The Government has now launched its consultation (the Consultation), which proposes an ‘entirely new approach’ to ransomware, aimed at ‘disrupting the business model of the ransomware gangs’. The consultation ends on 8 April 2025.
Background
The Home Office has defined ransomware as the use by threat actors of malware to (i) prevent (including by means of encryption) the victim from accessing their systems or data, (ii) impair the use of systems or data, and/or (iii) facilitate theft of data held on the victim’s systems or devices. The threat actors then demand a ‘ransom’ for the return, non-destruction and/or non-publication of this data, though payment of the ransom does not guarantee that outcome.
By way of indication of the scale of this activity, a Chainalysis paper in 2024 estimated that ransom payments of over $1bn were made from victims globally in 2023. The Cyber Security Breaches Survey 2024 found that half of businesses reported experiencing at least one cyber-attack, and also that nearly half of businesses have a policy not to pay ransoms. Given the scale of this issue, the Consultation considers ransomware ‘the greatest of all serious and organised cyber crime threats’ and ‘the largest cyber security threat’.
Proposed approach
The Consultation seeks feedback on three proposals, namely the introduction of:
- A targeted ban on ransomware payments for all public sector bodies and for owners of critical national infrastructure which are regulated or have competent authorities (CNI). This would go further than the Government’s current principle, that ‘central government departments’ cannot make ransomware payments. The Consultation is also seeking views on whether (i) to expand this to ‘essential suppliers’ to these sectors, and (ii) breach should be a criminal or civil offence.
- A ransomware payment prevention regime. This would require victims (who fall outside the ban) to engage with authorities and report their intention to make a ransomware payment before making such a payment. Once this report is made, the victim would receive support and guidance (including discussing non-payment options), and the authorities would review the proposed payment ‘to see if there is a reason it needs to be blocked eg where it could go to criminals subject to sanctions designations, or in violation of terrorism finance legislation’. If it was not blocked, the victim would then have the choice as to whether to proceed with payment. Again, the Consultation seeks views on the best way to ensure compliance with this regime, including whether to impose criminal and/or civil penalties ‘especially where a payment is made after the victim has been told it has to be blocked’, and whether to apply a threshold in terms of organisation or ransom size.
- A ransomware incident reporting regime for victims. This would require victims to:
  - within 72 hours, file an initial report which specifies: if a ransom demand has been received, if the organisation can recover from existing resilience measures, and if the ransomware group is identifiable.
  - within 28 days, file a full report with further details including the vector of access, if resilience measures have been implemented, and any further details on the attack.
Again, the Consultation invites views as to whether a threshold should be applied (with others encouraged to voluntarily report through the same mechanism).
Next steps / takeaways
The Consultation has the laudable aim of seeking to disincentivise expensive and potentially devastating attacks on public bodies. However, it remains to be seen how effective this will be, particularly given that certain threat actors have non-financial motives (eg state-sponsored intelligence gathering), and whether this inadvertently leads to an increased number of attacks on private organisations.
Helpfully, the Consultation adopts a pragmatic approach to certain issues, such as:
- seeking to streamline reporting obligations to ensure victims only need to report a ransomware incident once (as far as possible), and seeking to discourage payments; and
- somewhat unusually, creating a hierarchy among criminal enterprises in seeking to stop payments to the worst offenders (those targeted by sanctions or terrorist financing legislation).
In other areas, industry feedback may encourage a more realistic focus on the ‘art of the possible’ in the immediate aftermath of a ransomware attack. An element of flexibility in the reporting timelines would likely be desirable, particularly if criminal penalties are to be introduced. In this regard:
- while the Consultation suggests that multiple reports may not be needed for organisations in scope of the Network Information System Regulations, if a ransomware attack affected personal data, victims will be faced with notifications to the ICO on similar 72-hour timeframes, as well as notifications to affected data subjects ‘without undue delay’.
- the Home Office may need to accept that victims of complex attacks that are in crisis mode may not fully understand the background to the attack within 28 days, for the ‘full report’, and may therefore not be in a position during that timeframe to identify or implement resilience measures or provide additional useful information that might help with the Home Office’s intelligence gathering efforts.
Finally, the Home Office indicated it will work with the Department for Science, Innovation and Technology to ensure their proposals are ‘aligned and complementary’ to those in the anticipated Cyber and Security Resilience Bill. It remains to be seen what that Bill will entail, and how the proposals will interact.