According to Cointelegraph, the UK government has initiated a consultation to consider a nationwide ban on ransomware payments by operators of critical national infrastructure. This proposal, announced on January 14, aims to extend the existing ban on government departments to include public sector bodies and essential services such as energy, health services, and local councils. The move is part of a broader effort to protect national security by cutting off financial resources to cybercriminals.
UK Security Minister Dan Jarvis emphasized the importance of these measures in safeguarding national security and economic prosperity. He stated that the proposals are designed to address the scale of the ransomware threat by disrupting the financial networks that cybercriminals depend on. The Home Office outlined that the proposals aim to make essential services less attractive targets for cybercriminals by implementing a ransomware payment prevention regime. This would involve providing victims with advice and guidance, as well as blocking payments to known criminal groups and sanctioned entities.
Additionally, the proposals include a mandatory reporting regime for ransomware incidents to assist UK law enforcement agencies in targeting frequent offenders. The consultation period is set to run until April 8. The Home Office highlighted the severe impact of recent cyberattacks on key infrastructure, such as the January 2023 attack on Royal Mail, which halted international shipping, and the August 2022 attack on health service software provider Advanced Computer Software Group, which exposed the personal data of nearly 83,000 individuals.
The National Cyber Security Centre (NCSC) reported managing 430 cyber incidents in the year ending August 2024, including 13 significant incidents that posed serious threats to essential services or the economy. The NCSC's 2024 Annual Review identified ransomware attacks as the most immediate and disruptive threat. Notable incidents included a June 2024 attack on pathology laboratory Synnovis, which delayed medical procedures, and an October 28 attack on the British Library's online systems.
The UK is not alone in considering such measures. In 2023, Australia debated the legality of ransomware payments following a cyberattack on consumer lender Latitude Financial. The United States was also exploring similar bans around the same time. These international considerations reflect a growing recognition of the need to combat the financial incentives driving ransomware attacks.