UK to Ban Ransom Payments for Public Sector and Critical Infrastructure in Fight Against Cybercrime
The British government has announced that it is preparing a bold and decisive move in the fight against cybercrime—a sweeping ban on ransom payments following ransomware attacks. The prohibition will apply to public sector organizations and critical infrastructure entities, including local councils, schools, and the publicly funded National Health Service (NHS).
The decision stems from the mounting threat posed by ransomware, which not only inflicts economic damage amounting to tens of millions of pounds annually but also disrupts the operation of essential public services. Authorities emphasize that by stripping cybercriminals of financial incentives, they aim to undermine the very business model that sustains cyber extortion. Such measures are intended to make public institutions and socially vital organizations less appealing targets.
Under the proposed plan, all public bodies would be categorically barred from making any payments to attackers. Private companies would not be directly subject to the ban, but they would be required to notify the government of any intent to pay a ransom and to consult official sanctions lists to ensure that no payment is funneled to a sanctioned criminal organization.
At the same time, a mandatory reporting system is being developed for all organizations affected by ransomware. Its objective is to equip law enforcement with the data necessary to trace attacks and assist impacted institutions. The mechanism will also strengthen collaboration with industry partners and enhance coordination under the so-called “Plan for Change” aimed at reforming the nation’s cybersecurity framework.
The proposal builds upon public consultations held in January, during which the government first floated the idea of banning ransom payments and instituting mandatory reporting. It received strong backing from relevant agencies, including the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), both of which have identified ransomware as the preeminent threat in the UK’s digital domain.
The urgency of the issue is underscored by a series of high-profile attacks in recent years. Among the most notorious incidents were the crippling of the NHS and the cyber assault on the British Library. In April 2025, Marks & Spencer was added to the list of victims after threat actors wielding the DragonForce ransomware disabled VMware ESXi virtual machines, forcing the retailer to suspend online orders and disrupting operations across 1,400 stores.
Other major UK retailers have also been affected. Co-op confirmed a data breach involving current and former loyalty program members, while Harrods was compelled to restrict internal online access following an attempted breach of its corporate network. These cases have further galvanized support for the ban and highlighted the far-reaching consequences of such attacks—from logistical breakdowns to direct threats to human life.
Should these measures be adopted, the United Kingdom would become one of the first nations to take such a resolute stance in dismantling the ransomware payment model at the state level. Yet, the effectiveness of such a policy will depend heavily on international coordination, as the vast majority of cyber threats transcend national borders.