Ransomware: Government launches consultation on range of proposals

The Government has launched a consultation on proposals to reduce payments to cyber criminals and increase the reporting of ransomware attacks.

The consultation document provides a stark account of how common and dangerous ransomware attacks can be, calling them “the greatest of all serious and organised cyber threats”. It explains that for every highly-publicised incident (often involving critical national infrastructure) there are thousands of others involving private sector organisations, which often feel they have no choice but to pay the ransom. However, the natural result of this is that the practice only becomes more prevalent.

Against this background, the Government is proposing a shake-up of the existing legislative and regulatory framework with three objectives in mind: (1) to reduce the amount of money flowing to ransomware criminals from the UK; (2) to increase the ability of operational agencies to disrupt and investigate ransomware criminals; and (3) to enhance the Government’s understanding of the threats in this area to inform future interventions.

Three specific proposals are advanced, as follows:

1. A targeted ban on ransomware payments for all public sector bodies

As things stand, central government departments cannot make ransomware payments. However, under this proposal, that ban would extend to “all organisations in the UK public sector (including local government), and critical national infrastructure owners and operators (in sectors defined by the National Protective Security Authority, subject to regulation/competent authorities)”. The Home Office also seeks views on whether this ban should be extended further still to “essential suppliers” to these sectors, as well as on what measures could be introduced to encourage compliance with the ban.

2. A new ransomware payment prevention regime

The consultation document recognises the pressure that many organisations are under when they are subjected to a ransomware attack, stating that “some businesses may feel that they are genuinely faced with no choice but to pay or see their business fold. Others may feel that the harm that would arise if their stolen data was released into the public domain is greater than the harm of paying the ransom”. However, it points to polling which suggests that nearly 70% of the public believe that it is wrong for a business to pay a ransom because it could then be used by the attackers to fund more criminal activities.

Under this proposal, any organisation (save for those that fall under the first proposal) which is the victim of ransomware would be required to “engage with the authorities and report their intention to make a ransomware payment before paying over any money to the criminals responsible”. After making that report, the organisation would receive support and guidance from the authorities, who would also review the proposed payment to determine whether it should be blocked (for example if it might go to criminals subject to sanctions designations, or was in violation of terrorism finance legislation). It would then fall to the victim to decide whether to proceed with payment.

The consultation again invites views on how to encourage compliance, such as (1) imposing criminal and/or civil penalties, especially where a payment is made after an organisation has been told that the payment is to be blocked, and (2) whether the regime should distinguish between different types of victims, for example by setting a higher threshold according to the size of the organisation or the amount of the ransom demanded.

3. A ransomware incident reporting regime

Finally, the consultation considers the introduction of a ‘ransomware incident reporting regime’ for suspected victims of ransomware. The regime would be mandatory and apply regardless of the victim’s intention to pay, although the proposal does say that the Home Office is exploring whether it should “only impact organisations and individuals meeting a certain threshold”.

The proposed process would require an initial report to be made to the relevant parts of government within 72 hours. The report would set out that an incident has happened and include information such as (a) whether a ransom demand has been received, (b) whether the organisation can recover through existing resilience measures, and (c) whether the ransomware group is yet identifiable. Within 28 days, a full report would be submitted which would include information such as the vector of access and whether resilience measures have been implemented.

The consultation ends on 8 April 2025, and can be read in full here.