The UK government wants to make paying ransomware criminals significantly harder. For public sector bodies and critical national infrastructure operators, payments would be banned outright. Everyone else would have to notify the government of their intention to pay before doing so, and could be told that the payment would break the law (for example because the group behind the attack is sanctioned).
If that sounds dramatic, it should. Because the alternative has been paying criminals billions of pounds a year in the hope they'll play nice and give your data back. Spoiler: they often don't.
The government's three-pronged approach consists of:
A targeted ban – public sector bodies and critical national infrastructure operators would be prohibited from paying ransoms.
A payment prevention regime – organisations outside the ban would have to notify the government before paying, and would receive guidance on whether the payment is lawful.
Mandatory reporting – victims would be required to report ransomware incidents to the government.
The consultation, which ran from January to April 2025, received strong support. 72% of respondents backed the targeted ban. 63% supported mandatory reporting. The government has now published its response and confirmed its intention to legislate.
The total cost of cybercrime to the UK economy is estimated at £21 billion a year. Even more concerning, ransom demands made against UK organisations have more than doubled, and recovery costs are rising.
The ban targets the business model that funds these groups, and makes the vital services the public rely on a less attractive target for ransomware operators.
David Newson, our Enterprise Cyber Security Sales Specialist, puts it clearly:
"The Government's proposal [...] sends a clear signal that cyber resilience, preparedness, and accountability must take precedence over reactive financial responses to cyber incidents."
At Intercity, this aligns with how we believe effective cyber security should be delivered. Non-payment is the end position, but achieving it requires strong preventative controls, continuous monitoring, early detection, effective incident response, and proven recovery capabilities. This reinforces the value of managed security services like Managed SOC and virtual CISO that provide sustained visibility, strategic leadership, and timely response.
The government continues to urge organisations across the country to strengthen their ability to maintain operations in the event of a successful ransomware attack. This includes having offline backups, tested plans to operate without IT for an extended period, and a well-rehearsed strategy for restoring systems from backups.
Here's where to start:
Assess your readiness – Can you operate without IT for an extended period? Do you have offline backups? Have you tested your recovery process recently?
Strengthen your defences – Use proven frameworks like Cyber Essentials. Implement continuous monitoring, endpoint detection and response, and security awareness training.
Plan for incident response – Define clear roles, establish decision-making protocols, and rehearse your response.
Engage leadership – Cyber risk is business risk. Ensure senior leaders understand the threat landscape and the investment required to reduce it.
Work with the right partner – This requires sustained capability, skilled people, mature processes, and integrated tooling.
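Two of the readiness questions above, "Do you have offline backups?" and "Have you tested your recovery process recently?", can only be answered by actually restoring from a backup and checking the result. The script below is an added illustration of such a restore drill; it is not code from Intercity or from the government consultation, and the file names, the 24-hour recovery point objective and the drill scenario are all constructed for the example. It records a SHA-256 manifest of a backup set (which belongs on the offline medium, or somewhere an attacker with domain admin cannot reach), restores the set, then reports files that are missing, altered or unexpected, plus whether the backup is younger than the recovery point objective.

```python
"""Backup manifest and restore-drill check (added example, hypothetical layout)."""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Walk a backup set and record a digest per file plus when the set was taken.

    Store the manifest away from the backup itself (offline media, a separate
    account) so ransomware that reaches the backup cannot quietly rewrite both.
    """
    files = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            files[str(p.relative_to(backup_root))] = sha256_file(p)
    return {"taken_at": time.time(), "files": files}


def verify_restore(manifest: dict, restore_root: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns files that never came back, files whose content differs, and files
    present in the restore that the manifest never listed.
    """
    missing, corrupt = [], []
    for rel, digest in manifest["files"].items():
        p = restore_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupt.append(rel)
    extra = [
        str(p.relative_to(restore_root))
        for p in sorted(restore_root.rglob("*"))
        if p.is_file() and str(p.relative_to(restore_root)) not in manifest["files"]
    ]
    return {"missing": missing, "corrupt": corrupt, "extra": extra}


def backup_age_ok(manifest: dict, max_age_hours: float, now: Optional[float] = None) -> bool:
    """True if the backup is newer than the recovery point objective (max_age_hours)."""
    now = time.time() if now is None else now
    return (now - manifest["taken_at"]) <= max_age_hours * 3600


def run_drill(workdir: Optional[Path] = None) -> dict:
    """Constructed drill: back up three files, restore them, then corrupt one,
    drop one and add a stray file to show what the verification reports."""
    tmp = Path(tempfile.mkdtemp()) if workdir is None else workdir
    src, dst = tmp / "backup", tmp / "restore"
    for d in (src, dst):
        d.mkdir(parents=True, exist_ok=True)
    # Constructed sample backup set (hypothetical file names).
    (src / "db.sql").write_bytes(b"CREATE TABLE users (id INT);\n")
    (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
    (src / "notes.txt").write_bytes(b"hello\n")
    manifest = build_manifest(src)
    # Simulated restore: copy every listed file across.
    for rel in manifest["files"]:
        (dst / rel).parent.mkdir(parents=True, exist_ok=True)
        (dst / rel).write_bytes((src / rel).read_bytes())
    # Simulated failure modes: a tampered file, a lost file, an unexpected file.
    (dst / "config.ini").write_bytes(b"[app]\nmode=dev\n")
    (dst / "notes.txt").unlink()
    (dst / "stray.log").write_bytes(b"leftover\n")
    report = verify_restore(manifest, dst)
    report["age_ok"] = backup_age_ok(manifest, max_age_hours=24)
    return report


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

A drill that comes back with anything in `missing` or `corrupt`, or with `age_ok` false, is the answer to "have you tested your recovery process recently?" that you want to discover in a rehearsal rather than during an incident.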
The proposed ban promotes cyber resilience, accountability, and long-term risk reduction. We believe this approach will lead to more resilient public services, reduced impact from ransomware incidents, and a stronger cyber security ecosystem for the UK.
But it only works if organisations take it seriously. The proposed ban would remove payment as an option. What remains is preparation, prevention, and resilience.
Are you prepared to recover your business without paying?