Following a public consultation, on 22 July 2025, the UK government announced proposals to push forward with a partial ban on ransomware payments. The ban would prohibit public sector bodies, including local councils, schools and the NHS, and critical national infrastructure (CNI) operators from paying ransom demands to regain system and data access in the case of a ransomware attack. While as yet unconfirmed, such proposals are likely to cover instances of data theft extortion, a growing trend among cybercriminal groups. Entities not covered by the payment ban would be required to notify the government of their intent to pay a ransom, with the government to provide ‘advice and support’ to victims, while also emphasising that payments to sanctioned groups would be classed as breaking the law. The proposals also set out the development of mandatory reporting requirements regarding ransomware infections.
On the one hand, banning ransom payments is an important step in breaking the chain of criminal financing. The majority of ransomware attacks are financially motivated, with groups compromising victims, deploying ransomware and demanding a ransom in exchange for restored system and data access. Designating large sectors of UK society as ‘no-go’ zones for payments effectively removes the potential for financial gain through targeting these sectors.
In turn, it is a realistic possibility that this ban would disincentivise financially motivated targeting of covered sectors – in this case reducing the threat posed by ransomware to the most critical areas of UK industry and society.
It is also important to consider the intelligence benefits of introducing a reporting requirement mandating victims to report ransomware incidents and provide technical data to authorities. Doing so could improve visibility into various statistics, such as the frequency of ransomware attacks, highly targeted sectors, the most active strains or groups, or the most common initial access vectors. This data can then be used to bolster awareness of ongoing campaigns and provide relevant tactical intelligence, enhancing future legislative processes, coordinating law enforcement activity against malicious actors and bolstering sharing of best practices within the wider community.
Prior evidence also shows that in some cases, paying a ransom demand does not guarantee safe return of data or system access. There have been multiple examples of ransomware groups or individual affiliates receiving a ransom payment and doubling down to ‘re-extort’ the victim, either demanding more money or purporting to re-infect the victim via a different strain or pseudonym. This was the case with Change Healthcare, which suffered two consecutive ransomware attacks via the ALPHV and RansomHub strains in early 2024, believed to have been conducted by the same affiliate. Paying the ransom could also signal to other groups that a victim is willing to pay, potentially encouraging further targeting.
However, there are some potential issues with the proposals as they stand. It could be argued that these proposals are merely formalising what is largely the de facto position of the UK government: that state bodies are not going to pay ransoms. Following this logic, knowledge that a certain target will not pay up should preclude a ransomware infection in the first place. Numerous government and public sector entities in the UK, ranging from local councils to the British Library, have been impacted by ransomware in recent years, suggesting that underlying assumptions that a certain organisation will not pay do not translate into a reduced ransomware threat.
To some extent, ransomware groups are already discriminatory in their targeting, particularly the more established and ‘professional’ operators. Leaked chat logs from the Black Basta ransomware group following the May 2024 affiliate attack on Ascension Health show individual members raising concerns about the impact on patients and the potential for law enforcement involvement following targeting of CNI. These leaks indicate that targeting discretion may be informed less by profit and more by the potential consequences of an incident, for both the victims and the operators themselves. However, it is still the case that despite this discretion, these groups continue to operate and target a wide array of victims, causing considerable damage and disruption outside of government and CNI.
In this sense, a partial payment ban formalising this understanding that CNI is ‘off-limits’ may well disincentivise targeting of these particular sectors but could push ransomware actors to target those not affected by the ban, with these operations potentially just as damaging and costly (and in some cases even more so) as attacks on public sector and CNI entities. For example, the recent Scattered Spider-linked ransomware attacks against UK retailer M&S caused widespread disruption and operational delays, with M&S expecting financial losses of over GBP 300 million. This displacement effect will not see a wholesale reduction in ransomware attacks impacting UK entities but could potentially incentivise attacks against other sectors, which may be less resilient and less prepared for malicious cyber activity.
There is conversely a case to be made that, given the opportunistic nature of much ransomware activity, OCGs, operators or affiliates may simply be unaware of payment ban legislation and will target designated entities regardless. Lacking more concrete definitions, ransomware operators are also unlikely to take stock of whether a potential victim is going to be considered CNI under payment ban terms and will likely push ahead with compromise and follow-on ransomware deployment regardless.
While much ransomware activity is financially motivated, ransomware can also be a political tool: as evidenced by Russia-based groups’ relentless ransomware targeting of Ukrainian entities, state actors or patriotic OCGs can and do exploit ransomware for wider state-aligned objectives. Payment bans will not deter ransomware attacks driven by such motivations.
The proposals further risk leaving victims in limbo, in which they are either prohibited from paying a ransom or risk facing legal repercussions, but are provided with no alternative means to recover from the ransomware attack. Paying a ransom is by no means an ideal option: it finances criminal and malicious activity, encourages further ransomware attacks and leaves the victim at risk of potential legal repercussions, while the ransom itself can cost organisations large sums of money. Furthermore, it is absolutely the case that cutting off the financial pipeline for ransomware operators is an important part of disrupting the wider ecosystem and should be a priority. However, in the short term, banning this option without providing realistic alternatives for recovery risks reducing victims’ ability to effectively recover from ransomware attacks and may prolong disruptions and financial losses.
Some cybercriminal groups are also sanctioned by Western governments; in some instances, this could actually disincentivise victims from disclosing and reporting ransomware incidents, reducing the veracity and efficacy of the ransom payment disclosure and mandatory reporting plans and minimising the subsequent intelligence value of these programmes. Given historical instances, it is also possible ransomware groups could leverage mandatory disclosure laws as additional pressure on victims to pay a ransom demand. There is also a question to be raised as to whether intelligence and law enforcement agencies will be able to effectively process and exploit this increased data without additional resources.
Ultimately, a ban is an attempt to provide a legal solution to what is largely a sociocultural and technical problem. A more holistic solution could take a ‘whole of society’ approach – as called for in the UK’s latest Strategic Defence Review – while providing effective interim measures and support to avoid victims falling through the net.
Such measures to disrupt the ransomware ecosystem could include bolstering general cyber hygiene, awareness and resilience, minimising the ability of ransomware operators to compromise networks in the first place, while also emphasising the utility of robust and up-to-date backups to assist recovery in the event of an infection. Another useful step could be the provision of additional resources and expansion of partnerships with the UK’s international allies to identify and arrest operators, seize and dismantle ransomware infrastructure and provide victims with free decryptors, while continuing to leverage sanctions and other tools against facilitatory intermediaries, such as the cryptocurrency exchanges and mixers often used to launder ransom payments.
Banning ransomware payments is an important first step in breaking the chain of ransomware and cybercriminal financing. Mandatory reporting, robust intelligence collection and the resources to process and action this intelligence are also critical to understanding the size, scale and scope of the ransomware problem, an integral step to devising and enacting future measures to continue addressing the ransomware threat. However, this partial step risks creating a displacement effect, funnelling ransomware towards uncovered areas of society and industry, leaving these entities highly vulnerable.