UK Government proposes ransomware payment ban for public sector
The UK government has proposed extending its ban on ransomware payments to cover the entire public sector in an attempt to deter cybercriminal attacks and protect taxpayers.
A consultation paper explains that, under the proposal, the existing ban on ransomware payments (which currently applies only to central government departments) would be widened to cover all public sector bodies and operators of critical national infrastructure. This would take in essential services such as education, hospitals (including the NHS), financial institutions and transport.
The proposal has been coupled with more stringent reporting regulations for those not included in the ban.
The Home Office is proposing the introduction of a "payment prevention regime" which would require organisations and individuals not covered by the proposed ban to "engage with the authorities and report their intention to make a ransomware payment" before giving in to the hackers' demands.
The government says that organisations contemplating a payment would be offered support and guidance, including a discussion of "non-payment resolution options" and a check on whether paying the criminals would breach sanctions or terrorism financing legislation.
A weaker third option under consideration would introduce a mandatory reporting regime for ransomware attacks without any ban on payment.
I think most of us would not dispute the benefits of mandatory reporting of ransomware attacks to the authorities. Things get rather more nuanced, however, when it comes to a complete ban on payment.
Don't get me wrong. It's understandable that the UK government would want to do this. After all, it's estimated that US $1 billion was paid to ransomware attackers around the world in 2023. As has often been pointed out, if no one ever paid a ransom, attackers would surely get the message pretty quickly that it wasn't a profitable pursuit.
But we don't live in a perfect world where no one will ever pay a ransom.
It is not a surprise that some organisations do end up paying their extortionists, recognising pragmatically that it may be the least worst of the options available to them.
Ransomware attacks can be devastating for both businesses and individuals. Without a proper recovery plan in place, or in the absence of secure backups, companies risk catastrophic data loss, while individuals could lose irreplaceable files of sentimental value like family photos and videos.
If there were simply no way to unlock its systems and recover its data, what is an organisation supposed to do? Simply shut up shop and close its doors? Make its staff redundant? Harm the other businesses that relied upon its services and products?
I think it can easily be argued that the financial and human cost of a company going bust could be much larger than the ransom demanded by a cybercriminal gang. And that, undoubtedly unpleasant as it is, it may be a better choice to pay the ransom than to not pay it.
For instance, take the impact on healthcare services when they are hit by a determined ransomware attack. Any delays in recovery may put lives at risk. A ban on ransomware payments may have the very best of intentions – but still have serious and costly unintended consequences.
The question of whether it is right or wrong to pay a ransom to cybercriminals has been passionately debated for years, and probably will for many years to come.
I can see both sides.
It's undoubtedly the case that the more companies that pay a ransom, the more likely it is that criminals will launch similar attacks in the future.
But currently the decision whether or not to pay remains in the hands of most companies and individuals in the UK. This means that one day your business might find itself making the difficult but pragmatic decision to pay the criminals if it feels it cannot survive any other way.
I do believe you should inform law enforcement agencies of the incident and work with them to help them investigate who might be behind the attacks, whatever your decision.
Always remember that paying the ransom does not necessarily mean you have fixed the security weaknesses that allowed you to be attacked in the first place, and it guarantees neither a working decryptor nor the deletion of any stolen data. If you don't find out what went wrong and why, and fix it, you could easily fall victim to further ransom demands in the future.
Do what you can to avoid your company finding itself in such a predicament. Strengthen your defences against ransomware, which includes regularly testing that your backups actually restore and that your continuity and recovery plans work in practice.
Make sure to read Exponential-e's step-by-step guide on ransomware remediation.