By Patrick Hill & Hans Allnutt


Published 19 February 2025

Overview

Ransomware is arguably the most significant threat to businesses across the globe. However, this threat is not limited to business. In the NCSC Annual Review 2024, ransomware attacks were identified as "the most immediate and disruptive threat to [the UK's] critical national infrastructure" [1], the vital elements supporting how the country and economy function.

In light of this continuing threat, governments are being forced to consider the steps they can take to effect lasting change on the ransomware threat landscape. To that end, the UK Government has launched a consultation titled: “Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting" ("the consultation").

The consultation sets out three key proposals which, if introduced, would fundamentally reshape the UK's approach to ransomware:

  • A targeted ban on ransomware payments for all public sector bodies, including local government, and owner-operators of critical national infrastructure
  • A ransomware payment prevention regime
  • A ransomware incident reporting regime

What do these measures entail, and how do they compare to steps being taken in similar jurisdictions?


Changing the threat landscape

An estimated $800 billion [2] was pocketed by cyber criminals in 2024 in reported ransomware payments alone, with the actual costs to businesses significantly higher. These figures represent a 35% decrease in reported payments compared to the analysis for the same period. However, this is not a sign of a reduced threat from ransomware.

Despite evolutions in law enforcement tactics, which have generated successes such as the LockBit takedown in 2024, the consultation stresses that the combined challenges posed by ransomware, such as the anonymity of actors and the traceability of funds, mean that significant reductions in ransomware cannot be achieved by law enforcement alone.

In light of the continuing risk posed by similar attacks, the consultation sets out that the proposals aim to accomplish three key objectives:

  1. To reduce the financial incentives involved in ransomware, thus diminishing the attractiveness of UK targets and hardening the UK public sector.
  2. To increase the ability of operational agencies to investigate ransomware actors by improving intelligence around the ransomware payment landscape.
  3. To enhance the government’s understanding of threats in this area to inform future interventions, including international cooperation.


Key Proposals

In order to achieve these key objectives, the consultation outlines three key proposals:

  1. A targeted ban on ransomware payments for public sector bodies and Critical National Infrastructure (CNI) owners and operators.
  2. Implementation of a ransomware payment prevention regime.
  3. Institution of a mandatory reporting regime for ransomware incidents.


Targeted Ban on Ransomware Payments

This proposal would prohibit all public sector bodies, including local government, and all CNI owners and operators from making ransom payments to threat actors. If implemented, this will widen the current self-imposed ban on central government departments paying ransoms.

The consultation also seeks views on whether essential suppliers should be included within the scope of the ban but stops short of making a recommendation to that effect. There remain questions of whether the proposed ban could redirect attacks to downstream suppliers, and how far a ban should extend.

However, the clear intention of the ban is to deter cybercriminals from targeting UK-based entities within scope of the prohibition; by focusing on the financial incentives that drive these attacks, this should disrupt the ransomware operating model. This focus rests on the assumption that ransomware attacks are primarily financially motivated, and not motivated by other factors such as espionage, political disruption, or pure opportunism.

The efficacy of the proposed ban may lie in the proposed enforcement measures. The consultation document reiterates the Home Office's commitment to strike the right balance of "effective and proportionate measures to encourage compliance". Pending the outcome of the consultation, potential consequences may range from civil penalties (fines and a ban on serving as a board member) to making it a criminal offence to pay a ransom.


New Ransomware Payment Prevention Regime

The second proposal is the introduction of a payment prevention regime which will require victims to engage with the authorities and report their intention to make a ransomware payment before paying money to criminals. Perhaps obviously, this new regime will apply to organisations not in scope of the targeted ban above.

Prior to allowing a payment, the authorities will provide guidance on possible non-payment resolution. However, the consultation acknowledges that some businesses may genuinely feel the need to pay in order to protect their business or prevent the release of stolen data.

As part of the proposed process, the authorities will review the proposed payment, with the possibility of blocking the payment in certain circumstances. The consultation document does not provide any further detail on the decision-making framework for blocking payments, but suggests that a payment will be blocked where there are concerns that it would be made to sanctioned persons or entities, or that it would be made in violation of terrorism financing laws.

The consultation also seeks views on the best approach for encouraging compliance with the regime, including additional support and collaboration with bodies such as the ICO and NCSC. The response to a ransomware attack is often time critical. Many organisations have policies and procedures in place to deal with such attacks, and additional reporting and engagement with authorities could impede the victim's speed of response, causing loss of data and serious disruption.

Delays in dealing with ransomware attacks may disproportionately affect SMEs and individuals less able to withstand prolonged business disruption. Therefore, it is not surprising that the consultation seeks views on whether the regime should apply to all potential victims, including small businesses, charities and members of the public. A threshold requirement is also discussed as a possibility.

The consultation also considers the possibility of criminal or civil penalties for non-compliance, in particular where payment has been made after the victim has been told it should be blocked.


Mandatory Reporting Regime for Ransomware Incidents

The final proposal would establish a mandatory reporting framework for ransomware attacks, irrespective of whether the victim has an intention to pay. The victim organisation will be asked to provide, within 72 hours, background to the incident, whether a ransom demand has been received and whether the ransomware group is identifiable, and to follow up with a full report containing additional details within a 28 day timeframe.

This framework would allow authorities to provide improved support to victims and strengthen the overall resilience and prevention of ransomware attacks.

From a prevention perspective, it is expected that the information obtained from the reporting framework will equip agencies with the intelligence and evidence needed to disrupt ransomware gangs, conduct investigations and impose sanctions.

These proposals are consistent with recommendations from the Joint Committee on the National Security Strategy report on ransomware. The Joint Committee recommended the urgent introduction of a central reporting mechanism, suggesting a longer 3 month reporting period with a number of requirements, including technical data and details of the systems compromised.

The Home Office acknowledges the additional reporting obligations to which organisations may be subject, including the reporting obligation under the Payment Prevention Regime (Proposal 2), and will look to deconflict reporting regimes. The Government also promises alignment between the proposed regime and any measures introduced in the upcoming Cyber Security and Resilience Bill.

To address potential disproportionate impact on SMEs, the Home Office is considering the possibility of applying thresholds based on the organisation's annual turnover and/or number of employees. The consultation notes it will consider any best practice available from other countries, particularly in considering the scope and/or financial threshold for any mandatory reporting regime, similar to the measures recently introduced in Australia discussed below. If a threshold was to be introduced, then those falling below would still be actively encouraged to report the incident through the reporting mechanism.


Ransomware measures in other countries

Launching the consultation, the UK's Security Minister, Dan Jarvis MP, declared the proposals to be 'world-leading', and it is important to consider the UK proposals in the context of measures in place, or being considered, in other jurisdictions.

The targeted ban proposed is harmonious with the 2023 statement from the International Counter Ransomware Initiative ("CRI"), a group of countries including the UK and US. The statement confirmed a self-imposed prohibition from signatories that the "relevant institutions under [the respective] authority of [the signatories] national government should not pay ransomware extortion demands."

However, a ban on these payments being enshrined in legislation is currently rare, with formal measures limited to some US states, such as North Carolina and Florida; these measures implemented partial bans prohibiting state agencies from paying ransoms. At the federal level in the US, proposals to ban the payment of ransomware demands were rejected by the former Director of the Cybersecurity and Infrastructure Security Agency under the previous Biden administration. There are no indications of the direction of travel under the new Trump administration.

In April 2024, the Ransomware Task Force for the Institute for Security and Technology, made up of cybersecurity experts, expressed the view that any outright ban would create more harm than good. Furthermore, the group challenged the benefits of even limited bans, such as the government-imposed bans introduced by the CRI statement, as not demonstrating a clear decrease in attacks against those entities. However, the group acknowledged that any approach to limiting ransomware payments would require a multi-year approach involving preparing the ecosystem, deterrence and finally a payment prohibition likely starting with public entities. The proposed approach by the UK corresponds to some of these proposals.

In Australia, the government recently introduced a package of cyber security legislation directed at addressing gaps in regulation, including the introduction of mandatory ransomware reporting requiring certain businesses to report ransom payments. The Cyber Security Act mandates that a 'reporting business entity' must make a report within 72 hours of making a ransomware payment (or becoming aware that a payment has been made). A 'reporting business entity' is a business with turnover exceeding AU$3 million that is not a Commonwealth or state body, meaning these measures are consistent with Australia being a signatory to the CRI statement referred to above.


A cyber re-insurance scheme?

The consultation does not discuss issues around cyber insurance, and this may be the subject of future discussions. The Joint Committee on the National Security Strategy report on ransomware proposed that "the Government should work with the insurance sector to establish a re-insurance scheme for major cyber attacks, akin to Flood Re…" In response, the previous government noted that intervention into insurance markets would not be considered at that time due to the impact on competition. It was suggested that any intervention would be limited to strengthening and growing the commercial cyber insurance market through work such as the release of anonymised cyber breach data.

However, recent commentary from Lockton Reinsurance has raised this question again. At the current time, the UK Government's focus is on this consultation, but future discussions on this issue may occur.


Next steps

What is clear is that the UK proposals are pioneering. Governments worldwide will be closely following this consultation and any further steps by the UK Government in legislating for these (and other) proposals to tackle ransomware. The UK is taking the most proactive measures seen to date, and although success is unlikely to be measurable for several years, any success will likely encourage other CRI partner nations to follow suit.

The consultation closes on 8 April 2024, and we would encourage readers to consider providing their feedback on the consultation, which can be done via the consultation website.

This article has been co-authored by Patrick Hill, Hans Allnutt & Emilia Varbanova.


[1] National Cyber Security Centre, Annual Review 2024, page 16

[2] Chainalysis
