Six Reasons Why the Government’s Ransom Payment Ban Won’t Work

Kate O’Flaherty finds that the government’s latest scheme to tackle ransomware would be difficult to enforce and may drive companies out of business.

The UK government has proposed a ban on ransomware payments for public sector organisations and those operating in critical infrastructure (CNI) sectors. It comes alongside a mandatory reporting requirement for ransom attacks to help boost threat intelligence for law enforcement.

The proposals have laudable aims. Lawmakers want to ensure that public money isn’t used to fund cybercrime, while making government and CNI organisations a less appealing target for threat actors.

However, similar bans have been proposed before, and many experts think they don’t work. Here’s why.

A ban won’t stop ransomware

Simply refusing to pay a ransom doesn’t make the problem go away for the victim organisations, says Jamie Akhtar, CEO and co-founder of CyberSmart. He cites the example of Hackney Council and the British Library.

“Both organisations bravely refused to pay, leading to months or years of disruption to their services,” he tells Assured Intelligence.

Meanwhile, a ban won’t be effective in deterring all types of ransomware attacks, Daniel Milnes, a partner at Forbes Solicitors tells Assured Intelligence.

“Not all adversaries are doing it for the money,” he says. “State-sponsored cyber-attacks, for example, often have wider objectives.”

“Any bid to tackle ransomware needs to be part of a wider global effort” Matthias Held

At the same time, ransomware is a highly structured criminal business, and criminals are unlikely to abandon their operations merely because payments are banned, says Amir Becker, senior vice president of global cyber services at Sygnia.

“On the contrary, this could escalate the stakes, prompting attackers to adopt more aggressive or innovative tactics to maintain profitability,” he tells Assured Intelligence.

And while the UK government can seek to remove the incentive, ultimately it’s impossible to control adversaries, says Jonathan Lee, director of cybersecurity strategy at Trend Micro. Organisations might not be individually targeted by ransomware gangs, but can still suffer from collateral damage, he argues. He cites the example of the NHS, which was hit by the WannaCry cryptoworm in 2017 as part of the fallout from the global attack.

“Unless such bans become global, ransomware will continue to be a weapon of choice, and many more organisations will be caught in the crossfire, with all the associated service disruption that follows,” Lee tells Assured Intelligence.

It could disrupt critical services

If an organisation is impacted by ransomware and is prohibited from paying, it could potentially put them out of business, argues Richard Breavington, partner and head of cyber and technology insurance at law firm RPC. This is especially true of CNI sectors, where service outages could be especially damaging.

“Because they rely heavily on access to their data, they could face severe consequences, including prolonged operational disruptions, financial losses and reputational damage, says Sygnia’s Becker.

“Ultimately, these organisations must deliver critical services to their customers, and if the only recourse to returning these critical services is paying the ransom, then they will have to do so,” adds Jeff Wichman, director of breach preparedness and response at Semperis.

Incident response just isn’t up to scratch

Some organisations – especially those in the cash-strapped public sector – are simply not prepared for serious security breaches. To be able to confidently refuse a ransom demand, they need to know that they can continue operating and accessing critical data and systems, even if they don’t pay up. That makes secure backups and proper incident response plans vital, says CyberSmart’s Akhtar.

According to the government’s own figures, just 22% of UK businesses and 19% of charities have a formal incident response plan.

“This leaves them ill-prepared in the event of a breach,” he says.

Organisations could cover up attacks

Victim organisations may also feel they have no choice but to cover up what happened – and make covert ransom payments. The mandatory reporting required for all ransomware incidents could make things worse.

“The risk here is that public disclosure may lead to some businesses feeling more inclined to cover up an attack,” says Dan Kitchen, CEO at Razorblue.

“It will leave some feeling they have no alternative but to conceal the payment” Will Richmond-Coggan

Will Richmond-Coggan, a partner specialising in cyber incident litigation at Freeths, agrees.

“While it will undoubtedly drive some responsible businesses to invest ahead of time in additional protections for their systems, it will also leave others feeling they have no alternative but to conceal the payment,” he tells Assured Intelligence.

In the end, driving these transactions underground will make them less visible.

“It then runs the risk of fuelling the very criminal economy that the government is ostensibly trying to stamp out,” Richmond-Coggan argues.

It’s difficult to enforce

A ban on critical sectors paying a ransom would be difficult to enforce – especially given the nature of CNI. Prosecuting organisations that pay ransoms to prevent catastrophic disruption or save lives presents “a complex legal and ethical dilemma”, says Matthias Held, technical programme manager at Bugcrowd.

“Moreover, the use of ransomware payments to track down perpetrators could be inadvertently hampered by these measures,” he tells Assured Intelligence.

It switches the focus from prevention

Banning payments changes the narrative about ransomware, focusing reactively on the aftermath rather than encouraging victims to proactively reduce risk, says Lee Cornish, penetration tester at OnSecurity.

“Criminals are unlikely to abandon their operations merely because payments are banned” Amir Beckern

“Effective ransomware defence demands proactive, technically focused strategies,” he tells Assured Intelligence. “For governments, this means prioritising international cyber operations to disrupt attacker infrastructure and dismantle ransomware-as-a-service (RaaS) networks.”

Strategies that could work better

A government-mandated ransomware payment ban is “a laudable idea”, but has to be coupled with improvements in baseline security, says CyberSmart’s Akhtar. In practice, this means cyber awareness training for all employees, properly backed up data, basic cybersecurity controls such as those prescribed by Cyber Essentials, and comprehensive incident response plans to minimise damage, he says.

Another way of boosting overall security is through regulation, says RPC’s Breavington. This is already happening to a large extent, he says, citing the example of the EU’s Digital Operational Resilience Act, the NIS2 Directive, and the Cyber Resilience Act.

Any bid to tackle ransomware needs to be part of a wider effort, according to Bugcrowd’s Held. Global task forces would help in this regard.

“International collaborations to disrupt ransomware ecosystems are crucial to combating the global threat,” he concludes.

The consultation is running until April 8, with the results and potential drafting of legislation earmarked for 2026. It’s a long way off, so the end result could look very different to what’s currently being considered.