
Labour Government Also Backs Ransomware Payment Clearance and Reporting

Akshaya Asokan (asokan_akshaya) •
July 22, 2025

UK Government Set to Impose Ransomware Payment Ban

The British government vowed Tuesday to proceed with a proposed ransomware payment ban for critical infrastructure organizations such as the National Health Service and to press forward on a mandate for other businesses to notify authorities in advance of paying out a ransom.


It remains an open question how the government intends to enforce those measures.

The Labour government of Prime Minister Keir Starmer floated earlier this year a raft of new policies about ransomware. Digital extortion driven by cryptolocking software has caused disruptions to medical blood supplies and to international shipping by the Royal Mail. The government in January opened a public consultation that garnered more than 300 responses, mainly from organizations (see: Under Discussion: UK Mandatory Ransomware Incident Reporting).

“We’re determined to smash the cybercriminal business model and protect the services we all rely on,” said Security Minister Dan Jarvis. “We are sending a clear signal that the U.K. is united in the fight against ransomware.”

In its analysis of the responses, the government said roughly three quarters of respondents agreed with a critical infrastructure ransomware payment ban. More than 80% of critical infrastructure operators support it, it said.

Security experts have given the proposed payment ban mixed reviews, in some cases arguing that a ban should be matched with funding to create more national resiliency. In a February workshop convened by the Royal United Services Institute, some said a ban is less likely to deter hackers from attacking British targets since ransomware attacks are mostly opportunistic in nature (see: UK Home Office Ransom Ban Proposal Needs More Clarity).

A major question ahead of the government is whether to allow exceptions to the ban for cases where the presence of cryptolocking malware would harm national security or public health. A plurality of respondents said they support exceptions, although the 43% who do is nearly the same share as the 40% of respondents who said they don’t support one. The government said it “will consider this feedback.”

The government is similarly in considering-feedback mode when it comes to enforcement of a ban. Options range from civil to criminal penalties for noncompliance, although neither attracted majority support. A plurality, 44%, said they support civil penalties, 31% said they support criminal penalties, and 37% said they support another, undefined penalty described as “other.”

“The government will continue to explore the most appropriate and proportionate penalties,” is the official response.

Slightly fewer than half of respondents said they support new regulation requiring ransomware victims to notify the government in advance of paying out a ransom. Authorities under the proposal would review the proposed payment for violations of existing sanctions or anti-terrorism financing statutes.

What the government calls the “payment prevention regime” would also face thorny questions about enforcement, including whether individual executives should be held responsible for non-compliance. Just over half of respondents supported civil penalties and 64% said only the organization, not individuals, should suffer consequences. The government said it will “explore the most proportionate approach.”

One area where the government said it doesn’t have to study alternatives is a proposed 72-hour requirement for all victims of ransomware to notify the government of the attack. The government has long complained that it lacks insight into the extent of ransomware in the private sector and calls a new reporting mandate necessary for building resilience.

Critics have called a 72-hour threshold unreasonable and said the first days after a cyberattack should be dedicated to response rather than reporting. But three quarters of respondents said a three-day window is actually reasonable. “Therefore, the government will keep 72 hours as the suggested reporting timeframe.”

It is unclear when these measures will come into effect. A recent government survey found that ransomware incidents “significantly increased” between 2024 and 2025 (see: Ransomware Incidents on the Rise in the UK).