Ransomware continues to inflict substantial damage each year on businesses, educational institutions, government agencies, and other organizations. After data is encrypted, many victims opt to pay the demanded ransom in hopes of obtaining a decryption key. However, yielding to such extortion not only legitimizes but also incentivizes further criminal activity.
In response, the UK government is currently drafting new legislation that would make it illegal for public sector bodies—including the NHS, local councils, and schools—to pay ransoms to cybercriminals. Under the proposed law, any such payment would constitute a criminal offense and carry significant legal repercussions.
By legally prohibiting public institutions from paying ransoms, the government aims to dramatically reduce the appeal of targeting them in the first place. If hackers know there is no financial gain to be had—even in the event of a successful breach—they may be deterred from attacking these entities altogether. Legal constraints could thus serve as a powerful disincentive for extortion attempts against UK public services.
Outside the public sector, many British companies have also suffered crippling losses due to ransomware attacks. The government now mandates that before any ransom is paid, affected businesses must notify the appropriate authorities. Government bodies will then provide guidance and support, including legal counsel on the risks of ransom payments. For instance, transferring funds to sanctioned individuals—many of whom reside in Russia—may itself constitute a violation of international law.
Whether such mandatory measures will ultimately curb ransomware attacks against UK organizations remains to be seen. There is also the looming risk of retaliatory actions from threat actors, such as exfiltrating sensitive data and using it as leverage. The public release of such confidential or personal information could, in some cases, inflict even greater harm than the encryption itself.