Assess UK Ransomware Policy

Workshop Report
Jamie MacColl, et al. | 2025.04.02
This workshop report summarises the discussions at a February 2025 workshop on the government’s proposals to reduce the impact of ransomware on the UK.
Introduction
Over the past several years, ransomware attacks have become a persistent national security threat. Attacks against hospitals, schools and businesses of all shapes and sizes have normalised what should be intolerable: organised cybercriminals regularly disrupting and extorting victims, causing misery in the process and undermining the UK economy and society.
Despite some operational success and increased international collaboration against ransomware criminals, significant policy interventions have not been forthcoming. The UK government, like many other national governments, has received criticism for its lack of progress on ransomware. In December 2023, for instance, the parliamentary Joint Committee on the National Security Strategy published a report that argued: “If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security.” Much of this criticism has been directed towards the Home Office, which is the lead department for the government’s counter-ransomware strategy.
After several years of development, the UK government has launched a consultation on a set of legislative proposals that aim to reduce the impact of ransomware on the UK and increase the amount of intelligence available to operational agencies on incidents and payments. The consultation has three main proposals:
- A targeted ban on ransomware payments for regulated critical national infrastructure (CNI) sectors and the public sector.
- A new ransomware payment prevention regime, which would require victims to acquire authorisation from the government before they can proceed with a ransom payment.
- A mandatory ransomware incident reporting regime.
The consultation on these proposals closes in April 2025. If legislated in their current form, the proposals would significantly change the experience of UK ransomware victims and arguably represent the most consequential intervention by any national government on ransomware to date.
On 25 February 2025, RUSI convened a half-day workshop to assess the strengths and weaknesses of the government’s proposals. Thirty-eight participants took part in the workshop. Most were senior stakeholders from industry, including chief information security officers representing CNI sectors, and senior managers and practitioners from law firms, incident response firms, cyber security vendors and cyber insurers. Additional participants were drawn from regulators, civil society, UK government and UK law enforcement.
The half-day workshop was broken into three main sessions. In the first substantive session, a Home Office representative provided a brief overview of the proposals, which was followed by a moderated Q&A.
In the second session, the workshop participants were divided into three breakout groups. Each breakout room had the same task: to assess the proposals in relation to the government’s stated objectives. These are:
- to reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations
- to increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape
- to enhance the government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level.
The final session focused on asking participants to discuss alternatives to the government’s proposals. Workshop participants also reflected on whether their perspectives on the proposals had changed following the breakouts, and if so, how. To facilitate candid discussion, the workshop was held on a non-attributable basis.
Proposal 1: Payment Ban for Public Sector and Regulated CNI Providers
At the heart of the ransomware challenge is the issue of incentives around ransom payments. Ransom payments sustain the ransomware business model. The high profit margins of ransomware have drawn more cybercriminals into the ecosystem and enabled operators to expand their capabilities. Although there is some evidence that the number of victims paying and the revenues generated fell in 2024 – likely due to the impact of law enforcement operations and increased organisational cyber resilience – ransomware remains lucrative for many operators and affiliates.
Over recent years, the question of whether to ban ransomware payments has become one of the thorniest and most contentious in cyber policy. Proponents of a ban argue that because payments perpetuate the criminal business model, banning them will remove the primary motivation for ransomware attacks. To date, policymakers in multiple countries have largely resisted these arguments due to opposition from industry, concerns about “revictimising” victims and uncertainty about the effectiveness of a ban.
The UK government has proposed a partial payment ban for ransomware. The ban would cover all public sector bodies and regulated owners and operators of CNI. The government’s logic for the ban is that removing the ability to monetise ransomware will make the UK public sector and CNI “unattractive propositions for ransomware attacks” and therefore deter criminals from targeting UK organisations. At present, the government has not committed to saying how the ban would be enforced or whether criminal or financial liabilities would be levied against organisations that flout it.
In the workshop, participants were asked to assess the payment ban against the government’s stated aims, whether it was fair to victims, and what possible intended and unintended outcomes it could create. In general, participants were negative about the assumption that the proposed ban would have a significant impact on the volume of ransomware incidents in the UK.
Although some participants agreed that the proposed ban would probably reduce the number of payments that would go to criminals, there was scepticism about whether this would represent a significant blow to the profitability of ransomware, given that UK victims probably represent only a single-digit percentage of global ransomware victims. Even more scepticism was expressed about the government’s assumption that the proposal would ultimately deter attacks against the UK public sector and CNI. This is because most ransomware operators are opportunistic, rather than seeking to target specific victims. A joint National Cyber Security Centre (NCSC) and National Crime Agency (NCA) 2023 white paper on ransomware explicitly assessed that “the majority of the initial accesses to victims are gained opportunistically and are not targeted against a particular organisation or business sector”. One participant argued that even if we assume ransomware operations are targeted, cybercriminals are unlikely to have a rigorous understanding of how the UK defines and regulates CNI. The possibility that the proposal has been developed based on a misguided assumption of how ransomware criminals operate led another workshop attendee to remark that the Home Office “has gone into this with one eye open”.
Some participants argued that the proposal could end up creating more harm than benefit for the UK if essential services experience sustained disruption or businesses are forced to declare bankruptcy because of the cost of business interruption. A particular concern among participants was the possibility that organisations with limited financial and technical resources to improve their cyber resilience – such as schools, local councils or small businesses – could be disproportionately affected by the proposed ban.
One way to mitigate this could be to ensure that more financial and/or technical support is made available for organisations and sectors covered by the proposed ban. Indeed, some participants viewed this as an essential precondition for implementing the ban. However, this would require a significant step change in how the government supports victims of ransomware and other cybercrimes. At present, the UK state provides very limited incident response or financial support for organisations affected by ransomware, even in the public sector. There is currently no suggestion in the consultation documents that the government intends to change its existing approach. Several workshop participants noted that this (and other aspects of the consultation) raised concerns that the proposals have been developed in a silo from other government departments and agencies responsible for cyber resilience.
Additionally, participants were sceptical about the sustainability of a hardline ban. For instance, if a ransomware attack against a public sector or CNI entity presented a serious threat to life should the ransom not be paid, the government would be put in the challenging position of deciding whether or not it should follow (or uphold) its own law. At this stage of the consultation, the government has declined to discuss the possibility of exemptions and thresholds. If a hardline ban is upheld, lives could be put at risk in extremis. If exemptions were created (pre-emptively or reactively), ransomware threat actors could use this as a rationale to insist that public sector and CNI victims can or should pay a demanded ransom.
A final theme of the workshop discussions on the proposed ban centred around compliance and enforceability. While there was a consensus that many organisations would comply with the ban, it was noted that some would seek ways around it. Several participants from incident response vendors and law firms, for instance, argued that some large, privately owned CNI providers would potentially try to divert ransom payments via offices in other jurisdictions or through subsidiaries. Other participants raised questions about effective compliance with the ban for organisations at the other end of the spectrum: SMEs. For instance, ensuring that SMEs in affected sectors are even aware of their obligations under the ban will require the government and regulators to put significant resources into awareness-raising initiatives and campaigns.
Key Takeaways and Recommendations for the Government
Based on the workshop discussions, the following key takeaways and recommendations were identified for the government on the proposed payment ban:
- While there is an ethical case that UK taxpayer money should not be used to fund payments to criminals, there is considerable scepticism among industry stakeholders that the government’s proposal will reduce the impact of ransomware on the UK. The government should consider the argument that the ban will not achieve its objective of deterring ransomware attacks against the UK public sector and CNI. As part of this, the government should encourage ransomware threat intelligence specialists in the NCSC and NCA to provide private feedback on the proposal.
- The government should develop incentives, as well as punishments, to ensure that the ban is fair and that organisations comply with it. This will likely involve expanding the types of financial and technical support available to victims of ransomware in affected sectors. There was a strong sense among workshop participants that a precondition for legislating a ban should be improving support available to affected SMEs and public sector organisations with smaller budgets or limited access to central government funding.
- Finally, if the government is committed to the ban, it should consider how to ensure that multinational companies or companies headquartered in other jurisdictions comply with the ban. Ultimately, this may rest on other countries following the UK’s lead and implementing their own bans. The possibility that some multinationals may circumvent the ban also highlights that its effectiveness may rely on internationalising it.
Proposal 2: The Ransomware Payment Prevention Regime
At present, British ransomware victims who are considering a prospective payment do not need to engage with government or law enforcement entities. Where a payment is ultimately made, neither the victim nor their third-party support needs to report this payment to any relevant public body; however, some do so on a voluntary basis. The Home Office believes that there is scope to engage with – and potentially influence – the ransomware victim journey, by requiring that ransomware victims engage with a suitable government entity when they are considering making a ransomware payment.
To this effect, the government is proposing a ransomware payment prevention regime, which would force UK organisations to engage with a vested authority to request authorisation before they can make a prospective ransomware payment. The vested authority – a proposed new 24/7 unit – would review the case and determine whether authorisation can be granted. During the workshop Q&A, Home Office officials suggested that an initial response would be provided to the victim organisation within a target 72-hour window. Such a payment authorisation regime would be the first of its kind – for ransomware payments – either in the UK or internationally.
During the workshop Q&A, Home Office representatives indicated that the decision to authorise (or not) would be based on sanctions risk (for instance, whether a payment could go to North Korean entities), possibly with the addition of other weighted factors. (At the time of writing, Home Office representatives have not outlined what these additional weighted factors might be.) Once authorisation was granted, the victim organisation would be able to take its authorisation certificate to its chosen ransomware payment intermediary and proceed with the payment. It is important to emphasise that under the proposals as currently worded, a ransomware payment by a UK-based organisation made without explicit authorisation would, in effect, be illegal.
The workshop highlighted that several aspects of the proposal require clarification. For instance, it is not clear whether a victim organisation would have the right to appeal a negative decision. It is also unclear how this law would interface with firms which have a multi-jurisdictional presence and which could, in theory, make a payment from outside the UK without liaising with the authorisation regime in the UK. The Home Office is reportedly aware of these issues and is considering them as part of ongoing internal deliberations.
Workshop participants were forthcoming and forthright in their views about this proposal. Perspectives were shared on: the degree to which the proposed authority could operate effectively; whether it is an appropriate use of resources; and whether there are risks of unintended consequences. On balance, views on the proposal were generally negative.
Concerns were raised about whether the prospective authorisation unit could provide a clear response within a sufficiently rapid timeframe. Participants were worried that the unit could under-deliver on the 72-hour turnaround (for instance, during busy periods). Some participants also noted that, in their view, 72 hours was too slow. This highlights the diverging priorities of victim organisations and government in the event of a ransomware attack. The victim organisation, which may be in the initial phase of a severe crisis not of its own making, will want to quickly develop an assessment of its options for containment and remediation. The payment of a ransom may be one option among others; in extremis, it may be the most expedient, the “least worst” or even the only option available. In contrast, the government’s priority – as an external observer – would be not only to assess the rationale and legality of the proposed payment, but also to impose time delays on the victim’s decision-making, in order to counter a rushed decision to make a ransom payment.
Indeed, participants recognised that if the government’s intention is to throw “grit” into the ransomware response ecosystem and “scare” victims into giving serious thought to whether or not they should pay a ransom, the proposal would partially achieve this. Previous research has highlighted that “taking time” in the aftermath of a ransomware incident can reduce a victim’s propensity to pay a ransom. Participants from the ransomware response ecosystem noted that, in their experience, the added “nudge” of a government, regulatory or law enforcement agency becoming aware of a prospective payment may make some victim organisations less inclined to seriously explore a payment.
Participants also felt that to make the proposal meaningful, the government would need to “stick its neck out” and provide clarity on what constitutes a sufficient sanctions check. At the moment, while there are some commonalities, ransomware sanctions check procedures vary between different firms. Participants suggested that the government could, by publishing clear guidance alongside the formation of the new unit, provide a legal benchmark and counter permissive interpretations of sanctions compliance that may be present among some industry actors. This would be a significant step change in the government’s approach to ransomware sanctions, as the current approach offloads all responsibility onto victims, insurers, payment brokers and financial institutions. At present, while sanctioned entities have almost certainly received payments, no sanctions enforcement has taken place in the UK – or indeed internationally.
However, some participants noted that they were sceptical that the UK government would actually provide clarity or take a position on sanctions checks. In their view, it was much more likely that the government would continue to offload responsibility onto industry. Nonetheless, the unit would presumably need to have access to its own sanctions data, an ability to make a judgement call, and a means of conveying its judgement in a meaningful way to a victim organisation. Participants noted that it was unclear whether government or private sector intelligence (or a combination) would be used to inform the authorisation decision.
Participants raised concerns about the ethics of the proposed law and unit, as the government could, in effect, “play God” and determine whether a business goes bankrupt due to a ransomware breach. While this hypothetical scenario assumes that a ransom payment would both be affordable and resolve the encryption/exfiltration issue, participants emphasised their disquiet that a government body should be able to make such a high-stakes decision about the future viability of a UK organisation that has been the victim of serious organised crime. Participants suggested that this potential risk could be more pronounced for SMEs, which they referenced as the “bread and butter” of the UK economy. A common phrase through the workshop was that where punitive measures are to be applied against victims of serious organised crime, the UK government should offer more “carrot” to accompany the “stick”.
Key Takeaways and Recommendations for the Government
- The workshop suggested that there is probably considerable opposition to the proposed payment authorisation regime in parts of industry involved in ransomware response.
- If the proposed regime does go ahead, the Home Office should provide clarity on a number of aspects of its design and implementation. These include but are not limited to: appeal processes; type and levels of censure for non-compliance; rationale for authorisation and denial; and the role of loopholes, including payment organised outside of the UK. These are important elements that will define the success and failure of the proposed regime and therefore should be subject to additional public consultation at the earliest possible opportunity.
- As with the other proposals, the government will need to dedicate considerable resources to raising awareness among SMEs about their obligations under the payment prevention regime. The government may well be underestimating the amount of resource required to raise awareness among SMEs, given their challenges with cyber security and general capacity for compliance.
- The Home Office may want to give concerted thought as to whether the payment authorisation regime is the most effective means of achieving the government’s goals, and whether, at an estimated £17.3 million per annum, the new unit would present a cost-effective intervention against ransomware.
Proposal 3: A Mandatory Ransomware Incident Reporting Regime
At present, ransomware breach reporting in the UK is patchwork and ad hoc. In essence, multiple UK entities may receive voluntary reports from ransomware victims. Additionally, the voluntary nature of ransomware reporting means that victims may decide not to report their breach. They may also decide that the nature of their breach does not necessitate a report to the Information Commissioner’s Office (ICO), as data subjects may not be impacted. The lack of a single catch-all entity to report to – and issues with synchronising existing reporting – means that it is not possible to map the scale and depth of ransomware incidents in the UK. To design and implement suitable interventions, it is necessary to be able to map the problem with sufficient accuracy. The current lack of reporting on ransomware attacks also hinders the ability of future victims to learn from the experiences of others.
The Home Office is proposing a new mandatory reporting regime for ransomware incidents. Victims of ransomware would have an initial 72-hour window to report an incident after it has been discovered. The victim would then be expected to submit a full report within 28 days. This proposed reporting requirement would be in addition to existing requirements to report a data breach to the ICO and other relevant regulators. As one ex-law enforcement officer noted during the workshop, the UK does not typically have a policy of mandatory reporting of crime – although the UK’s Crime and Policing Bill, introduced to Parliament in February 2025, includes provisions to introduce a new statutory duty for professional child-support stakeholders to report suspected cases of child abuse.
During the workshop Q&A, Home Office representatives noted that they are deliberating as to whether reporting should be threshold-based, and if so, what the threshold would be. The core purpose of the mandatory reporting regime would be to build the national UK situational awareness of ransomware, which, at present, is based on a patchwork of mandatory reporting to the ICO (and other regulators) and voluntary reporting to the NCSC and law enforcement (typically through Action Fraud).
Of the three proposals, the reporting regime was the most warmly received by workshop participants. Participants viewed it as the most cost-effective of the three proposed interventions. There was also a sense that it had the least risk out of the three proposals of causing or exacerbating harm to victims of serious organised crime or of displacement and unintended consequences.
Importantly, there was also a pronounced sentiment in the workshop that mandatory reporting was a necessary precondition before the other proposals could be legislated – that is to say, in the absence of a clearer national picture about the scale and depth of ransomware incidence in the UK, proposals 1 and 2 are premature and are based on imperfect or even faulty impact assessments. Participants described the degree of the “known unknown” of the UK’s ransomware threat intelligence picture as more pronounced compared to other analogue or digital threats.
Participants emphasised that any mandatory reporting regime would need to be “low lift” for the victim organisation and empathetic to its circumstances at a time when it is in crisis and may not have a clear picture as to what has occurred. Participants noted that some organisations may not conduct a forensic investigation of the incident and may not be in a position to provide a detailed report.
As is often the case with discussions about public–private cyber threat intelligence sharing, some participants expressed a view that the channel of information should be two-way or quid pro quo; for instance, a victim organisation could be presented, after its initial report, with information about the type of ransomware which was used in its attack. This information could be used by the victim and its third-party support to inform forensics, remediation and recovery efforts. Research has highlighted that ransomware victims can feel that they report into a “black hole”, with limited or no tangible acknowledgement from the public entity that they report to. There is arguably an opportunity to support the formation of a more tangible feedback loop. To maximise the utility of gathered data, the Home Office – and wider government – should consider how the NCSC and the national, regional and local law enforcement community can be primed to best make use of the data to support victims, inform operational activity and bolster prosecutions.
Additionally, while the “displacement” effect or unintended consequences of a mandatory reporting regime are likely to be more limited than those relating to proposals 1 and 2, there may still be some ripple effects. Participants from the incident response sector emphasised that in “almost all” of their cases, the client would agree to voluntarily report the incident to law enforcement. This may include phone calls with police, site visits and so on. There is, however, a perception across government that ransomware incidents are significantly under-reported. Assuming participants spoke in good faith, it should be noted that their attendance may represent a selection bias: industry stakeholders who are willing to engage in person at an event relating to a government ransomware consultation may be more likely to encourage their clients to voluntarily report.
Nonetheless, the workshop highlighted that there is a potential risk that a mandatory reporting regime would reduce the flow of voluntary reporting, as ransomware victims may look to prioritise their mandatory reports and see this as replacing the voluntary ones. In principle, this may not be an issue; information about the incident would still be reaching central government and could filter through to the relevant regional and local law enforcement entities. However, possible consideration could be given to whether voluntary reporting brings informal benefits (either to the victim organisation, third parties or the government) that could be hindered by the introduction of mandatory reporting.
Additionally, at present, the projected private and public familiarisation costs for the mandatory reporting regime are £970,000 and zero respectively. Depending on where the proposed reporting threshold eventually sits – and especially if smaller SMEs are included – thought should be given as to how this budget can be used most effectively and, if necessary, whether the budget should be increased to amplify reach across the UK economy.
Key Takeaways and Recommendations for the Government
- There was a broad consensus among workshop participants that the UK’s ransomware reporting landscape is, at present, confusing, overlapping, and ineffective at developing a true national threat intelligence picture. If the views of workshop participants are a litmus test of vested stakeholders, a mandatory reporting regime may be regarded as having more support than the other proposals in the consultation.
- The government should consider that increasing data on incidents will not necessarily lead to more law enforcement interventions against ransomware threat actors, unless relevant agencies have more resources. Operationalising more intelligence on ransomware incidents and criminals will probably require a significant change in how cybercrime units are funded, particularly within the NCA.
- The Home Office should continue internal deliberation and provide clarity as soon as possible on the suggested thresholds and definitions for a prospective mandatory ransomware reporting regime. There may also be an opportunity to consider implementation of a twinned reporting mechanism for ransomware payments, where victims are mandated to inform the government if they have made payment. Basic reported information could include the original ransom demand, the ransom paid, the ransom note and the wallet details. This could be a lighter-touch way for the government to gather insights on ransomware payments – and “throw grit” into victim decision-making – without implementing a payment authorisation regime.
- The Home Office would also need to give concerted thought as to how mandatory reporting mechanisms would be harmonised with existing reporting. This includes reporting within the UK (to the ICO and other regulators) and outside the UK. It should also be noted that this deliberation about mandatory reporting takes place against the backdrop of severe criticism of the UK’s main cybercrime reporting entity, Action Fraud, which has been described by the parliamentary Justice Committee as “not fit for purpose”.
Jamie MacColl is a Research Fellow in the Cyber and Tech team at RUSI. His current research focuses on ransomware and other financially motivated cybercrimes, the UK’s national cyber strategy, and the role of private companies in global cyber governance. He is also currently a Senior Research Associate at Virtual Routes, a European think tank, and a Project Fellow at the Research Institute for Sociotechnical Cyber Security.
Gareth Mott is a Research Fellow in the Cyber and Tech team at RUSI. His research interests include governance and cyberspace, the challenges (and promises) of peer-to-peer technologies, developments in the cyber risk landscape and the evolution of cyber security strategies at the micro and macro levels.
Jen Ellis is working to reduce cyber risk for society, partnering with security experts, technology providers and operators, civil society and governments to create greater understanding of cybersecurity challenges and strategies. Jen serves on the UK Cabinet Office’s Government Cyber Advisory Board and various UK government working groups. She is an Associate Fellow of RUSI, Co-Chair of the Ransomware Task Force and Co-Host of the “Distilling Cyber Policy” podcast, and sits on various non-profit boards/advisory boards.