The Home Office is kicking off a consultation aimed at tackling the ransomware threat in the UK. They’re proposing to expand a current ban on ransomware payments to include vital sectors like the NHS, local councils, and schools, as well as key utility providers.
Right now, this ban only applies to government departments. But with these new proposals, public sector bodies will not be allowed to pay off cyber criminal extortionists. The government claims it’s a “world-leading” move, aiming to cut off the money flow to cyber criminals and protect the organizations people depend on every day. Security Minister Dan Jarvis emphasized the need to drive down cyber crime as a key part of their plan to keep the British population safe.
In 2023, cyber criminals were expected to rake in about $1 billion globally, prompting urgent action for national security. Jarvis stated that these proposals would help disrupt criminal networks financially. He described today’s consultation as a crucial step for protecting the UK economy and securing jobs.
Richard Horne, CEO of the National Cyber Security Centre (NCSC), noted that organizations must bolster their defenses against ransomware. He pointed out that there’s a wealth of resources available online, including frameworks like Cyber Essentials, to enhance security. Horne stressed that organizations need more than just backups; they should have clear, tested plans for maintaining operations if an attack happens.
The consultation, running until April 8, 2025, will also consider measures aimed at ransomware victims outside of the targeted payment ban. It’ll provide guidance on how to respond to attacks while requiring victims to inform authorities if they plan to pay a ransom. Additionally, the government is eyeing the power to block payments under certain conditions, like payments to sanctioned entities.
Another aspect on the table is a mandatory ransomware reporting regime, part of the upcoming Cyber Security and Resilience Bill. This plan aims to pull ransomware operations into the light, allowing agencies like the National Crime Agency (NCA) and NCSC to better understand the ransomware threat and focus their efforts effectively.
Paul Foster from the NCA’s National Cyber Crime Unit welcomed this consultation. He highlighted that ransomware is the biggest cyber crime threat to the UK and that reported attacks doubled in 2023 compared to the previous year. Quick reporting from victims is crucial for gaining the support and guidance they need.
However, opinions vary regarding the government’s plans. Jamie MacColl, a ransomware expert from RUSI, expressed mixed feelings. He sees sense in mandating ransomware reporting for improving law enforcement responses. But he doubts that banning payments for certain sectors will effectively deter attacks, as ransomware operators tend to target opportunistically.
MacColl is wary of the government’s proposal to manage individual ransom payments. If the government turns down requests, it raises questions about how they’ll support victims in financial distress from operational downtime. Still, he acknowledges that if these proposals become law, they would mark a significant move by any government in addressing ransomware, especially given the UK’s lackluster approach over the last decade.