Out-Law News

Laws to disrupt ransomware payments considered in the UK


Businesses that fall victim to so-called ransomware attacks could face a new legal duty to disclose their intention to pay cyber criminals to restore their access to systems and data, under plans outlined by the UK government.

The proposed new “payment prevention regime” would apply to all potential ransomware payments from the UK and forms part of a broader package of potential new ransomware-related legislation the Home Office opened a consultation on, on Tuesday.

Further proposals under consideration include the establishment of a new “economy-wide” ransomware incident reporting regime, as well as prohibiting certain UK organisations from making ransomware payments at all. This “targeted ban” would apply to UK public bodies, owners and operators of critical national infrastructure (CNI) and, potentially, “essential suppliers” to those sectors too. The Home Office is considering whether to underpin the ban with criminal sanctions for non-compliance.

The plans are aimed partly at reducing the amount of money flowing to ransomware criminals from the UK, so as to deter criminals from attacking UK organisations, and partly at increasing the ability of UK agencies to disrupt and investigate those behind ransomware attacks by improving “intelligence around the ransomware payment landscape”, the Home Office said. It added that it is also hopeful of enhancing the government’s own understanding of ransomware threats to “inform future interventions, including through cooperation at international level”.

The Home Office said it wants to “disrupt the ransomware business model and break the cycle of attacks”, citing the fact that ransomware is considered “the greatest of all serious and organised cyber crime threats” in the UK, as well as “the largest cybersecurity threat”, and treated as a risk to the UK’s national security by the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC).

Cyber risk expert Stuart Davey of Pinsent Masons said: “The UK government’s position has, for some time, been to discourage the payment of ransomware attacks, and, as the consultation documents show, ransomware is only increasing as a societal threat. The UK has been a leading country in global initiatives around ransomware, being a co-lead of the Counter Ransomware Initiative, with Singapore.”

“A new Cyber Security and Resilience Bill is expected to be introduced into parliament this year. It was trailed in the King’s Speech last July. Those proposals indicated an intent to ‘mandate increased incident reporting to give government better data on cyber attacks, including where a company has been held to ransom’. It wasn’t clear if this would be limited to only those critical national infrastructure entities subject to existing cyber regulation under the UK’s Network and Information Security (NIS) Regulations. However, it is now clear that the government intends to go broader than that.”

“The Home Office consultation also closely follows other similar developments – most recently, the Australian government passed its Cyber Security Act, which requires private sector entities subject to certain thresholds and those responsible for critical infrastructure assets to report ransomware payments. The UK proposals go further, given that they not only introduce a mandatory incident reporting regime and requirement to engage with authorities, but also introduce a ban on making ransomware payments for all public sector bodies, including local government, and owners and operators of regulated CNI. Even this ‘targeted ban’ could be a very broad change, as the consultation seeks views on whether it should also extend to essential suppliers to those sectors, to reflect the principle that central departmental funds cannot be used for ransom payments,” he said.

Under the proposed payment prevention regime, UK authorities would gain sight of proposed ransomware payments before transactions are completed, giving them the chance to suggest “non-payment resolution options” with victim organisations and even stop the payment from being made “if there is a reason it needs to be blocked”, such as “where it could go to criminals subject to sanctions designations, or in violation of terrorism finance legislation”, the Home Office said.

Subject to the blocking powers, victims of ransomware attacks would retain the discretion to make ransomware payments under the payment prevention regime, save those subject to the proposed “targeted ban”.

On the new ransomware reporting regime that is proposed, the Home Office pledged “proportionality”.

“The intent is to ensure that UK victims are only required to report an individual ransomware incident once, as far as possible, to avoid unnecessary burdens,” it said, adding that it would work with the Department for Science, Innovation and Technology to ensure incident reporting requirements in the upcoming Cyber Security and Resilience Bill are “aligned and complementary” and not duplicative.

The consultation is open until 8 April 2025.
