Introduction
In July 2025, the UK government unveiled plans to introduce a targeted ban on ransomware payments by public sector bodies and regulated operators of critical national infrastructure (CNI). This represents a significant shift in the state’s approach to cyber-extortion: instead of mere guidance or internal policy, the state seeks to legislate a prohibition on paying ransoms in certain contexts.
The stated goal is to “smash the cyber criminal business model” by removing one of the incentives for ransomware attacks. In parallel, the proposals include new mandatory incident-reporting obligations and a “payment prevention regime” for those not directly covered by the ban.
These proposals have prompted a lively debate: on one hand, supporters argue this is a bold and necessary move; on the other, sceptics warn of unintended consequences, operational risk, and the difficulty of enforcing such a ban in practice.
In this post I’ll explore:
- The policy background and rationale
- The scope and mechanics of the proposals
- The arguments for and against the ban
- Risks, challenges and potential unintended consequences
- What public bodies should do now to prepare
- Concluding reflections
1. Policy background and rationale
Ransomware as a growing threat
Ransomware attacks, in which attackers encrypt systems or exfiltrate data and demand payment for decryption or suppression, have become among the most pervasive forms of cybercrime globally. They can cause severe disruption, data loss, reputational damage and financial cost.
In the UK, high-profile incidents have hit public institutions and critical services. The 2017 WannaCry epidemic significantly affected NHS trusts. More recently, the British Library suffered a ransomware attack in 2023; although it refused to pay, the incident raised fresh alarm over vulnerabilities in public bodies. In its announcement of the proposals, the government even cited that a ransomware incident was “a factor” in a patient death.
Ransomware also feeds on the fact that many organisations are dependent on their IT systems and data: service outages or data loss can lead to cascading operational failure, making the pressure to pay very real. Attackers know this and often set high ransoms.
Moreover, the payment flows from victims to attackers fund further innovation, recruitment and sophistication in cybercrime. Cutting off or reducing that income stream is therefore seen by many as a long-term strategic lever to weaken the ransomware economy.
From guidance to legal prohibition
Until now, the UK’s approach to ransomware payments in public bodies has largely been one of policy and guidance rather than hard rule. The government already asserts that “government departments should not use taxpayer money to pay ransoms” (i.e. in central government), but that has been a recommendation rather than a universal legal ban.
The new proposals would push much further: making a targeted ban (i.e. legally enforceable) for public sector bodies, local government, and regulated operators of critical national infrastructure. The idea is to set a clear and binding rule: public funds cannot be used to pay ransoms, even in crisis, for those organisations in scope.
By doing so, the government intends to send a firm signal to cyber-criminal groups that particular classes of targets are off limits, at least in terms of ransom payout potential.
The proposals also aim to improve transparency, intelligence, and governmental support by introducing mandatory reporting of ransomware incidents, and a regime by which victims in the private sector must notify their intention to pay before doing so.
In sum, the rationale is twofold:
- Disincentivise attacks by reducing the profitability and success rate of ransomware targeted at public services
- Increase visibility and control for law enforcement and government over response, detection and support
2. Scope and mechanics of the proposals
To evaluate whether these proposals are realistic or prudent, one must look at the details. Amid consultation and ongoing policy development, many details remain to be finalised, but enough has been published to sketch out the likely contours.
Who is covered by the ban?
The proposals envisage a targeted ban applying to:
- Public sector bodies (central and local government, NHS, schools, local councils and other publicly funded bodies)
- Regulated operators of critical national infrastructure (CNI), i.e. those subject to industry regulation or oversight by “competent authorities”
In practice, this would cover organisations running vital public services: energy networks, transport, water, telecoms (if regulated), health services, local government, etc.
It does not necessarily extend immediately to all private sector businesses, although some of the proposals (for example, the payment notification regime) would impose obligations on private entities not covered by the ban.
Consultation feedback shows that about 62% of respondents supported extending the ban to supply chain organisations within CNI or public sector supply chains. But this is an area of contention, because supply chains can be complex and the burden on smaller organisations may be significant.
What counts as a “ransomware payment”?
This is not fully clarified yet, but logically the ban would encompass payments to a threat actor in response to a ransomware demand, i.e. paying to decrypt systems, to have data released, to prevent publication, or to settle a negotiation in the context of extortion.
One critical caveat is that payments to sanctioned entities are already illegal, so part of the regime would require oversight to ensure victims are not inadvertently breaking sanctions law.
Furthermore, even organisations not under the ban would need to notify the government of any intent to pay, giving authorities a chance to intervene or block payments if they violate broader legal or policy constraints.
Enforcement, penalties and compliance support
The consultation outlines several mechanisms for enforcing compliance and encouraging adoption:
- Civil penalties are proposed as a primary enforcement tool for organisations that flout the ban.
- Criminal penalties may also be considered, especially for deliberate non-compliance, though many respondents to consultation urged that penalties be proportionate.
- The government would provide guidance, tailored support and templates to organisations to help them comply.
- A central mechanism would enable organisations to report intent to pay, and authorities would have the power to review or block proposed payments if necessary.
- Organisations are already expected to adopt robust cybersecurity practices, incident response plans, offline backups, and resilience measures. The proposals emphasise that the ban must be accompanied by investment in defence.
Reporting obligations
One of the strongest pillars of the proposal is mandatory reporting of ransomware incidents.
- Organisations outside the ban must inform the government of any intention to pay a ransom, enabling advice or blocking.
- The government also proposes requiring all victims to report ransomware incidents, whether or not they intend to pay, in order to improve threat visibility, intelligence sharing and law enforcement action.
- In consultation feedback, 63% of respondents supported an economy-wide mandatory reporting regime.
The idea is that greater transparency will improve the government and law enforcement’s situational awareness, enabling quicker disruption of criminal actors.
3. Arguments in favour of the ban
Let us consider the arguments supporters put forward for this move.
Undermining criminal incentives
At the heart of the policy is a belief in economic disincentive: if public bodies cannot pay ransoms, attackers will view them as less valuable targets. Over time, the hope is that the volume and success rate of ransomware attacks on public infrastructure will fall.
Ransom payments currently funnel significant funds into cybercrime ecosystems: money that supports new tool development, recruitment and infrastructure (e.g. bulletproof hosting, money laundering). Cutting off those flows may starve parts of the criminal model.
Reducing dependency and moral hazard
If public bodies rely on paying when attacked, that may reduce incentives to invest in robust prevention, detection and recovery. The ban encourages state institutions to build greater resilience: tested backups, segmentation, incident response capability, “going dark” fallback plans, and rapid recovery without needing to negotiate with malicious actors.
Clearer rules, consistency, and deterrence
A law, rather than a guideline, creates certainty. It removes ambiguity about whether a body “can” pay or not: the default becomes non-payment. This clarity may discourage attackers and reduce confusion in crisis moments.
Moreover, consistent refusal by state institutions may yield reputational and strategic deterrent value: attackers know certain targets will not fold under extortion.
Intelligence, oversight, and early intervention
Mandatory reporting and the notification regime allow government and law enforcement to see attacks and payment plans earlier, potentially intervening or coordinating responses rather than being blindsided.
The government could block payments to sanctioned entities, ensure due legal compliance, and potentially gather data to trace funds, track attacker groups, and disrupt infrastructure.
Public interest and accountability
Because public sector bodies are accountable to taxpayers and the public, many argue they should not be in the business of negotiating with criminals or using public funds to reward wrongdoing. A ban asserts that public assets are off-limits to criminals, reinforcing trust that services won’t be held hostage.
4. Arguments against, risks and challenges
While the proposals have significant appeal, there are serious questions and risks. Several technical, operational, legal and policy challenges must be reckoned with.
Risk of permanent loss or service failure
The most fundamental objection is: what happens if a public body is crippled by ransomware and has no viable fallback? Without the option to pay, some data or systems may be irrecoverably lost, emails and services offline for prolonged periods, and core public services degraded.
In life-or-death or time-sensitive services, this could pose real threat to wellbeing. Some consultation respondents argued for exceptions in national security or public safety cases.
Smaller or less well-resourced organisations may lack the capacity to respond effectively without paying. In those cases, the ban may force them into catastrophic outcomes.
Displacement of attacks
There is a danger that attackers will simply shift to other targets: private organisations, non-covered sectors, or supply chain entities not under the ban. Indeed, critics warn that the ban merely pushes the problem elsewhere, rather than eliminating it.
If attackers cannot succeed in the public sector, they may intensify attacks on companies that service or supply those bodies, or on more lightly defended private firms.
Increased complexity, compliance burden, and unintended behaviour
The regime will introduce new administrative burdens: reporting, intent notification, internal controls, audits, etc. Organisations may find themselves torn between responding rapidly and complying with procedural rules.
Some bodies under attack may delay recovery action while awaiting permission or guidance, increasing downtime. Others may attempt to disguise or misclassify incidents to evade reporting or penalties.
There is also a risk that restrictive rules embolden attackers to escalate tactics, for example by publishing stolen data (double extortion), threatening reputational harm, or using other forms of extortion rather than encryption. A ban on payments does not prevent data theft or other extortion vectors.
Enforcement and proportionality
Implementing and policing this regime will be challenging. Distinguishing legitimate payments (e.g. to external recovery services) from ransom payments may be non-trivial. Determining intent and proving it in some circumstances may strain enforcement capacity.
Penalties must be carefully calibrated to avoid punishing victims harshly or creating perverse outcomes. Some consultation respondents warned that overly draconian punishment might discourage full transparency or push victims underground.
Cost and resource implications
Many public sector bodies already struggle with underfunding, legacy IT systems, patch debt, and limited cyber capacity. Expecting them to pivot rapidly into a world where ransom is not an option demands significant investment in backup systems, resilience, resilience testing, incident response, staff training and security operations.
If that investment is not supplied or supported centrally, many local or resource-constrained bodies may struggle to comply without risk of failure.
Legal and cross-border challenges
Criminal groups operate outside UK jurisdiction; enforcing bans on payments across borders may be difficult. Attackers might reroute payments via intermediaries or payment laundering networks.
Additionally, as noted earlier, some payments to attackers violate sanctions or terrorist funding laws; oversight must be robust to avoid criminal liability. The government must reconcile the ban with existing laws on counter-terrorism finance and sanctions.
Also, the line between ransom and negotiation is sometimes blurred (e.g. paying for decryption keys, paying a reduced fee, paying in response to extortion). The legal definitions must be clear.
5. What public bodies should do now
Whether or not the ban becomes law, public sector organisations and CNI operators should treat the proposals seriously and begin preparing. Below are key recommended actions.
5.1. Assume non-payment is a possibility
Strategically, organisations should plan as if ransom payment will not be an available or reliable recovery path. That means building resilience, redundancy and fallback capability.
This mindset shift is analogous to assuming worst-case scenarios in disaster recovery planning: recovery must work even if the attacker’s demands cannot be met.
5.2. Strengthen preventative and detective controls
- Maintain robust, frequent, and isolated backups. Test backups regularly and ensure they are offline or air-gapped.
- Architect systems with segmentation, zero trust, least privilege and minimal exposure to attack surfaces.
- Employ strong detection, logging, anomaly detection, endpoint monitoring, and network visibility.
- Patch and update systems consistently, remove legacy or end-of-life software, and decommission unused infrastructure.
- Invest in training and awareness for staff (phishing, social engineering, privilege abuse).
- Engage in threat intelligence sharing and collaboration with national cyber agencies.
5.3. Develop and rehearse incident response playbooks
If an incident happens, time is critical. Bodies should have well-defined playbooks covering:
- Forensic investigation
- Containment, isolation, crisis governance
- Legal, regulatory and stakeholder communication
- Insurance and third-party response partners
- Data recovery from backups or rebuild
- Internal chains of decision-making (who is empowered to act, when, and how)
It is prudent to rehearse “no-pay” scenario drills (i.e. how to recover without ransom) to ensure that processes work under pressure.
5.4. Understand legal, regulatory and reporting obligations
Public organisations should familiarise themselves with:
- The developing legislation around the ban (track consultations, draft bills)
- Reporting obligations, internal compliance processes, escalation paths
- Sanctions, counter-terrorism finance law (to ensure no inadvertent illegal payments)
- Insurance policy terms (cyber insurance often includes incident response support)
Engaging legal and compliance teams early is essential.
5.5. Engage with central support and advocacy
Many organisations will need support, guidance, and possibly funding to execute the necessary security transformation. Bodies should:
- Participate in government consultations (if still open)
- Request clear, sector-specific guidance, templates, and toolkits
- Advocate for central funding or grants for cyber maturity improvement
- Coordinate with peers in sector (e.g. local government networks, health bodies) to share lessons and best practices
5.6. Review and adapt budgets, insurance and risk posture
Given the increasing stakes, public bodies should:
- Reassess and potentially increase budgets for cybersecurity, backup, resilience and incident response
- Review cyber insurance and whether it covers non-payment or legal exposure from the ban
- Re-evaluate the organisation’s risk appetite and recovery priorities in light of the non-payment constraint
- Ensure contracts with third parties (suppliers, cloud providers, managed service providers) are robust and resilient
6. Concluding reflections
The UK’s proposed ban on ransomware payments in the public sector and regulated critical infrastructure is a bold policy initiative. It seeks to shift the balance in the state’s capacity to resist cyber-extortion and crack down on criminal incentives. If properly executed, it could make public bodies tougher targets, reduce incidence of successful ransomware attacks, and enhance transparency and government oversight.
Yet the challenges are substantial. The risk of crippling downtime, data loss, or service failure in the absence of a fallback payment option cannot be ignored. The policy may push attackers elsewhere, create perverse incentives, and impose heavy compliance and financial burdens on struggling public bodies. Enforcing such a regime across jurisdictions and ensuring proportional, sensible penalties will require finesse.
What is clear is that a ban alone is not enough; it must be accompanied by large-scale investment, clear guidance, capacity building, and oversight. Public bodies must act now to prepare: assuming non-payment is a real possibility, hardening systems, rehearsing response, and clarifying legal and reporting obligations. If they wait for the law to land before strengthening resilience, they may find themselves exposed and unprepared.
From a wider perspective, the UK’s move could influence other countries and set a precedent. If successful, it could shift global norms around ransom payments. But if poorly executed, it might become a cautionary tale of overreach and unintended consequences.
