
For as long as there’s been ransomware, there’s been a debate about whether or not victims should pay the bill. There are good arguments on both sides: on the one hand, ransom payments reward criminality and fund more crime; on the other, ransomware is an existential threat for many organisations and, when the victims are hospitals or other essential public services, paying to make the problem go away can be a matter of life and death.
New recommendations from the Home Office seem to place the UK government firmly in the ‘no payment’ camp. In proposals currently under consultation, the Home Office suggests banning ransom payments in the public sector.
The government seeks to “affirm a non-payment position as a public and binding commitment”. This, the Home Office says, will “cement the UK and our essential infrastructure as an unattractive target to criminals”. It argues that one of the most effective ways to prevent ransomware attacks is to make clear that criminal gangs won’t profit from targeting the public sector.
The proposals also include a ransom-payment-prevention regime to guide and advise victims, and mandatory reporting for ransomware incidents to keep UK law enforcement informed of the attack landscape.
These policies would cover every public sector body, as well as private sector organisations that are considered critical national infrastructure. Such designations stretch across 15 industries, including defence, finance, energy, food, transport, water and, most recently, data centres.
Responses from the security industry have been mixed. Some welcome the plans, while others warn that, despite their good intentions, the proposals could produce more harm than good.
“Law enforcement has made incredible headway in targeting and successfully disrupting some of the biggest ransomware groups,” says Dr Gareth Owenson, co-founder and CTO of Searchlight Cyber. However, there are “structural limitations” to what can be achieved by targeting one group at a time, he says, particularly as those groups often operate outside the legal reach of the UK and its allies.
Searchlight Cyber’s annual ransomware report, for instance, found that even though authorities have redoubled their efforts to shut down cybercrime groups, the victim count in 2024 was up compared with the previous year.
Owenson argues that a new approach is needed to change the economics for ransomware groups. “By refusing to pay ransoms, the threat actors’ business model of targeting UK public sector organisations becomes unsustainable – it’s the exact same rationale as the existing policy not to pay ransom demands for physical hostages. This is not an activity we want to encourage or fund.”
Legacy IT a major vulnerability
It is no secret that many public sector organisations have faced funding shortfalls, leading to underinvestment in IT and slow progress on cybersecurity.
This vulnerability is acknowledged by the National Cyber Security Centre (NCSC), the public body that provides cybersecurity guidance in the UK. Although it backs the ban, the NCSC warns that organisations must “strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks”. And it’s not just about having backups in place; organisations must also reinforce their operational resilience and enhance testing for business-continuity plans.
“Chronic underfunding, privatisation and ageing infrastructure are the names of the chickens that are coming home to roost in our national critical infrastructure,” says Ian Thornton-Trump, chief security officer at Inversion6, a cybersecurity company.
“No one wants to pay ransoms to cybercriminals,” he adds. “But if it restores services that prevent or reduce injury and death, are we really going to lock the chequebook away?”
Questions such as this shift the ransom-payment debate away from law and order and into the realm of ethics.
Kirsty Paine is field CTO at Splunk, a software company. She says the best defence against ransomware is to create isolated backups frequently and continually test restoration capabilities from those backups. Organisations should also ensure robust cyber-hygiene practices to prevent attackers from gaining access in the first place. These include patching vulnerabilities, implementing multi-factor authentication, investigating anomalous activity and managing network access.
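Paine's point about continually testing restoration can be made concrete with a small restore drill. The script below is an added example written for this page, not code from Splunk or any organisation quoted here. It assumes a local directory stands in for the live data and a tar.gz archive for the backup; the sample files it creates are constructed. It records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and reports files that are missing, altered or unexpected after the restore. Keeping the archive isolated (offline or in a separate trust domain) is the part the script cannot show.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by its relative POSIX path."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file under source and return the manifest taken at backup time.

    The manifest is the reference a later restore is checked against, so it
    should be stored with the same care as the archive itself.
    """
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing entries that escape it."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # safe extraction filter
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)


def verify_restore(expected: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare the restored tree against the backup-time manifest."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "corrupted": sorted(
            p for p in expected if p in actual and actual[p] != expected[p]
        ),
    }


def restore_test_passes(report: dict[str, list[str]]) -> bool:
    """A drill passes only when every category of discrepancy is empty."""
    return not any(report.values())


def run_restore_drill() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Back up constructed sample data, restore it, then verify twice:
    once on the clean restore and once after simulating a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "live"  # hypothetical live data directory
        (source / "records").mkdir(parents=True)
        (source / "records" / "patient-0001.txt").write_text("constructed sample record\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")

        archive = base / "backup.tar.gz"
        manifest = create_backup(source, archive)

        restored = base / "restore-test"
        restore_backup(archive, restored)
        clean_report = verify_restore(manifest, restored)

        # Simulate a restore that silently went wrong: one file altered, one lost.
        (restored / "config.ini").write_text("[app]\nmode=prod\n# bit rot\n")
        (restored / "records" / "patient-0001.txt").unlink()
        damaged_report = verify_restore(manifest, restored)

        return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = run_restore_drill()
    print("clean restore passes:", restore_test_passes(clean))
    print("damaged restore passes:", restore_test_passes(damaged), damaged)
```

Run as a scheduled job against a real backup, the drill turns "we have backups" into "we restored and verified them on this date", which is the evidence an operational-resilience review actually needs.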
“The list goes on,” Paine says. “Regardless, some organisations will struggle to do this thanks to time, talent and budget constraints. If an organisation is already struggling, a ransom-payment ban won’t magically increase the budget or skills of the teams that put these recovery processes in place.”
Instead of debating whether ransoms should ever be paid, we should be asking why some critical systems, such as those in the healthcare sector, are so vulnerable. That’s according to Jonathan Lee, UK cybersecurity director at Trend Micro, an IT security company.
“Austerity-driven underinvestment in cybersecurity has made hospitals easy targets and ransomware groups know it,” Lee says. “Governments can’t just issue statements condemning ransom payments – they need to back that up with action.”
Ransomware ban: what’s the potential for blowback?
Hard-line manoeuvres can sometimes backfire. Cybercriminals are, broadly speaking, opportunists; they too innovate, iterate and develop their methods.
In recent years, cybercrime gangs have combined tried-and-tested ransomware attacks with other forms of extortion, such as stealing sensitive data and threatening to release it if ransoms are not paid.
Authorities must therefore consider second-order effects, says Paine. “Cybercriminals are flexible, so they go where the money is and with what works,” she says, adding that an outright ban could divert criminals to other wealthy countries that have not enacted payment bans, or lead them to pursue different types of attacks.
“A ban on ransom payments could incentivise criminals to blackmail individuals or customers of a targeted organisation rather than the organisation itself,” Paine warns. “It could even give rise to a whole new market of cybercriminal activity that we can’t imagine at the moment.”
According to Adam Brown, managing security consultant at Black Duck, an application security platform, criminals may ignore the ban initially but eventually shift their focus to private sector organisations that are legally allowed to pay.
Ransom payments are a quick fix for compromised systems. If such payments are no longer permitted, firms may struggle to restore their operations after an attack, and the effects of prolonged downtimes will be “difficult to stomach,” Brown says. “Criminals could also double down, releasing stolen data in response to a lack of ransom payment and making the impact worse than it would be without the ban.”
Moreover, it’s unlikely the ban would deter attackers who are backed by nation states, because their motives are not typically financial. Brown adds: “I have not found any reports stating that payment bans have an effect on ransomware attacks – only that stronger security controls do.”
Could a ban on payments really work?
No legislative decisions will be made until after April, when the Home Office consultation closes.
The topic is complicated but almost everyone would agree that paying ransoms is undesirable – the question is whether a hard-line ban would help reduce ransomware attacks.
“Ultimately, allowing hospitals to be held hostage by cybercriminals is unacceptable,” argues Lee. “The conversation can’t just be about whether to pay, it needs to be about preventing that choice from ever being necessary in the first place.”
But eliminating digital vulnerabilities in the public sector is no small task. One possible solution, Lee says, is to create a national cyber-emergency-response force that specialises in critical public infrastructure. This task force would both mitigate attacks when they happen and proactively assess and secure systems “before they become easy prey”, he explains.
As Lee puts it: “Hospitals can’t afford to be left stranded when ransomware locks down patient records and shuts down life-saving equipment.” In a world of ever-expanding attack surfaces, more resources – not fewer recovery options – may be key to slowing the tide of attacks against cash-strapped hospitals and local authorities.