Public Sector Off Limits: UK Introduces Ransomware Payment Ban and Reporting Regime

Milica Starinac | 8 August 2025


Summary

  • The United Kingdom (UK) government has announced a plan to ban ransomware payments by public institutions and critical national infrastructure (CNI) operators, alongside new incident reporting requirements and support for targets navigating the legal risks of ransom payments.

  • These measures aim to strengthen the deterrence and defence capabilities of the public sector and CNI, and remove financial incentives for targeting them, thereby also making attribution more likely in cases of state-sponsored hybrid operations disguised as ransomware. 

  • In the short term, UK public institutions and CNI operators are likely to update their cyber protocols and insurance policies to comply with the upcoming ban and reporting requirements. Over time, politically motivated ransomware attacks may be increasingly treated as hostile state activity, prompting a shift towards diplomatic or offensive cyber responses towards perpetrators.


Following public consultation with stakeholders and cybersecurity experts, the UK government has announced new measures to combat ransomware, which it considers the most serious cybersecurity threat the country faces. The Minister of State for Security, Dan Jarvis, said on 22 July that the public supports stronger action against cyber criminals, including a ban on public institutions and private CNI operators paying ransoms. The government will also establish a “ransomware payment prevention regime” to assist organisations not covered by the ban in responding to this widespread threat, including warning a target when paying a ransom could be a criminal offence because the perpetrator is under government sanctions, as many Russia-based cyber criminal groups are. The third measure is mandatory reporting of ransomware incidents. Although the reporting threshold has yet to be set, the aim is to give law enforcement a clearer intelligence picture of cybercrime.

Ransomware is recognised as the biggest cyber threat to the UK and a threat to national security, and the number of incidents has risen over the past few years. A National Crime Agency report found that by 2023, 89% of fraud incidents were cyber-enabled, and that the number of UK ransomware victims named on data leak sites had doubled since 2022. One of the main ransomware targets in the UK is the National Health Service (NHS), which has suffered several attacks, including WannaCry in 2017 and a 2024 attack by the Russia-based group Qilin that delayed blood test results and led to the death of one patient. Other notable incidents include the attack on the British Library in 2023 and several attacks on local councils, such as Manchester and Leicester. The private sector falls prey to cyber criminals even more often; major UK retailers such as M&S, Harrods and the Co-op have all been targeted recently. These attacks disrupt public services, harm the economy and expose private information, and the consequences could be harsher still for CNI, which the new measures aim to address. Even though public institutions rarely pay ransoms, the ban is likely to have a deterrent effect on attackers whose main goal is profit.

However, there may be more to some ransomware attacks than illicit enterprise. Russia is known to use cyber and other hybrid attacks, which fall below the threshold of conventional war, to sabotage and threaten targets in the West, particularly transport, government and CNI. Stronger reporting requirements and the removal of the financial incentive for attacking CNI could ease attribution of ransomware attacks whose primary objective is political rather than financial. Five Eyes allies such as Canada and Australia (which recently adopted a mandatory reporting regime for ransom payments) may follow the UK’s lead and implement a ban; such measures are under public discussion there, while the US is unlikely to adopt a similar policy after a failed attempt in 2023. Other NATO allies, such as Germany, will likely also consider banning ransom payments for attacks on CNI and the public sector as the alliance continues to strengthen its cyber defence capabilities, an issue given high salience at the latest NATO summit in The Hague. Moreover, the new 5% of GDP defence spending pledge includes a target of 1.5% of GDP for defence- and security-related investment, covering resilience and infrastructure, including cyber. This will likely prompt the UK and other NATO allies to allocate significant funds to cyber defence and deterrence in the years to come.



Forecast

  • Short-term (Now - 3 months)

    • The UK government is highly likely to codify the aforementioned measures into law and establish related protocols, clarifying reporting procedures and thresholds. This will likely improve transparency, with an increase in reported ransomware incidents.

    • CNI operators and public institutions affected by the ban are highly likely to start updating their cybersecurity protocols and cyber insurance policies, particularly where those policies include paying a ransom as a fallback option.

  • Medium-term (3-12 months)

    • With the adoption of the new measures, ransomware groups whose main objective is profit will likely be deterred from targeting the public sector, but are unlikely to be deterred from targeting the private sector, which the ban does not cover. Moreover, because mandatory reporting raises the risk that payments will be traced, they will increasingly demand payment in harder-to-trace forms, such as privacy-focused cryptocurrencies rather than the Bitcoin payments that are already the norm.

    • There will likely be an increased demand for consultancy services related to cyber incident response, insurance and compliance.

  • Long-term (>1 year)

    • The UK government is likely to allocate more funds to the public institutions to help strengthen cyber defence, in line with the new NATO guidelines on increasing defence spending, including cyber defence and deterrence. 

    • Without a clear financial motive, ransomware attacks on public institutions and CNI will likely be perceived increasingly as malicious state-sponsored hybrid operations, possibly leading to the UK employing cyber diplomacy or offensive cyber capabilities to respond to such operations from third countries such as Russia.
