement with threat actors.
A prohibition on paying ransoms would very likely lead to situations where some victim organisations do not recover from otherwise survivable incidents. This raises the prospect of a key infrastructure or healthcare provider suffering a fatal ransomware attack in the public eye, a scenario that would test this regime [LINK]. We assess that some companies facing a potentially existential threat will experiment with alternative payment methods designed to circumvent these controls.
Recommendations:
UK-based organisations should consider a submission to the public consultation process, outlining the impact that the proposed changes would have on their incident response and crisis management processes.
We recommend that organisations conduct executive-level table-top exercises (TTX) to test how incident response and crisis management processes would function if these changes were implemented. Companies that do so early on will have an advantage if and when these changes come into effect.
Regardless of whether these changes come into effect, we recommend that companies develop and test their incident response and crisis management procedures. Doing so increases response effectiveness, builds confidence in decision making, and limits operational impact.
Tyburn Associates is a leading provider of incident response and digital resilience services. As the preferred provider of table-top exercises for one of the world’s largest private equity houses, we have a wealth of experience in delivering impactful exercises for company leadership.