UK government to ban public bodies from paying ransoms to hackers


The UK government is planning to ban public bodies from paying ransoms to computer hackers, and private companies will be required to inform authorities if they plan to cave in to cash demands.

The stance, announced on Tuesday by the Home Office security minister, Dan Jarvis, is intended to send a message to international cybercriminals “that the UK is united in the fight against ransomware”. It follows crippling ransomware attacks on the British Library in 2023 and NHS hospitals in London last summer.

The government said almost three-quarters of responses to a consultation backed the proposal and that “public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransom demands to criminals”.

Industry estimates suggest ransomware criminals received more than $1bn (£741m) from their victims globally in 2023. But Alan Woodward, a leading computer security expert at the Surrey Centre for Cyber Security, said UK public authorities are not known to pay ransoms.

He said the latest measures appeared aimed at signalling the refusal to pay more clearly to hackers around the world, which include regular offender networks like LockBit and Evil Corp.

“Some of the criminals may not know this and so communicating this could be valuable in that hackers will read that there is no point in attacking,” Woodward said. “I am not sure it will change anything in practice, but it puts everyone on notice so there can be no confusion.”

Businesses not covered by the ban on public sector ransoms would be required to notify the government of any intent to meet hackers’ demands for cash.

The Home Office said: “The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cybercriminal groups, many of whom are based in Russia.”

Jarvis said he wanted to “smash the cybercriminal business model”. “By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” he said.

The consultation documents said: “This type of crime only works if the potential victims are willing to pay the ransom that the gangs demand. Academic research suggests that criminals operating in this area will assess the level of ransom they can set, and the profit they will expect to make, against the probability that the victim will pay.”

Jonathon Ellison, director of national resilience at the National Cyber Security Centre, said ransomware “remains a serious and evolving threat, and organisations must not become complacent”.

“These new measures help undermine the criminal ecosystem that is causing harm across our economy,” he said. “All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”
