  • 14 May 2025
  • 9 min read

UK Gov plans to ban ransomware payments: everything you need to know

As the UK government consults on a potential ban on ransomware payments, we detail which organisations need to take notice, how and why.

At the start of the year (14th January 2025), the Home Office opened a public consultation on proposals seeking to address the growing threat and impact of ransomware in the UK.


With recent high-profile ransomware attacks in the UK retail sector exposing how vulnerable organisations are, it is increasingly apparent that security awareness and training are sorely lacking, both at organisational level and among employees. This is driving ever more cyber criminals to pursue these financially lucrative ransom attacks. A ban on ransomware payments in Critical National Infrastructure will push these criminals to focus their efforts elsewhere, where ransoms can still be demanded, thus shifting the ransomware threat towards the commercial sector.

These latest proposals follow a global crackdown in 2023 after a coalition of 40 nations signed an agreement designed to stop digital extortionists.

Before we dive into the proposals listed in the consultation further, it is important to understand what the UK government considers as ransomware, why this consultation is taking place and the current risk level of ransomware attacks in the UK.

Why This Matters and Who Needs to Pay Attention

The UK Government’s latest ransomware proposals target public sector bodies and Critical National Infrastructure (CNI) organisations. If you work in healthcare, energy, transport, finance, emergency services, or in any organisation essential to national security or public welfare, this proposal could drastically change how you prepare for and respond to ransomware incidents.

The measures could also impact business leaders, cyber security professionals, IT teams, and legal advisors, particularly those supporting infrastructure, regulatory compliance, or cyber resilience.

The Home Office’s definition of ransomware

The Home Office defines ransomware as: "A type of malicious software ("malware") that infects a victim's computer system(s). It can prevent the victim from accessing system(s) or data, impair the use of system(s) or data and/or facilitate theft of data held on the victim's networked systems or devices. A ransom is demanded (normally payment of cryptocurrency) from the victim to regain access to the system(s); for data to be restored; or for data not to be published on criminal-operated data leak websites."

Is ransomware a problem in the UK?


Ransomware has evolved from isolated digital extortion into a coordinated, international cybercrime operation. The UK is not immune, far from it:

  • The NCSC's 2024 Annual Review recorded 430 significant cyber incidents, up from 371 in 2023.
  • Of these, 13 were “nationally significant” ransomware attacks, posing a direct threat to essential public services and the broader economy.
  • Generative AI is now amplifying the threat by enabling even amateur criminals to create sophisticated attacks.
  • The 2025 UK Cyber Security Breaches Survey found that 43% of businesses and 30% of charities reported experiencing some form of cyber breach or attack in the past year.

According to Bloomberg, the attack on Synnovis in June 2024, which led to months of NHS disruption, resulted in harm to dozens of patients. The UK government wants to avoid situations like this in the future.

In December 2024, Richard Horne, head of the UK’s National Cyber Security Centre, said that hostile activity had “increased in frequency, sophistication, and intensity.”

The National Cyber Security Centre (NCSC) published a ransomware white paper in 2023 where it identified ransomware as the most significant and organised cyber-crime threat facing the UK.

The UK National Crime Agency also identified ransomware as the greatest cybercrime threat to the UK, particularly highlighting the threat to Critical National Infrastructure (CNI).

The Home Office also says: "In 2023, incidents of ransomware attacks reported to the Information Commissioner's Office reached their highest level since 2019, and private sector reporting to the National Crime Agency indicates that the number of UK victims appearing on ransomware data leak sites has doubled since 2022".

According to the NCSC’s Annual Review 2024, the agency handled 430 incidents in the 2024 reporting year compared to 371 in 2023. Of these, 13 were “nationally significant” ransomware incidents threatening essential services or the wider economy. Morgan Lewis notes that the cost of ransomware attacks has been increasing by nearly 20% year-on-year.

Also, according to GOV.UK’s 2025 survey, “over four in 10 businesses (43%) and three in 10 charities (30%) reported having experienced any kind of cyber security breach or attack in the last 12 months.”

Furthermore, the NCSC also states that the pervasion of generative AI has been found to increase the risk of ransomware by providing “capability uplift” to attackers. This means that even amateur attackers can use generative AI to craft powerful social engineering materials and ransomware code, lowering the skill level required to launch a ransomware attack.

So, What Exactly Is the Government Proposing?

In its January 2025 consultation, the Home Office put forward three major proposals aimed at curbing ransomware’s grip on UK organisations:

1. Ban on Ransom Payments by Public Sector and CNI

The proposed ban would legally prevent public sector bodies and CNI organisations from making ransom payments under any circumstances. This measure targets criminal profitability, aiming to “cut off the financial pipeline” fuelling global ransomware networks.

Scope caveat: The full legal definitions and boundaries of which organisations fall within this proposal are still under consultation. For example, not all organisations in the 14 CNI sectors (e.g., food or space industries) are automatically included. Only those whose disruption could cause a major detrimental impact on national security or essential services will be in scope.

2. Ransomware Payment Prevention Regime

While details are limited at this stage, this regime would establish a structured framework of rules, controls, and guidance to prevent ransomware payments. This could include:

  • Internal policy requirements
  • Insurance limitations
  • Legal penalties for non-compliance

The goal is to create systemic deterrents within high-risk organisations—reducing both the likelihood and ability to pay a ransom.

3. Mandatory 72-Hour Reporting for Ransomware Attacks

Organisations in scope would be legally required to report ransomware incidents within 72 hours of discovery. This echoes global cyber standards like GDPR and aims to:

  • Improve situational awareness for the National Crime Agency (NCA) and NCSC
  • Help identify patterns, actors, and vulnerabilities
  • Build better collective intelligence on ransomware payment flows and organised criminal groups (OCGs)

Security minister Dan Jarvis said in a press release: “These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.” Jarvis continues: “With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this government’s Plan for Change is built.”

What Is the “Plan for Change”?

Although details are sparse, the "Plan for Change" is part of the UK’s wider strategy to modernise its cyber defences and digital resilience capabilities across national infrastructure. It aligns with:

  • The National Cyber Strategy
  • Ongoing CNI resilience upgrades
  • Increased funding for the NCSC and Joint Cyber Units

This ban is intended as a deterrent and disruptor, not a standalone solution. It forms part of a broader effort to push organisations toward better prevention, detection, and recovery.

What is the point of the new law?

The proposal intends to:

  • Reduce the amount of money flowing to ransomware criminals from the UK (thereby deterring criminals from attacking UK organisations).
  • Increase the ability of operational agencies to disrupt and investigate ransomware actors by improving their intelligence on the ransomware payment landscape.
  • Enhance the UK Government's understanding of the threats in this area to inform future interventions, including through cooperation at an international level.

The proposal also retains the possibility of imposing criminal and/or civil penalties for non-compliance. This is likely to meet resistance: because ransomware attackers are usually very difficult to identify and apprehend, it could result in a scenario where the only party involved in a ransomware attack that faces sanctions is the victim.

Critical National Infrastructure: Who’s In and Who’s Out?

The UK Government defines CNI as sectors where service loss would have significant security, economic, or public health consequences. The 14 sectors include:

  • Energy
  • Water
  • Transport
  • Health
  • Emergency Services
  • Finance
  • Defence
  • Civil Nuclear
  • Communications
  • Space
  • Food
  • Chemicals
  • Data Centres
  • Government

Not all organisations within these sectors will be affected. For example, not every food distributor or health clinic qualifies. Only those designated by the Government as critical based on service dependencies and risk profiles will fall under the ban.

Unintended consequences of the new ransomware proposal

  • The Home Office acknowledges the potential for the legislation to disproportionately impact smaller businesses “which cannot afford specialist ransomware insurance or clean up specialists.” These SMBs will have less employee capacity during an attack to engage with the government and meet reporting deadlines. As a result, they may feel that the only option to retain their business is to pay to decrypt data.
  • The legislation also does not consider attackers who are motivated by factors other than money. In geopolitically motivated or nation-state attacks, for instance, ransomware is used as a tool to cripple CNI, not to extract money. In these cases, banning ransomware payments would do nothing to stem the attacks, since the attackers are motivated purely by data theft and disruption rather than financial gain.
  • There is also a concern that publicly disclosing a ransomware attack can cause reputational damage, which may lead some organisations to cover up incidents, thus rendering the ban ineffective.
  • Furthermore, if critical service and infrastructure organisations like healthcare providers experience a ransomware attack and cannot get their systems back up and running quickly by paying a ransom, lives could be put in significant danger or even lost.

What Support Will Be Offered to Affected Organisations?

The Government has not yet outlined specific support measures for organisations unable to recover without paying a ransom. Stakeholders have called for:

  • State-sponsored decryption support
  • Emergency recovery funds
  • Incident response coordination centres
  • Affordable insurance alternatives

The final policy may evolve following consultation.

What Should Organisations Do Now?

Whether or not the ban proceeds as planned, this is a wake-up call for UK organisations—especially those in the public sector or critical services. Here’s what you should be doing:

  • Review your incident response plan: Only 22% of UK businesses and 19% of charities currently have one.
  • Audit your cyber risk posture: Identify weak points across endpoints, cloud, third parties, and employee behaviour.
  • Engage with the consultation: Make your voice heard before legislation is finalised.
  • Plan for a “no-payment” world: Assume ransom payments won’t be possible—and prepare accordingly.

CNI organisations must take this new proposal seriously

If the UK Government proceeds with its proposed ransomware payment ban, it would be a stark change from its previously more hands-off approach to cyber risk. Public sector bodies and CNI operators will need to be proactive in reassessing their cyber security strategies and even more proactive in identifying and plugging gaps in their security posture, employee awareness levels and incident response plans. According to the government’s own figures, just 22% of UK businesses and 19% of charities have a formal incident response plan. This proposal will compel organisations to bolster their cyber defences with new approaches.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.