Public sector organisations are set to be banned from making ransom payments to cyber criminals under new proposed legislation.
Under the measures, public sector bodies, including the NHS – as well as operators of critical national infrastructure (CNI) such as hospitals, schools and councils – would be banned from paying attackers for the return of stolen data.
The aim of this measure is to make public services a less attractive target for criminals. Nearly three-quarters of respondents to a public consultation supported the policy.
The changes also mandate businesses not falling under the umbrella of CNI to inform the government if they intend to pay a ransom.
This would enable the government to provide them with advice and support, and to intervene to stop payments being made to sanctioned cyber crime groups – many of which are based in Russia.
A regime for mandatory reporting is also in development, which would provide law enforcement officers with greater intelligence to disrupt the activities of perpetrators and support victims.
Security Minister Dan Jarvis said: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on.
“That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change.
“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”
Ransomware is malicious software used by cyber-criminals in order to steal or encrypt users’ data and extort money from them.
The government is also urging businesses across the country to bolster their security and have contingency plans in place for ransomware attacks such as offline data backups and protocols for operating without IT services.
Ransomware attacks not only put pressure on the finances of public sector organisations delivering vital services, but have also brought the delivery of those services to a standstill.
The death of a patient at a London Hospital in June was linked to a ransomware attack on Synnovis, an NHS partner organisation that managed labs for the health service.
Patient data was stolen from Synnovis during the attack, which slowed the delivery of care to patients and the administration of other vital services.
A spokesperson for the King’s College Hospital NHS Foundation Trust said that a contributing factor to the patient’s death was “a long wait for a blood test result” as a result of the attack.
Another recent cyber attack took place against the Co-op in April, during which the personal details of all 6.5 million of the organisation’s members were stolen.
The BBC reported that the retailer managed to disconnect its systems from the internet before ransomware could be deployed.
Marks and Spencer and Harrods were also hit by similar attacks in the early months of this year.
Cyber security and other technologies such as AI have been highlighted as areas for development in the government’s 2025 National Security Strategy, which aims to develop the UK’s capabilities in these areas alongside its allies.
