

UK’s Ransomware Payment Ban: Bold Strategy or Dangerous Gamble?

Critics warn that a ban on ransomware payments may lead to dangerous unintended consequences, including forcing victims into secrecy or incentivizing attackers to shift tactics. The post UK’s Ransomware Payment Ban: Bold Strategy or Dangerous Gamble? appeared first on SecurityWeek.

UK Bans Ransomware Payments

The UK government has announced plans to make ransomware payments illegal from the public and critical infrastructure sectors.

It’s an old and hairy chestnut. How do you make ransomware unattractive to criminals? You have to make it either impossible or unprofitable, and neither is likely without intervention. Government has tried the former by requiring security standards from organizations. That approach hasn’t worked. Now the UK is attempting the latter by making payment illegal in those areas it can control, namely the public sector and the critical infrastructure.

“Public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransom demands to criminals under the measure,” announced the UK government on July 22, 2025.

This requirement is being supported by expanded regulations. Organizations not covered by the ban will be required to notify the government “of any intent to pay a ransom”. This is likely to be expanded into full mandatory reporting to “equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities.”

Security Minister Dan Jarvis commented, “We’re determined to smash the cybercriminal business model and protect the services we all rely on.” But the security practitioners’ views range from ‘a good and necessary step’ to ‘it’s not likely to have much effect’.

Scott Walker, CSIRT manager at Orange Cyberdefense, is enthusiastic almost to the point of gung ho. “These new measures… are exactly what the industry has been waiting for… a new ransomware payment prevention scheme, and an enhanced ransomware instant reporting regime.”

Walker suggests, for the critical national infrastructure, “We must make them less attractive targets… As with most illegal criminal activity, the perpetrators are motivated solely by money; remove the motive, and you remove the incentive.”

However, Juliette Hudson, CTO at CybaVerse, points out that not all ransomware attacks are motivated by money. “In the current geopolitical landscape, it’s safe to say that not all ransomware attacks are directly motivated by money. In some cases, nation state actors are targeting critical infrastructure motivated purely to gather intelligence or cause societal harm. A payment ban will do nothing to thwart these attacks.”

Similarly, if geopolitics doesn’t improve, it’s easy to see adversarial nations attacking critical infrastructure with the specific intent to cause damage, perhaps disguised as a ransomware attack that goes wrong (effectively a wiper). If the attack is classified as criminal ransomware, it would fail the legal litmus test for an act of war – even though it is an act of war. (The UK’s position is that it has the right to respond kinetically to an act of cyberwar.)

Ransomware attacks against the critical infrastructure would not be eliminated but could become more dangerous because of the ban.

Kevin Robertson, CTO at Acumen Cyber, is equally doubtful. “Organizations shouldn’t see this change in legislation as an improvement in defenses. It will have little impact. No payment ban will ever stop ransomware,” he says. It could even be counterproductive. “It could create an underground economy where organizations pay demands but don’t report them, or global organizations pay demands from locations outside the UK.”

One of the biggest problems in cyber is unintended consequences. Resources are finite. Filling in one hole may require digging another to provide the materials. Most organizations have genuinely attempted to solve the ransomware problem through cybersecurity but have been unable to fill all the holes. The need for a ban on ransom payments is a recognition of this failure.

The problem is a ban is likely to have its own unintended consequences. Organizations do not pay ransoms because they wish to give money to criminals — they do so for very pragmatic reasons. Those pragmatic reasons will continue regardless of government requirements. Companies that haven’t paid ransoms before this legislation will continue their practice, not because of the law but because that is what they choose to do. 

But companies that would have paid ransoms are now left between a rock and a hard place. “The reality is that many organizations have historically chosen to pay ransoms out of a pragmatic desire to resume operations quickly while minimizing costs,” comments James Neilson, SVP International at OPSWAT. “The new measures therefore risk criminalizing such victims while they are dealing with an attack or leaving them compliant but facing long-term disruption or denial of operations at significant cost. That’s an uncomfortable position for organizations to be in.”

The need to pay the ransom is not affected by the illegality of doing so. Some organizations will double down on finding loopholes in the law or hidden ways of paying off criminals to protect their business — morally if not actually themselves becoming criminals in the process.

Even if the law’s intention is successful, the likely effect would simply divert criminal attention toward the less regulated areas of business while not preventing attacks on CNI from nation state (and probably more elite) attack groups. “Ransomware attackers are not going away, but they may redirect their focus,” warns Neilson.

The ransomware threat is like a pack of cards comprising many individual influences. Legal regulation of the response to these cards may shuffle the pack, but it does not eliminate any of the cards. The only way to change the pack is to add new cards rather than shuffle the existing pack.

This is hard. “If the government wants to talk the talk, it must also walk the walk,” suggests Trevor Dearing. “It therefore needs to ensure that organizations are ready for when an attack strikes. That means having necessary backups and ensuring all organizations have solid recovery plans and risk assessments which are kept up to date.”

This is still just shuffling the pack. Cybersecurity solutions have never worked. Security is like a sieve. There are always gaps somewhere. Attackers are fluid and will always find a hole.

One option would be to provide additional financial resources to victims that do not pay – it would be like insurance without the insurance industry but with the government backstop that insurers have asked for but failed to get. That is almost certainly politically impossible.

The sum total of all moving parts in the ransomware problem suggests that ultimately businesses should be left to do the best they can without the government interference that effectively just muddies the waters. A ban is just political flag waving.

“While banning organizations from providing ransomware payouts sounds good in theory, it is a disaster in practice,” says Forrester’s principal analyst Allie Mellen. “If an organisation is paying a ransom, it is because they have no other option, not because they want to… To ban it outright is unrealistic and detrimental to the organizations they look to protect.”

Related: Marks & Spencer Expects Ransomware Attack to Cost $400 Million

Related: Armenian Man Extradited to US Over Ryuk Ransomware Attacks

Related: Compumedics Ransomware Attack Led to Data Breach Impacting 318,000

Related: Ransomware Group Claims Attack on Belk
