The Home Office has launched a public consultation (the Consultation) seeking responses to the government’s recent proposals to tackle the issue of ransomware payments in the UK. The proposals are part of wider plans to reform UK cybersecurity rules, and the Consultation will close on 8 April 2025. A copy of the Consultation is available at the link attached.
Ransomware victims
The range of ransomware victims is widening: it extends from individuals using a personal computer at home to SME businesses, major companies and public bodies whose systems and networks are attacked. According to the Consultation, it is estimated that ransomware criminals received more than $1bn from their victims globally in 2023. Beyond the headline businesses whose attacks make the news, a large number of businesses are hit by ransomware without it ever coming to public attention.
The consultation’s proposals
The Consultation sets out three new proposals and takes into account issues such as victim behaviour, the extent of information sharing with UK authorities and whether it is appropriate to make a ransom payment.
Proposal 1: a targeted ban on ransomware payments for UK critical national infrastructure (CNI) and the public sector
Currently, central government departments cannot make ransomware payments. This proposal expands the existing ban so that criminal gangs targeting essential agencies and infrastructure cannot make a financial gain from doing so. It suggests prohibiting all UK public sector organisations (not just central government) and UK critical national infrastructure (CNI) owners and operators from making payments to cyber criminals following a ransomware attack.
Proposal 2: ransomware payment prevention regime
This new regime would require any victim of ransomware not covered by the proposed ban in proposal 1 (any organisation or individual) to engage with the authorities and report their intention to make a ransomware payment before paying any money to the ransomware criminals. Once a report has been made, the victim would receive support and guidance, including a discussion of non-payment resolution options. The authorities would also review the proposed payment to determine whether there is any reason to block it, for example if the payment would be made to criminals subject to sanctions designations or would breach terrorism finance legislation.
Proposal 3: ransomware incident reporting regime
This proposal suggests an incident reporting regime for suspected victims of ransomware. The reporting requirement would apply regardless of whether the victim intends to pay the ransom. The report would be made confidentially to the government, and victims would be required to provide the following:
- An initial report confirming that an incident has occurred, whether a ransom demand has been received, whether the organisation can recover using its existing resilience measures and whether the ransomware group is identifiable at this stage.
- A second, “full report” including details of the access vector, whether resilience measures have been implemented and any further details of the attack.
The victim would need to provide the initial report within 72 hours and the full report within 28 days.
Key takeaways
The government’s proposals and the Consultation follow concerns that the current underreporting of ransomware attacks creates a substantial and avoidable gap in the UK’s intelligence picture.
Any reporting under the new regime would be in addition to other existing reporting requirements, such as those under the Network and Information Systems (NIS) Regulations and, where personal data is involved, reporting to the Information Commissioner’s Office (ICO) in certain circumstances.
Despite some uncertainty as to how the proposals will interact, the Home Office has indicated it will collaborate with the Department for Science, Innovation and Technology to ensure that these proposals and those in the forthcoming Cyber Security and Resilience Bill are complementary. The aim is to prevent duplication and ensure the regimes are straightforward and clear for the organisations affected.