If you can’t beat them, ban them.
The UK is clamping down on ransomware attacks by proceeding with a ban that would forbid public sector organizations and critical infrastructure operators from paying ransoms.
The proposed ban would prevent local councils, schools, and the National Health Service (NHS) from paying ransom demands requested by cybercriminals. Additionally, businesses excluded from the ban would be required to report plans to pay a ransom demand to the government. The UK government hosted a public consultation for the proposal between January and April of this year.
In a statement, Security Minister Dan Jarvis called ransomware a “predatory crime that puts the public at risk.”
“That’s why we’re determined to smash the cybercriminal business model and protect the services we all rely on,” he said.
Hard times. The move comes as the UK’s public sector has been at the center of several high-profile ransomware attacks over the last couple of years. In 2023, the British Library was the victim of a ransomware attack carried out by the Rhysida ransomware group. In 2024, the Qilin cybercrime group launched a ransomware attack against Synnovis, a pathology service provider that several NHS organizations “primarily in South East London” rely on, which contributed to the death of a patient.
Sophos’s 2025 State of Ransomware in the UK report found that the median ransom demand was about $5.4 million last year, while the median payment was $5.2 million.
Collateral damage. NCC Group director and senior advisor Tim Rawlins told IT Brew that, while well-intentioned, the new measures could have some unintended consequences, such as redirecting cybercriminals to more vulnerable targets.
“If you decide critical national infrastructure is not going to pay [and the] public sector is not going to pay, where do the bad guys go?” Rawlins said. “They’re going to go to the millions and millions of smaller, less well-defended, less well-protected organizations that are out there.”
“There’s other issues. Will it drive payment underground? I think the answer is going to be yes because nobody wants to pay a ransom,” he said.
Monkey see, monkey do? While Rawlins said that the UK’s recent efforts to combat ransomware could have a few repercussions, he wasn’t opposed to seeing the measures replicated in other countries.
“Why not?” Rawlins said. “If it can be proven to work, then absolutely we can see everybody else jumping on the bandwagon.”
However, he said those looking to follow suit should expect to answer the same questions the UK will likely need to work through following the ban.
“Are you going to make it every company?” Rawlins said. “Are you going to have an exceptions process? How are you going to manage that exceptions process?”