Tue. Jul 22nd, 2025

UK government to bring in ransomware payment ban


Hospitals and other public health bodies, public sector organisations such as councils and schools, and operators of critical national infrastructure (CNI) will be among those organisations officially forbidden to pay off cyber criminal ransomware gangs under proposals introduced today by the Home Office.

The measures are set to be introduced following a lengthy national debate, and public consultation, on the ransomware threat to the UK.

The Home Office said that roughly 75% of all the various bodies and individuals who responded to the consultation expressed support for a ban.

Cyber extortion costs the country millions of pounds every year, and recent incidents have highlighted the severe operational, financial and life-threatening risks it presents.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said security minister Dan Jarvis.

“That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our plan for change.

“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” said the minister.

At the same time, organisations not in scope of the ban will be required to notify the government through a yet-to-be-described channel if they intend to pay a ransom.

The Home Office said these businesses would then receive advice and support from the relevant authorities.

They will also be told if making a payment will risk breaking the law by funding previously sanctioned cyber criminal gangs.

The government is additionally pressing ahead with mandatory ransomware reporting methods that it hopes will better equip the authorities with the intelligence needed to hunt down ransomware gangs and disrupt them, where possible.

Co-op CEO Shirine Khoury-Haq, who is still dealing with the aftermath of a Scattered Spider ransomware attack on her organisation’s systems, welcomed the government’s focus on the issue.

“We know first-hand the damage and disruption cyber attacks cause to businesses and communities,” she said. “What matters most is learning, building resilience and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”

Attractive targets for cyber crime

Ultimately, the Home Office hopes its ban will target the business model fuelling cyber crime, and make the UK’s public services a less attractive target for ransomware gangs.

These gangs are often motivated to attack critical sectors because they know an organisation like a hospital or a water company cannot risk operational downtime in the same way a business can, and as such is more likely to give in to their demands.

Cyber experts have reservations

Jamie MacColl, a ransomware expert and senior research fellow at the Royal United Services Institute (Rusi) think tank, welcomed the proposals as a sign the government is taking ransomware very seriously, but expressed scepticism that the ban would have the effect of making UK organisations less attractive targets.

“Ransomware, as the NCA and NCSC’s own whitepaper makes clear, is largely an opportunistic crime, and most cyber criminals are not discerning,” said MacColl.

“Ransomware threat actors are unlikely to develop a rigorous understanding of UK legislation or how we designate our critical national infrastructure. Given that, I can’t see most cyber criminals taking a limited UK payment ban into account for their operating models.”

MacColl warned that the ban risked making it harder for CNI operators to recover from ransomware incidents without actually reducing the chances of being victimised to begin with.

NymVPN chief digital officer Rob Jardin said the government’s aims were admirable, but like MacColl, warned that cyber criminal groups won’t take its plans lying down.

“If the best solution to the issue is to just turn around and say to the hackers, ‘We’re not giving in to your demands anymore,’ don’t be surprised if they double down and try to expose more data, and make a business selling it on the dark web,” he said.

“Government efforts from above to mitigate cyber crime is just one step,” said MacColl. “More importantly, both individuals and institutions need to adopt robust self-defence measures to defang hackers at the source.”

By uttu
