The Ransomware Payment Ban – Will It Work?

By Sam Peters

Despite the recent news that ransomware payments decreased in 2024, ransomware is a trend that isn’t going anywhere. Unfortunately, attackers are merely adapting their techniques to ensure they remain disruptive and lucrative.

According to the National Cyber Security Centre’s (NCSC) Annual Review 2024, ransomware attacks continue to pose the most immediate and disruptive threat to the UK’s critical national infrastructure.

The Government’s 2025 initiative to extend the ransomware payment ban to public sector organisations (councils, schools and the NHS) and critical infrastructure providers, intended to make them unattractive targets for cybercriminals, is a bold but polarising move in tackling cybercrime. Ransomware operators have capitalised on a “pay-and-forget” culture for too long, reaping profits with little consequence.

Cutting off the financial incentives sounds like a decisive blow. But will this ban really deter the attackers?

What is the ransomware payment ban?

The Home Office is currently carrying out a three-month consultation on three proposals:

  • A targeted ban on ransom payments for public sector organisations and critical national infrastructure providers
  • A requirement for private organisations to report payment intentions before proceeding
  • Mandatory incident reporting for all victims, enhancing the intelligence available to UK law enforcement agencies. This will enable law enforcement to identify emerging ransomware threats and focus their investigations on the most active and harmful ransomware groups.

While these measures aim to deter attacks and improve intelligence-sharing, they also present challenges.

A complete, although targeted, ban on ransom payments for public sector organisations is intended to remove cybercriminals’ financial motivation. However, without adequate investment in resilience, these organisations may be unable to recover as quickly as they need to, putting essential services at risk.

Many NHS healthcare providers and local councils are already dealing with outdated infrastructure and cybersecurity staff shortages. If they are expected to withstand ransomware attacks without the option of paying, they must be given the resources, funding, and support to defend themselves and recover effectively.

A payment ban may disrupt criminal operations in the short term. However, it doesn’t address the root of the issue: the attacks will persist, and vulnerable systems remain an open door. Cybercriminals are adaptive. If one revenue stream is blocked, they’ll find other ways to exploit weaknesses, whether through data theft, extortion, or targeting less-regulated entities.

The requirement for private organisations to report payment intentions before proceeding aims to help authorities track ransomware trends. However, this approach risks delaying essential decisions in high-pressure situations. During a ransomware crisis, decisions must often be made in hours, if not minutes. Adding bureaucratic hurdles to these critical moments could exacerbate operational chaos.

Similarly, if an organisation needs urgent access to its systems to maintain critical services, a delay caused by regulatory reporting could increase the damage. There is also the possibility that some businesses may avoid disclosure, undermining the intended benefits of the policy. Also, who foots the bill for the operational chaos if payment is denied?

Mandatory reporting of ransomware incidents is also an important step in building a clearer understanding of the threat landscape. However, fears remain about how organisations will respond. Many may be concerned about regulatory scrutiny or reputational damage, which could lead to underreporting. If this policy is to be effective, the Government must ensure that reporting mechanisms offer practical support rather than retributive consequences.

Resilience is key

Resilience is the key here. Rather than focusing solely on banning payments and implementing regulatory reporting, organisations should prioritise preventing attacks and ensuring they have robust recovery strategies. However, without the proper funding and support, under-resourced organisations won’t just struggle to avoid attacks; they’ll also flounder in recovery.

Adopting a framework or set of guidelines to integrate security into daily operations is therefore key for public sector bodies. Using such tools, they can strengthen their defences by systematically identifying vulnerabilities and reducing the likelihood of falling victim to an attack.

One of the most critical aspects of resilience is business continuity. Organisations need to place a significant focus on incident response planning, ensuring they have a clear and tested strategy for restoring services. This is especially key for public sector organisations that cannot afford extended disruption. By having an established recovery plan, organisations can avoid being forced into the difficult decision of whether to pay a ransom simply to get back online.

Yet many public sector bodies simply lack the staffing, expertise, or funding to adopt these strategies at scale. Without significant investment in cyber resilience, the ban might feel like the Government is tying public sector organisations’ hands behind their backs.

So, if this ban comes into effect, what other options does the Government have to support public sector organisations?

Further initiatives

The Government could assist with developing cyber expertise and supporting these organisations instead of relying on overstretched and underfunded bodies to manage ransomware response on their own. One way to do this is to enhance the UK Cyber Cluster Collaboration (UKC3) initiative. This would increase the support these regional cybersecurity hubs can offer by pooling cybersecurity professionals to assist multiple councils, schools, or NHS trusts, rather than each trying (and failing) to build its own team.

Similarly, the Government could establish a Cyber Civil Defence initiative that engages vetted cybersecurity professionals who volunteer to assist in national or regional cyber emergencies, in the way that voluntary organisations such as St John Ambulance support emergency response. This could be structured as a public-private partnership, tapping into the expertise of private-sector security firms that handle ransomware incidents.

Public sector bodies also often face slow, bureaucratic procurement processes that prevent them from quickly obtaining the necessary cybersecurity tools. The Government could create pre-approved cybersecurity solution frameworks (similar to the G-Cloud procurement model), allowing organisations to deploy vetted security solutions rapidly without red tape.

Ultimately, the Government’s ambition is commendable, but ambition without actionable support risks failure. If this ban is to succeed, it must be paired with tangible investments in cybersecurity for the public sector: grants for modernising infrastructure, workforce training, and robust incident response resources.

Cyber resilience should not be an afterthought or compliance exercise but an integral part of organisations’ operations. Without this, the ban could backfire, punishing victims while leaving attackers largely unscathed.

Peters is the Chief Product Officer of ISMS.online