The UK government on Tuesday proposed an order that would forbid all government agencies and other government entities from making any ransom payments, regardless of circumstances. But security experts were skeptical that the measure would work in any meaningful way.
The government statement, the result of a months-long public consultation, was explicit. “Public sector bodies and operators of critical national infrastructure, including the NHS [National Health Service], local councils, and schools, would be banned from paying ransom demands to criminals under the measure,” the statement said.
It said that the proposed ban would not, for now, cover private companies, but that it would still require them to report their intention to make such payments.
“Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom,” the statement said. “The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cyber-criminal groups, many of whom are based in Russia.”
It was not immediately clear what actions would be needed for the proposals to take effect, nor what the timing would likely be. The full report on the consultation merely said, “The Government intends to continue to develop these measures in collaboration with industry, and guidance and other supporting and clarifying documents will be made available.” UK officials involved in the proposal did not immediately respond to a CSO request for comment.
Ransomware attacks are one of the top concerns for enterprise CISOs, as major attacks are seemingly revealed every few days.
Can govt officials stand firm?
Security specialists applauded the UK initiative, but most doubted that it would ultimately make much of a difference.
Chet Wisniewski, a field CISO at security vendor Sophos, said that he will be “fascinated to see what the outcome will be,” but he is skeptical it will amount to much.
Wisniewski said his skepticism was based on the resolve of UK politicians to hold firmly to the policy when horrible things start to happen.
“Will politicians have the nerve to hold firm if [attackers] shut down hospitals?” Wisniewski asked, stressing that the rule could work only if government officials “stick to their guns. When one of those incidents happens, they will cave.”
Tim Rawlins, a senior adviser at cybersecurity consulting firm NCC Group, said the UK move might have the unintended impact of not so much reducing ransomware attacks as moving them away from government entities.
“A payment ban for public sector and critical infrastructure organizations could unintentionally shift the threat toward smaller, less resilient organizations, or potentially drive payments underground,” Rawlins said.
There is also the risk that agencies and critical infrastructure operations could try to get around the requirement by either hiding the payments or labeling them as something else, such as cybersecurity consulting.
Businesses often want to pay ransom
Fred Chagnon, principal research director at Info-Tech Research Group, noted that, from a business continuity perspective, it can make sense to pay the ransom.
“Paying the ransom can sometimes be the quickest and least damaging path to restoring operations, especially if backups are compromised or recovery is prohibitively slow. While paying may inadvertently fund further criminal activity, for a victimized organization, it often represents a pragmatic business decision to minimize downtime, financial loss, and reputational damage,” he said.
However, he added, “policies that penalize victims will inadvertently lead to underreporting of incidents, driving payments underground, and hindering intelligence gathering and law enforcement efforts. It’s also a punitive measure on victims already suffering financial loss.”
Robin Brattel, CEO of Lab 1, a data intelligence vendor, argued that there is also the issue of group compliance. The ban may ultimately work, but only if just about everyone cooperates.
“Some threat actors will test the model to see if it holds. Once one organization gives in, others may follow. The challenge is for everyone to stay unified. If that happens, there’s a chance that money-hungry threat actors will stop focusing on these victims,” Brattel said. “However, hackers and state actors won’t disappear. Initially, we could see an uptick in attacks, but there’s a chance that they may subside over time.
“We agree with the principle [of the proposal], but the reality is very different and more complex. When a public institution is effectively under siege, with operations frozen and sensitive data held hostage, it can trigger unpredictable and desperate responses.”
Brattel added that time is never on the side of the victim.
“Attackers are not working to a deadline. They can afford to wait. If they don’t receive payment, they’ll likely release the data, regardless of who it impacts—patients, students, or local residents,” Brattel said. “That kind of pressure can push even well-meaning institutions to seek unofficial or indirect ways to meet ransom demands.”
Another security specialist also doubted that the ban would ultimately make much of a dent in UK ransomware attacks.
“The government is admirable in its efforts to crack down on ransomware by trying to cut off the funding to hackers; however, these groups won’t allow themselves to be the ones held to ransom,” said Rob Jardin, chief digital officer at NymVPN.
“If the best solution to the issue is to just turn around and say to the hackers ‘we’re not giving in to your demands anymore,’ don’t be surprised if they double down and try to expose more data and make a business selling it on the dark web,” he said.