The Home Office has revealed the proposed details of a new national regime, including the ability to block payments planned by individuals and businesses, and mandatory reporting of successful attacks
The government is planning a raft of new anti-cybercrime measures, including a total ban on all public sector bodies making ransomware payments.
This payment ban – which would expand a current prohibition applied across central government and would also cover non-public organisations that own and operate critical national infrastructure – is one of three key proposals that have this week been put out for public consultation.
That feedback process, led by the Home Office, is seeking input on “whether essential suppliers to these sectors should also be included” in legislation making it illegal to fulfil payment demands.
Consultation documents add: “We are also seeking views on how to achieve the right balance of effective and proportionate measures to encourage compliance with the proposed ban, ranging from criminal penalties (such as making non-compliance with the ban a criminal offence) or civil penalties (such as a monetary penalty or a ban on being a member of a board). The Home Office welcomes views on other measures that could be used to encourage compliance with the ban.”
Also among the proposed actions is a new “ransomware-prevention regime”, in which all other victims not covered by the payment embargo would be legally required “to engage with the authorities and report their intention to make a ransomware payment before paying over any money to the criminals responsible”.
Having done so, the person or organisation would then be offered “support and guidance, including the discussion of non-payment resolution options”, according to Home Office consultation documents. The proposals also include giving authorities the power to review – and, if necessary, block – payments that it is believed “could go to criminals subject to sanctions designations, or in violation of terrorism finance legislation”.
“If the proposed payment is not blocked, it would be a matter for the victim whether to proceed,” the consultation guidance says.
The third of the planned measures is the introduction of a legal requirement for victims to report ransomware incidents. The Home Office is “exploring whether this should be economy-wide, or whether it should only impact organisations and individuals meeting a certain threshold”.
If such a threshold is applied, government would still “encourage all victims of a ransomware incident to report through the same mechanism”.
The Home Office is inviting responses to the process until 5pm on 8 April.
Security minister Dan Jarvis said: “Driving down cybercrime is central to this government’s missions to reduce crime, deliver growth, and keep the British people safe. With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this government’s Plan for Change is built. These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate. Today marks the beginning of a vital step forward to protect the UK economy and keep businesses and jobs safe.”
Government claims that ransomware attacks on UK targets are “carried out largely by Russian-affiliated criminal gangs”.
During the 12-month period to August 2024, the National Cyber Security Centre led the response to “13 ransomware incidents which were deemed to be nationally significant and posed serious harm to essential services or the wider economy”, the government said. The intelligence agency responded to an overall total of 430 attacks and other incidents during the year.
The founding chief executive of the NCSC, Ciaran Martin, last year called on the UK government to introduce legislation criminalising the act of paying ransomware demands.
Recent public sector victims of significant ransomware attacks include two major London hospital trusts, the National Records of Scotland, Leicester City Council, NHS Dumfries and Galloway, and the University of the West of Scotland.