The UK government has proposed a public sector ban on ransomware payments under new measures aimed at kneecapping ransomware criminals’ ability to make money.

The measures would see all public sector bodies and operators of critical national infrastructure banned from “paying ransom demands to criminals” in the event of a ransomware attack.

According to a government consultation document, the proposed ban aims to reduce threat actors’ revenue streams and disincentivise attacks on UK organisations by “making them financially unattractive targets”.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said Security Minister Dan Jarvis.

“We’re determined to smash the cybercriminal business model and protect the services we all rely on as we deliver our plan for change.”

Following widespread targeting of UK healthcare and schools in recent years, the government emphasised the ban would include such public sector bodies as the National Health Service (NHS), and would further extend to local councils and schools.

UK follows Australia on mandatory reporting

The UK’s new anti-ransom package will also see the development of a ransomware incident reporting regime.

Any victims of ransomware – public or private – would be obliged to make an initial report within 72 hours of the attack, followed by a more in-depth report within 28 days.

Such an approach would “equip law enforcement with essential intelligence” to track perpetrators, disrupt their criminal activities, and, according to the government, allow better support for victims.

Additionally, those not covered by the payment ban would instead be required to notify the government of any “intent to pay a ransom”, with the government expected to provide “advice and support” in kind.

This would also include letting a victim know if they were about to break the law by sending money to a sanctioned ransomware group, such as members of LockBit and other gangs based in Russia.


Ransomware victims would be warned they were breaking the law if they were to make a ransomware payment. Photo: Shutterstock

Similar measures took effect in Australia in late May, mandating that certain critical infrastructure operators and businesses with an annual turnover of $3 million or more report when they pay a ransom.

The Australian government initially forecast an outright ban on ransomware payments following a string of ransomware attacks at the likes of Optus, Medibank and Latitude Financial, though it later opted for a payment reporting scheme following industry feedback.

Will the ban stop attackers?

Reece Corbett-Wilkins, partner and head of first response at dedicated cyber law firm Atmos, said the payment ban wouldn’t prevent criminal actors from targeting the UK government.

“There is a misconception that ransomware attacks are targeted,” he said.

“Our experience shows that most are opportunistic in nature and threat actors aren’t even sure who they attacked until they get in.

“Even if the logic were true, and government and critical infrastructure weren’t attacked as often because there’s no pay day in it for cybercriminals, it won’t stop attacks against third- and fourth-party suppliers, including managed service providers, professional service providers or call centres.”

Indeed, nearly three quarters of consultation respondents showed support for the ban but were less aligned on whether to widen it to supply chain organisations.

A ransomware attack at Synnovis – an agency which manages labs for NHS trusts and GPs in London – was recently deemed a contributing factor to a patient’s death, though 27 per cent of respondents suggested such third-party entities should not be included in a ban.

Some respondents flagged the potential for supply chain businesses to be “too weak” to handle such restrictions, and raised concerns that a ban widened so far could impact the UK’s ability to “effectively respond to the ransomware threat”.

“Personally, I think the Australian Government is leading the way by implementing ‘after the fact’ only reporting and other governments should follow our approach,” said Corbett-Wilkins.

“The UK arguably doesn’t have the same level of response maturity as we do here with the National Office of Cyber Security, and I don’t think they’re ready for ransom bans yet.”

Though unsure of the proposed ban’s efficacy, Corbett-Wilkins gave the UK government credit for a public consultation which “showed a clear desire for [the] bold policy”.

“If a ban forces critical infrastructure providers and government agencies to heavily invest in prevention and response capabilities to effectively deal with ransomware incidents, then that is a great outcome,” he said.

“I’d also be looking at mandating cyber insurance for sectors where a ban is implemented to address the additional recovery costs, especially for the small business sector.

“As for Australia, we are still 5 years away from a meaningful conversation around ransom bans.”