The UK government is moving forward with plans to ban public sector organizations and critical national infrastructure operators from paying ransom demands to cybercriminals. This measure aims to deter cybercriminals by targeting their business model and making essential public services less appealing targets. The proposal has garnered significant support, with almost three-quarters of respondents to a government consultation backing the ban.
The ban will apply to critical services such as the National Health Service (NHS), local councils, and schools, all of which have been targets of ransomware attacks in recent years. Recent high-profile ransomware attacks have highlighted the severe operational, financial, and even life-threatening risks associated with these incidents, costing the UK economy millions of pounds annually. For example, a cyberattack on King's College Hospital NHS Foundation Trust last year was found to be a contributing factor in a patient's death.
In addition to the ban, the government is developing a "payment prevention regime". Businesses not covered by the ban will be required to notify the government of their intention to pay a ransom. This will allow the government to provide advice and support, including informing businesses if their payments could violate laws regarding transfers to sanctioned cybercriminal groups, many of whom are based in Russia.
Furthermore, the government is developing a mandatory reporting system for ransomware incidents. This system aims to provide law enforcement with essential information to track down attackers and support victims. Businesses subject to this regime will be expected to make an initial report of an incident within 72 hours. However, it remains unclear whether these reporting obligations will extend to other forms of cyber incidents, such as phishing, and whether they will apply economy-wide or only to businesses of a certain size or in specific sectors.
These measures are part of a broader effort to enhance the UK's cyber resilience. The Cyber Resilience Bill, expected to enter Parliament this year, will give regulators more extensive enforcement powers and expand the types of organizations within the scope of the legislation, including datacenters and Managed Service Providers (MSPs). Under the proposed law, the government will have the power to order regulated entities to implement specific security improvements. Failure to comply, such as by not applying patches for widely exploited vulnerabilities, could result in daily fines of £100,000 or 10 percent of turnover should a digital breach occur.
While the government's proposals have been welcomed, some questions remain about their effectiveness and scope. For example, it is unclear whether the ban on ransom payments will lead cybercriminals to seek other ways to monetize attacks on public sector and critical infrastructure organizations. There are also concerns about how these organizations will recover from attacks if they cannot pay a ransom and lack technical restoration options. The government has acknowledged the need for clarity on which organizations will be subject to the ban, including whether it will extend to suppliers.
Despite these uncertainties, the UK government is determined to "smash the cyber criminal business model" and protect essential services. By working with industry and implementing these new measures, the UK aims to send a clear signal that it is united in the fight against ransomware.