The UK's Ransomware Payment Ban: What It Means for Your Business
The UK government wants to make paying ransomware criminals significantly more complicated. For public sector bodies and critical national infrastructure operators, payments would be banned entirely. For everyone else, you'd need to ask permission first.
If that sounds dramatic, it should. Because the alternative has been paying criminals billions of pounds a year in the hope they'll play nice and give your data back. Spoiler: they often don't.
What's being proposed?
The government's three-pronged approach includes:
- A targeted ban on ransomware payments
  Public sector organisations (including local councils, schools, and the NHS) and regulated critical national infrastructure operators would be prohibited from paying ransoms. This would extend an existing ban on central government departments.
- A payment prevention regime
  Organisations not covered by the ban would need to notify the government before making any ransomware payment. Authorities would assess whether the payment risks breaching sanctions or terrorism financing rules and may intervene accordingly.
- Mandatory incident reporting
  All UK organisations would need to report ransomware incidents within 72 hours of becoming aware of them, with a full report due within 28 days.
The consultation, which ran from January to April 2025, received strong support. 72% of respondents backed the targeted ban. 63% supported mandatory reporting. The government has now published its response and confirmed its intention to legislate.
Ransomware hasn't slowed down
Here in the UK, the total cost of cybercrime to the economy is estimated at £21 billion annually. Even more concerning, UK ransom demands have more than doubled, and recovery costs are rising.
The ban would target the business model that fuels cyber criminals' activities and make the vital services the public relies on a less attractive target for ransomware groups.
Effective cyber security
David Newson, our Enterprise Cyber Security Sales Specialist, puts it clearly:
"The Government's proposal [...] sends a clear signal that cyber resilience, preparedness, and accountability must take precedence over reactive financial responses to cyber incidents."
At Intercity, this aligns with how we believe effective cyber security should be delivered. Non-payment is the end position, but achieving it requires strong preventative controls, continuous monitoring, early detection, effective incident response, and proven recovery capabilities. This reinforces the value of managed security services like Managed SOC and virtual CISO that provide sustained visibility, strategic leadership, and timely response.
The next steps for your business
The government continues to urge organisations across the country to strengthen their ability to maintain operations in the event of a successful ransomware attack. This includes having offline backups, tested plans to operate without IT for an extended period, and a well-rehearsed strategy for restoring systems from backups.
Here's where to start:
- Assess your readiness – Can you operate without IT for an extended period? Do you have offline backups? Have you tested your recovery process recently?
- Strengthen your defences – Use proven frameworks like Cyber Essentials. Implement continuous monitoring, endpoint detection and response, and security awareness training.
- Plan for incident response – Define clear roles, establish decision-making protocols, and rehearse your response.
- Engage leadership – Cyber risk is business risk. Ensure senior leaders understand the threat landscape and the investment required to reduce it.
- Work with the right partner – This requires sustained capability, skilled people, mature processes, and integrated tooling.
Our take
The proposed ban promotes cyber resilience, accountability, and long-term risk reduction. We believe this approach will lead to more resilient public services, reduced impact from ransomware incidents, and a stronger cyber security ecosystem for the UK.
But it only works if organisations take it seriously. The proposed ban would remove payment as an option. What remains is preparation, prevention, and resilience.
Are you prepared to recover your business without paying?