On 14 January 2025, the UK government launched a public consultation on proposed legislative measures to combat the ever-increasing threat of ransomware. With these proposals, the UK government is seeking to step up its efforts to understand, deter and prosecute ransomware attacks by gathering more information from victims and undermining the ransomware business model.
The new framework would ban ransom payments in the public sector and for certain critical infrastructure providers, and more broadly would require all companies to report ransomware attacks, including whether they plan to pay the ransom. The government is seeking views on these proposals, including the introduction of criminal sanctions, and whether the regime should cover all UK individuals and organisations, or be limited by size of the organisation and/or ransom. The public consultation is open until 8 April 2025.
The Three Proposals
- Ban on Ransomware Payments for the Public Sector and CNI
  - Proposal: All organisations in the UK public sector – including local government, as well as owners and operators of critical national infrastructure (“CNI”) that are regulated, or that have competent authorities – would be prohibited from making payments to cyber criminals in response to ransomware incidents. The proposal expands the current principle that government departments cannot make ransomware payments.
  - Goal: The public sector has been increasingly targeted by bad actors, resulting in serious harm to the UK public. The proposal aims to disincentivise cyber criminals – who will not receive a payout from their targets – from targeting essential agencies and infrastructure, thereby protecting the UK’s public services and CNI from the disruption caused by ransomware attacks.
  - Consultation: The government is seeking views on (a) whether additional businesses, including essential suppliers to these sectors, should also be in scope; and (b) effective and proportionate measures to encourage compliance with the proposed ban, including criminal and civil penalties.
- Ransomware Payment Prevention Regime
  - Proposal: All companies and individuals not covered by the ban would have to, prior to making a payment in response to a ransomware attack, report their intention to make a payment to the government. Following notification, the government would review the payment proposal and open up a dialogue with the reporting company on next steps, including exploring alternative options. The government could ultimately block any payment.
  - Goal: The intention behind this proposal is to:
    - increase the intelligence available to support operational activity, major investigations, and the government’s understanding of the ransomware payment landscape;
    - influence the behaviour and experience of victims of ransomware through the provision of advice and guidance; and
    - prevent payments that would breach sanctions or terrorism finance legislation.
  - Consultation: The government is seeking views on (a) measures for encouraging compliance with the regime, such as whether to impose criminal and/or civil penalties for non-compliance; and (b) whether the regime and any accompanying compliance measures should be subject to a threshold determined by the size of the organisation and/or the amount of the ransom demanded.
- Ransomware Incident Reporting Regime
  - Proposal: Companies and individuals would be required to report a ransomware attack to the government, regardless of their intention to pay the ransom. The government intends to harmonise the new ransomware regime with the NIS Regulations and the upcoming Cyber Security and Resilience Bill, to ensure that UK victims will only have to report an individual ransomware incident once.
  - Goal: To assist the government’s understanding of the scale, type and source of the ransomware threats that individuals and organisations in the UK face.
  - Consultation: The government is seeking views on whether the mandatory reporting requirement should only apply to organisations and individuals that meet a certain threshold. If the regime is introduced with a threshold, the government would continue to encourage all victims of a ransomware incident to report through the same mechanism.
Conclusion
Whilst there are clear aims behind this proposal to disincentivise cyber criminals, these reporting obligations will introduce another layer of complexity and accountability during the early stages of a ransomware attack. If the proposals are implemented in their most extreme form, many UK businesses and individuals will be effectively stopped from making ransomware payments, and will face additional reporting obligations. The government is, however, open to input, including on scope and sanctions. Any businesses that wish to submit comments on the proposals should do so here by 8 April 2025.
At Goodwin, we have a dedicated team of data, privacy and cybersecurity experts to help clients navigate their legal obligations following a ransomware attack, whether in the UK, the EU or globally.
The post UK Ransomware Consultation: Government Moves to Rein in Attacks appeared first on Data, Privacy & Cybersecurity Insights.