New legislative proposals aim to tackle rising ransomware threats


In January 2025, the Government launched an open consultation on ransomware, with the aim of increasing incident reporting and reducing payments to criminals.

Ransomware attacks are increasing. The introduction of ‘ransomware as a service’ (where an organised crime group sells malware to a criminal attacker, enabling them to orchestrate an attack, in return for a cut of the ransom payment) means that barriers to entry are now lower than ever and no longer require advanced technical skills.

Organisations and individuals may decide to pay a ransom to try to retrieve their data and/or critical systems; however, such payment only reinforces the attractiveness of this method of attack for the criminal actors. It’s a catch-22 situation that the Government is now looking to tackle through its three proposals.

The proposals

1. A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure, that are regulated or have competent authorities.

At present (and generally) it is not a criminal offence for an organisation based in England & Wales to pay a ransom, unless (a) the attacker is a sanctioned individual or organisation or (b) you know or suspect the payment is being used to fund terrorism. There may also be separate restrictions if the business operates in a regulated space.

Central government departments are, however, prohibited from making payment and the Government’s proposal would extend this prohibition to all organisations in the UK public sector and CNI owners and operators. The Home Office is also seeking views as to whether essential suppliers to these sectors should also be included.

The general purpose of ransom attacks is to make money for the criminal attackers. They will usually carry out some form of due diligence on their target victim, to assess the level of ransom they can get and the profit they can expect to make, against the probability that the victim will pay. The Government believes that if the criminal attackers know that they will not make money from their victim, because it is prohibited from making payment, it will make that target much less attractive.

2. A new ransomware payment prevention regime to cover all potential ransomware payments from the UK

The payment prevention regime would require any victim of ransomware (not already prohibited from making payment), to engage with authorities and report their intention to make a ransomware payment to the criminal attackers. After the report is made, the victim would receive support and guidance, including on whether the payment needs to be blocked because it would, in fact, be illegal (for example, the criminal attacker is a known sanctioned organisation). If the payment does not need to be blocked, then it would be the victim’s decision as to whether to make payment.

The Government hopes that the information provided through the initial reports and further engagement with the authorities may feed into intelligence used to support operational activity and contribute to major investigations into identifying and prosecuting the criminal attackers.

3. A ransomware incident reporting regime that could include a threshold-based mandatory reporting requirement for suspected victims of ransomware

Currently, there is no general obligation to report a ransomware attack, which prevents law enforcement from having a complete view of the ransomware payment landscape, i.e. who is making payments, who the money is going to, when, why, and how much. The Government believes that better information will lead to better guidance and advice for victims, including more accurate intelligence on the criminal attackers and their methods.

The Government’s proposal would see the production of 2 reports by the victim:

  • An initial report within 72 hours, containing details of (a) whether a ransom demand has been received, (b) whether the organisation can recover using existing resilience measures and (c) whether the ransomware group is identifiable.
  • A full report within 28 days, containing details of (a) how the attacker accessed the victim’s systems, (b) whether resilience measures have been implemented and (c) any further details on the attack.

The Government’s proposal would apply regardless of the victim’s intention to pay the ransom. However, it is exploring whether the mandatory reporting should be economy-wide, or whether it should only impact organisations and individuals meeting a certain threshold.

Our thoughts

Whilst the Government’s proposals look good on paper, it is unclear how the proposed measures will be policed and what budget will be available, in particular to fund the payment prevention regime outlined in proposal 2. Further, ransom demands are usually time sensitive and deliberately sent outside of working hours to pressure victims into making quick decisions without external support. A requirement to engage in a payment prevention regime may see the criminal attackers set even shorter payment deadlines, to try to extract payment before the victim receives a response.

The consultation, found here, closes on 8 April 2025. It will be interesting to see how the industry reacts to the proposals.
How can we help?

Our tech experts at Capital Law are here to support you with all aspects of cybercrime and ransomware. Please get in touch with Carrie Jones in our Commercial Disputes team who will be able to support you.