In the first half of 2024, ransomware payments hit a new record of $460 million, with the largest single payment, $75 million, made by an undisclosed Fortune 500 company. To protect institutions in the United Kingdom from this rising threat, the country’s Home Office has proposed a new ransomware framework that would ban payments by public agencies and make reporting mandatory.
The Home Office, which oversees security, law and order, proposed new laws that aim to reduce the amount of money cybercriminals make by extorting U.K. businesses through ransomware. The public consultation on the proposed law will end in early April 2025.
The new law seeks to ban ransomware payments by all public sector bodies and operators of critical national infrastructure (CNIs). The Office says this would let the cybercriminals know that “they will make no money from doing so.” The proposal leaves room to expand the scope to include all essential suppliers to the public bodies and CNIs.
A second proposal seeks to cover every other business that doesn’t operate CNIs, mandating that all ransomware attacks are reported to authorities before any payment is made.
“Breaking this payment cycle is essential to disrupting the ransomware business model,” the Office says, adding, “[It] stops these funds moving into the hands of criminals and prevents them from growing and developing their operations.”
Banning payments is a high-risk move. Proponents argue that it disincentivizes attackers from targeting specific firms or sectors, as they don’t stand to make any money.
These proponents include the United States government. Anne Neuberger, who has been President Joe Biden’s national security advisor, is among those pushing for a ban in the country.
“Fundamentally, money drives ransomware, and for an individual entity, it may be that they make a decision to pay, but for the larger problem of ransomware, that is the wrong decision,” she stated.
However, cybersecurity experts warn that in some instances, the criminals pose an existential threat and could bring an institution to its knees—in 2023, for instance, a British logistics firm became insolvent after a ransomware attack, with 730 workers losing their jobs. In such instances, paying the ransom may be the lesser of two evils.
Still, the Home Office believes cutting off the payments is the best response.
“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate,” commented Security Minister Dan Jarvis.
Besides prohibiting payments, the new law seeks to establish an incident-reporting regime allowing the government to assist the victims.
Globally, ransomware remains one of the biggest threats. Experts say that over 4,000 ransomware attacks take place daily, translating to an attack every two seconds. Criminals have favored digital assets for payments, with Tether’s USDT being the most common.