UK proposes banning hospitals and schools from making ransomware payments
The United Kingdom proposed on Tuesday a major overhaul of how the country responds to ransomware attacks, including by banning public sector bodies from making extortion payments and requiring all victims to report incidents to the government.
Ransomware attacks have risen year-on-year for the past five years, according to the best dataset available, but authorities have warned they are “increasingly concerned” victims are keeping incidents secret, meaning even that data provides only a partial view of the true scale of the problem.
The new mandatory reporting regime aims to bring these attacks “out of the shadows,” the government said, and to provide law enforcement with the intelligence it needs “to warn of emerging ransomware threats, and target their investigations on the most prolific and damaging organised ransomware groups.”
According to the government, the consultation — which allows anyone to make a representation to the government ahead of a law being introduced — wants to establish “whether this [reporting requirement] should be applicable economy-wide or should be threshold based, applying to certain organisations and/or individuals.”
A comparable law in Australia requires organizations with an annual turnover above AU$3 million ($2 million) to report ransomware payments. The threshold is expected to capture the country’s largest businesses, which together account for roughly half of Australia’s total annual turnover.
The success of the reporting regime will depend on law enforcement having an operational reporting platform for cyberattacks. As previously reported by Recorded Future News, last year officials from the City of London Police admitted that the replacement service for Action Fraud, the country’s national reporting platform, was delayed.
The existence of the consultation was first reported by Recorded Future News last May. Officials had then expected it to be launched in June, but their plans were disrupted when then-Prime Minister Rishi Sunak called a snap election, which he subsequently lost.
The consultation period will run until April 8, after which the government will issue a formal response before introducing legislation on the issue. It is not clear whether this legislation will be independent of the government’s pledged Cyber Security and Resilience Bill, which is expected to be introduced to parliament this year.
The ransomware consultation includes a “targeted ban on ransomware payments for all public sector bodies and critical national infrastructure” intended to make “the essential services the country relies on the most unattractive targets for ransomware crime.”
“Driving down cyber crime is central to this government’s missions to reduce crime, deliver growth, and keep the British people safe,” said the new Security Minister Dan Jarvis, adding that the proposals “help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.”
Mandatory reporting is also expected to provide the National Crime Agency with “awareness of live attacks and criminal ransom demands, providing victims with advice and guidance before they decide how to respond,” as well as give the country’s sanctions body the ability to block payments.
According to the government’s announcement, anyone who wants to make a payment would also be required to report this intent to the government, which would make an assessment and have “a power to block any payment (e.g., to a suspected sanctioned entity or state).”
The consultation leaves open whether the regime “could be applicable to all victims (businesses and individuals) or could operate on a threshold basis, with the possibility to exclude individuals.”
The additional insight into payments will be helpful for sanctions authorities. According to information obtained by Recorded Future News last year, the agency responsible for monitoring financial sanctions in Britain has never detected an illicit payment to an entity embargoed under the country’s counter-ransomware regime.
Richard Horne, the head of the NCSC, said the “consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.