
What The UK’s Ransomware Payment Ban Means For Organisations

The UK government hopes to tackle the rise of ransomware attacks by banning what it claims to be their primary enabler: ransom payments. The proposed ban, described by officials as a “new ransomware payment prevention regime”, would prevent public sector organisations like local authorities and critical national infrastructure (CNI) providers in areas such as energy, water and healthcare from paying ransoms after falling victim to a ransomware attack.

Currently under consultation, these proposals would also compel private companies to inform authorities of their intention to pay hackers in the event of a ransomware attack. And if the perpetrators behind the ransomware attack represent a foreign country or a group on the UK’s sanctions list, the government could step in and stop payments being made. Meanwhile, both public and private sector organisations would need to disclose ransomware incidents to officials, regardless of whether they plan to pay ransoms.

However, reactions to these proposals have been mixed, with some experts arguing that a ransomware payment ban could be a good thing by forcing organisations to take cybersecurity seriously. Some, however, question whether a ban would actually deter cyber criminals from launching cyber attacks and believe that public sector organisations could be put in precarious situations without having the option to pay hackers. Either way, having measures in place to mitigate, contain and recover from ransomware attacks is an absolute must for all organisations.

Forced To Take Cybersecurity Seriously

If the UK Government proceeds with its proposed ransomware payment ban, it would be a significant change in its previously more hands-off approach to cyber risk. Sean Tilley, senior sales director of EMEA at cloud platform 11:11 Systems, describes it as a “significant shift” in government cybersecurity policy that promises to reduce the number of ransomware attacks targeted at public sector organisations by diminishing the financial rewards for hackers.

However, for such a ban to be effective, Tilley says public sector bodies and CNI operators would need to undertake a “proactive reassessment” of their cybersecurity strategies. Without the option of paying hackers to recover stolen or locked data, he explains that organisations would need to implement strong defensive measures and recovery plans. He adds: “This shift underscores the importance of investing in comprehensive cybersecurity frameworks to safeguard critical operations.”

Jake Moore, global cybersecurity advisor at antivirus maker ESET, agrees that a ransomware payment ban would be a big change for affected organisations. He says it would compel organisations to bolster their cyber defences with new approaches that allow them to recover from ransomware attacks without giving in to hackers’ ransom demands.

Like Tilley, Moore says organisations would need to shift their attention to robust cybersecurity measures, backups, and incident response plans under these new rules. But given the rapid rate at which the online threat landscape is evolving, he’s concerned that organisations could still fall victim to malware attacks with ransom demands despite new and improved mitigation efforts. Consequently, he believes that data leaks will “remain a problem”.

The Ban May Fall Flat

While it seems reasonable that banning ransomware payments would discourage hackers from conducting attacks and compel organisations to find other ways to mitigate them, some experts doubt it can work in practice.

Dan Kitchen, CEO of IT managed services provider Razorblue, raises questions about the mandatory reporting element of the proposed ransomware payment ban. In particular, he’s concerned that public disclosure of ransomware attacks and the reputational damage this could cause may result in some organisations covering up incidents. He fears this would render the ban ineffective.

Rather than banning ransomware payments, Kitchen suggests that government-backed initiatives like the Cyber Essentials certification scheme are a more practical approach to tackling ransomware attacks. Kitchen explains that these types of programmes offer organisations the “ideal baseline” for improving their cyber security. However, he encourages firms to go one step further by creating comprehensive incident response plans in collaboration with government and industry peers, which would “enhance the overall national response to cybercrime”.

Crystal Morin, cybersecurity strategist at IT security software company Sysdig, also anticipates huge issues should the government implement its proposed ransomware payment ban. She suggests that if critical service and infrastructure organisations like healthcare providers experience a ransomware attack and cannot get their systems back up and running quickly by paying a ransom, lives could be put at risk.

“In today’s practicalities, the onus should be on the victim organisation to decide on making a ransomware payment,” she says. “Only affected businesses have enough insight to weigh the potential risks and impacts of paying or not paying.”

Morin urges the government to consider contingency plans before banning ransomware payments in the public sector. Namely, public sector organisations would need resources to improve their resilience against cyber breaches and ensure their backup plans are effective.

She believes extra support would also be necessary for critical services and infrastructure providers with a lot to lose by not paying ransoms after experiencing a ransomware attack. Describing this as a “centre of excellence approach,” she says it would ensure organisations are “better prepared” to respond to and recover from ransomware attacks.

She adds: “Overall, bans will only encourage attackers to change tactics, becoming more covert in their operations, requests, and transactions. It’s a lucrative line of work that won’t go away any time soon.”

Mitigating Ransomware Attacks

Even if a UK ransomware payment ban occurs, countless best practices can help organisations mitigate ransomware attacks. Morin recommends that organisations invest in robust threat detection and response measures, regularly back up their data, and segment their cloud environments to contain potential breaches. These steps will “harden their infrastructure and facilitate recovery in the event that they refuse to pay.”

According to Tilley of 11:11 Systems, zero-trust architectures could also help prevent ransomware attacks by ensuring users only have the access privileges needed to do their jobs. But when going down this route, it’s important to assess and change access privileges regularly.

Because ransomware attacks often occur due to human error, such as clicking a malicious link in an email or setting a weak password, it is also important to educate employees on cybersecurity risks. Tilley says cybersecurity awareness programmes should include information on phishing, social engineering, and other common online threats.

In addition to targeting poorly educated users to spread ransomware attacks, hackers may also use outdated software as a point of entry. So, organisations cannot afford to ignore the importance of patch management. According to Tilley, the rise of ransomware attacks means organisations need “a rigorous process for applying security patches and updates to all systems and software promptly”.

Given that the online threat landscape is evolving rapidly, Tilley says organisations must continually improve their incident management processes by conducting “regular drills and post-incident reviews”. He adds: “A well-structured incident response plan enables organisations to swiftly identify, contain, and remediate security incidents, minimising operational disruption.”

But creating such a plan needn’t be difficult. Tilley says professional industry frameworks such as ISO 27001 provide many of the best practices needed for mitigating ransomware and other cyber threats. What’s more, adhering to these best practices will show that an organisation is committed to cybersecurity and help it foster an “ongoing culture of security enhancement”, he adds.

A ransomware payment ban will increase the importance of streamlined incident reporting processes, according to ESET’s Moore. He says organisations should prepare for this inevitability by adopting automated tools for tracking incidents and closely following regulations like GDPR and NIS2. He adds: “Competent compliance audits and clear communication channels also help with more open clarity, which is essential in the understanding of an attack and progressing forward.”

Overall, a ransomware payment ban may seem like a good idea, putting crooks off ransomware attacks as they’ll have nothing to gain from them. But things are far more nuanced. The reality is that, even if ransomware payments are banned, hackers will simply focus their efforts on other attack vectors or target industries that aren’t covered by the blanket ban. Without being able to pay cyber criminals who launch ransomware attacks, public sector and critical national operators could experience severe disruption to their operations, potentially putting lives at risk.

A better approach may be for the government to provide more support and resources for helping organisations deter ransomware attacks, with ransom payments being the last resort but not completely off the table. Whatever the case, ransomware attacks are continuing to grow in scale and sophistication. So, organisations can’t afford to ignore this fact and leave their guard down.
