Director Dominic Holden examines the recent Home Office consultation on cyber attacks and banning ransom payments by public bodies and critical infrastructure operators, and discusses the potential impact of such reforms on SMEs, in Law360.
Dominic’s article was published in Law360, 9 April 2025.
On 14 January 2025, the Home Office opened a consultation on proposals to ban ransom payments by publicly owned bodies and operators of critical national infrastructure that have or may have suffered a ransomware attack[1]. The consultation runs until 8 April 2025, and the government seeks input from potential compliance stakeholders, industry, research, and the public.
The overall aim is to tackle the multi-billion-pound cybercrime industry, and the specific objective is potentially to make vital infrastructure like hospitals and the National Grid an unattractive prospect for hackers.
Yet, these proposals are not without their flaws.
The below article examines these plans, explores the development of the ransomware industry, and discusses how such reforms could impact UK businesses.
What is ransomware?
Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system. Once infected, critical IT networks can become crippled and inoperable. The hacker then promises to provide the key to unlock the files in return for money, typically in cryptocurrency.
These attacks can be particularly harmful due to the associated financial losses, theft of potentially sensitive data and intellectual property, as well as significant business/service disruption and reputational damage.
Growing threats
One of the key triggers for this consultation exercise appears to have been the Synovis ransomware attack in June last year, which caused severe damage to the NHS with the postponement of over 10,000 outpatient appointments and around 1,700 elective procedures in London.[2]
Ransomware attacks are a growing threat. Over a period of twelve months which ended in August 2024, the UK’s National Cyber Security Centre’s (NCSC) became involved in managing 430 cyber incidents including 13 separate ransomware incidents which were “deemed to be nationally significant and posed serious harm to essential services or the wider economy”. According to the National Crime Agency, the number of UK victims appearing on ransomware data leak sites has also doubled since 2022[3].
As a result, ransomware is viewed by the National Crime Agency as one of the most serious organised cybercrime threats to the UK’s national security.
These attacks have now become highly profitable. In 2024, one study revealed that UK respondents paid an average of £870,000 with two organisations admitting to paying £10m-£20m in ransoms[4]. According to Sophos (which specialises in endpoint security), the median global ransomware payment made by victims over the past couple of years has also increased by 400% up from $400,000 to $2 million. Meanwhile the recovery costs to victims of a ransomware attack have also increased from $1.82 million to $2.73 million – a rise of around 50%[5].
Whether the ransom is paid or not, regulators and customers will very likely need to be notified of the attack under existing legislation, leading to the threat of an investigation, fines, claims and significant damage to an organisation’s reputation as their customers and suppliers learn of the attack.
The question of how to meet this threat faces governments across the globe.
Exploring the Home Office proposals
Banning ransomware payments
The idea of banning ransomware payment by certain organisations could be an effective deterrent to reduce ransomware attacks, with hackers looking elsewhere – hopefully overseas – for easier pickings that are permitted to pay out. The policy would follow the long-standing principle of the UK Government not to pay ransoms for its citizens taken hostage by terrorists.
However, a ban could be damaging to businesses. Paying a ransom can often be the fastest and most cost-effective way for an organisation to recover from these attacks.
The alternative to non-payment is trying to reset and restore an organisation’s system from backup (assuming regular backups exist) and a potentially catastrophic data loss. The business disruption that follows can be ruinous, both financially and reputationally.
According to Veeam’s 2024 Ransomware Trends Report, 96% of security professionals surveyed said that their backup repositories had been targeted, while a mere 15% were able to recover their data without paying a ransom[6].
That said, paying a ransom can be a risky business. The same report found that 27% of those organisations who had paid the ransom, were still unable to recover their data. In other words, while paying up might seem to offer a quick solution, there is no guarantee that it will resolve the problem.
‘Double dipping’ poses a further risk for victims. In such cases, a ransom is paid only for a further attack to follow a few days later. Or, even worse, an additional ransom is demanded to avoid the hacker publishing the compromised data or selling the information to the highest bidder.
This poses the question of whether the Government’s proposed limited ban goes far enough.
The focus on publicly owned bodies and operators of critical national infrastructure is a good start, given the obvious disruption that stems from the paralysis of these organisations. However, the policy risks hackers moving their attention away from these organisations, focusing their efforts on private companies who would still be permitted to pay a ransom. This could be particularly devastating for SMEs – which make up around 99.9% of the UK economy, but who lack the resources to mount an effective defence against, and response to, a ransomware attack[7].
A limited ban is not the only measure under consideration.
Reporting of all ransomware attacks
The mandatory reporting of all ransomware attacks by companies that meet a certain threshold is also proposed. This proposal is similar to that which has already been proposed in the Cyber Security and Resilience Bill, which is due to be put to Parliament this year.
The purpose of the reporting is to assist law enforcement agencies by giving them a better understanding of the scale and nature of attacks, in order to identify patterns and improve responses to such attacks, and stop them from spreading.
This would appear to be an obvious ‘win’. The more up-to-date information available, the better the future decision-making on how to combat the threat.
The question which then arises, however, is whether the Government will properly resource the authorities who will receive this data, to allow them to take effective steps to respond.
Decision to pay a ransom
Finally, the Home Office proposes that the decision to pay a ransom could be left to the authorities.
The idea of the authorities needing to approve (or not) the payment of ransoms, is likely to be unworkable. It assumes a level of dynamism and responsiveness from Government authorities that is unlikely to be achieved in practice. Taking this decision out of the hands of those who know the organisation and the data at risk best, would seem to be ill-advised.
It also remains to be seen how the Government proposes to enforce legislation against the payment of ransoms. Criminalising the victims of a ransomware attack for making a ransom payment would seem to be unduly punitive given that these organisations are the innocent parties in this situation.
The Government may consider substantial fines to be a more appropriate sanction in line with current legislation around data, such as the UK General Data Protection Regulation/Data Protection Act 2018.
Conclusion
It is clear that the time has come for decisive action to be taken in the battle against ransomware attacks, and the Home Office’s initial focus on critical infrastructure and the public sector is a welcome first step.
However, the consultation is light on detail as to the how the Government intends to enforce compliance, and around the resources that will be available to ensure the reporting of ransomware attacks informs an effective strategy to prevent these attacks from occurring and spreading.
If a limited ban on ransom payments is introduced, it is incumbent on the Government to ensure that support will be provided to soften the increased business interruption that will invariably follow in the private sector.
While these proposals rumble throughout Westminster, there are still steps businesses can take to improve their chances of avoiding an attack, or ensure they are able effectively to deal with one when it comes.
Training staff to identify potential ransomware and other cyber-attacks along with regular system checks, backups and patching, can be essential in mitigating against these threats. Cyber insurance can also provide valuable support and resources to deal with the consequences of an attack, along with a robust incident response plan which deals with how the business can operate in the face of a ransomware event.
For more information on our services relating to technology disputes, please see here
[1] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime
[2] https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/latest-media-statement-on-synnovis-cyber-attack/#:~:text=As%20a%20result%20of%20the,St%20Thomas’%20NHS%20Foundation%20Trust.
[3] https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime#:~:text=The%20NCSC%20managed%20430%20cyber,services%20or%20the%20wider%20economy.
[4] Over Half of Breached UK Firms Pay Ransom – Infosecurity Magazine
[5] https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf
[6] https://www.primesys.co.uk/wp-content/uploads/2024/10/Veeam-2024-ransomware-trends-report.pdf
[7] https://www.gov.uk/government/statistics/business-population-estimates-2023/business-population-estimates-for-the-uk-and-regions-2023-statistical-release