Ransomware continues to be a fast-growing and hugely damaging form of cyber attack. It is believed to have earned criminal gangs over $1 billion in 2023 and, as we discussed in our recent blog, shows no sign of abating in 2025.

As a result, in January, the UK Government declared ransomware to be “the greatest of all serious and organised cyber crime threats, the largest cyber security threat, and is treated as a risk to the UK’s national security by the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC)”.

The Government simultaneously announced a crackdown on ransomware attacks, including a headline-grabbing proposal to ban all UK public bodies from making ransomware payments. But will the Government’s proposals have any real effect on stalling the growth of ransomware attacks?

Ransomware attacks occur when threat actors gain access to IT systems and then deploy ransomware – software used to lock access to systems, or to facilitate the theft or deletion of data. Data might also be encrypted and rendered inaccessible. These incidents can undermine entire systems, preventing whole organisations from operating, or can be targeted at specific repositories of information. In recent years, attacks of this kind have hit the NHS, The Guardian, and the British Library.

In exchange for restoration of access to the systems and/or data, the attackers demand a ransom, usually to be paid using cryptocurrency.

The challenge is that the more victims pay up, the more profitable the threat actors’ business becomes, and the more likely it is that their attacks will become more widespread.

One of the many challenges with paying a ransom is that this means engaging with the attackers, who are clearly operating criminally. Sector-specific regulators may discourage payments, and insurers may refuse cover where a ransom is paid. Payment can also run the risk of breaching laws on sanctions, as it can be difficult, if not impossible, to verify the identity of the recipient. To add to an organisation’s woes, the Office of Financial Sanctions Implementation (OFSI) has the power to impose a large fine if it uncovers that the ransom was paid (knowingly or not) to a ‘designated’ person. Finally, even where payment is made, there is no guarantee that access will be granted or the data restored, and we are aware of several organisations that have been in that unfortunate position.

It is for these and other reasons that our advice is always not to pay a ransom. This is in line with guidance issued jointly by the UK Information Commissioner and the National Cyber Security Centre, who wrote jointly in 2022 to state that “Law Enforcement does not encourage, endorse nor condone the payment of ransoms.”

However, despite the risks, victims of a ransomware attack very commonly pay up. They often feel under pressure to take any steps available to them to protect stolen data and prevent further harm to the business or data subjects, and hope that making the payment will provide an immediate end to the disruption.

Whether to pay a ransom is an even more difficult assessment for public sector organisations, where the payment will come from public funds, as will the cost of recovery where a ransom is not paid.

In an attempt to put the brakes on the continued growth of ransomware attacks, the Government has launched an open consultation to consider legislation to meet three policy objectives:

  • Reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations.

  • Increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape.

  • Enhance the government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level.

The consultation considers a range of options, aimed particularly at the public sector, for responding to the growing threat. Organisations and individuals are being asked to give their views on the merits of the following:

Option 0: Do nothing.

Option 1: A complete ban on ransomware payments.

Option 2: A targeted ban on ransomware payments for regulated Critical National Infrastructure (CNI) and the public sector.

Option 3: A ransomware payments prevention regime for all ransomware payments.

Option 4: Mandatory reporting of a payment prior to the transaction (sector-specific or economy-wide).

Option 5: A mandatory ransomware incident reporting regime for all sectors.

Option 6: Mandatory reporting of ransomware incidents for specific sectors.

The consultation closes on 8 April, and the UK Government will then consider the responses in order to inform the approach taken in future legislation in this space. The legislation may go as far as an outright ban on ransomware payments for all entities, or may take a more targeted sector approach.

The consultation will also be used to gather evidence to help produce the future advice and guidance which the UK Government will issue for victims of ransomware. This guidance will be useful for organisations in preparing incident response plans and better understanding the threat. In particular, public bodies may be required to take note of the recommendations in any advice which follows the consultation, and to comply with any suggested responses.

In the event of a breach, public sector entities already benefit from a more lenient approach to enforcement by the ICO, which moves away from fines for public bodies other than in the most egregious cases. This approach was initially trialled and has now been adopted by the ICO going forward. There is growing support and resources for these organisations in managing their data protection responsibilities, and this latest consultation reflects this.

It is clear that ransomware presents an ever-growing risk. Organisations can suffer from conflicting advice when in crisis in the midst of an attack, and guidance from the Government which clarifies its position on paying a ransom will be welcomed by many in the industry. However, until the outcome is published, it is difficult to anticipate how helpful any conclusions will be. In any event, the guidance is likely to be binding or highly persuasive only for public sector bodies. It will still be a matter for private entities suffering a cyber attack to determine the appropriateness of paying a ransom.

Burness Paull’s leading cyber security, data protection and group litigation experts have significant experience in managing cyber security risks, including ransomware attacks, and best practices. Our team are on hand to support you on your cyber resilience journey, from implementing protective measures to handling a full-scale incident. Please get in touch with any of our team to discuss your needs.

Written by

Nick Warrillow

Director

Dispute Resolution

nick.warrillow@burnesspaull.com +44 (0)131 473 6115