The Home Office has proposed a targeted ban on ransomware payments for all public sector bodies, and for owners and operators of regulated critical national infrastructure.
It has included a proposal in a new consultation on efforts to reduce ransomware attacks, saying it is aimed at making essential services an unattractive target for cyber criminals.
This goes beyond the current principle that central government departments cannot make ransomware payments.
The department is also seeking views on how to achieve the right balance of effective and proportionate measures to encourage compliance with the proposed ban.
The consultation document says the move is aimed at breaking the business model of cyber criminals, citing data from a National Crime Agency operation against the Lockbit network, which was broken up last year.
Prevention and reporting
It includes two other proposals. The first is a new ransomware payment prevention regime that would require any victim not covered by the ban to notify the authorities of any intention to pay a ransom, and would provide those victims with support and guidance, including a discussion of other options.
Any information provided through those discussions could be fed into intelligence to support operational activity against the criminals.
The third proposal is the creation of a new incident reporting regime, which could make it a mandatory requirement for suspected victims. This reflects Home Office polling that showed 81% of the public believe that businesses should report an attack, and other research showing that businesses sometimes do not report them.
It also comes from an understanding that the current underreporting leaves a substantial gap in the intelligence picture.
Greatest threat
Announcing the consultation to Parliament, Minister of State for Security Dan Jarvis described ransomware as the greatest organised cyber crime threat and risk to UK national security and said: “The targeted ban will protect the systems that the UK relies on every day for our most critical and essential services. We are making a strong statement to these criminals that there is no financial gain in disrupting the core of our economy.”
He added: “We are seeking to build on existing resilience and disruption strategies, including sanctions, where the UK has already sanctioned 36 ransomware criminals, and our work with the international Counter Ransomware Initiative, where the UK led a commitment from 48 countries and two international organisations that their governments would not pay ransoms.”
The consultation will be open until 8 April.