Preparing your organisation for a potential ransomware payment ban

The increased prevalence of ransomware attacks is forcing the UK, along with many other countries, to explore mitigation tactics. One option is a targeted ransomware payment ban, intended to cut off the cybercriminals' funding mechanism.

In 2024, global ransomware attacks increased by 11% from the previous year. According to Microsoft, ransomware remains a top cybersecurity concern for most businesses, with a 2.75x year-over-year increase in human-operated ransomware-linked encounters observed in its Digital Defense Report 2024.

The UK’s proposed ransomware payment ban
In 2025, the UK Government launched a consultation on three measures to help reduce payments to cybercriminals and increase ransomware incident reporting. The hope is that, once victims stop paying, the threat actors' business model becomes unsustainable and the ban renders the UK, and its essential infrastructure, an "unattractive target".

Currently, a ban on ransom payments exists for central government departments, but this could be expanded to include every public sector body, as well as private sector organisations that are considered vital for critical national infrastructure (CNI). Industries falling under the CNI banner include defence, finance, energy, food, transport, and water.

The UK's decision may have been influenced by numerous high-profile attacks on public bodies and CNI across the world. Two prominent examples are:

  • In 2024, NHS England suffered the theft of 400GB of patient data. The confidential information, managed by pathology testing organisation Synnovis, was stolen in a ransomware attack by Qilin, a cyber-criminal group.

  • In 2021, cybercriminals conducted a ransomware attack on the US' Colonial Pipeline, a critical piece of CNI. The resulting pipeline shutdown disrupted fuel supply to the US East Coast, and a ransom of $4.4 million was paid, a decision the CEO recognised was "controversial", although a large proportion of the ransom was eventually recovered by US law enforcement.

The UK is not the only country seeking to reduce ransom payments to cybercriminals. In November 2023, at the third annual Counter Ransomware Initiative (CRI), a majority of the attending government representatives from 48 countries signed a pledge against paying ransoms to hackers.

What would a payment ban necessitate?
A ban on ransomware payments would be a significant intervention, requiring substantial oversight and rapid decision-making from a public body, since a victim facing a ban still has to be told quickly what it may and may not do while its systems are down.

In advance of any payment ban, organisations will have to be confident of their ability to protect their business and to respond to any attack without relying on a decryption key from the attacker. This includes implementing measures such as:

  • Strong defensive and resilience policies

  • Comprehensive recovery procedures

  • Streamlined and rapid incident response plans

However, despite improved mitigation, the speed at which the online threat landscape is evolving could still see businesses fall victim to malware attacks with ransom demands. If CNI or emergency services are prohibited from paying extortion demands, this could place lives in danger as systems and services go offline.

It is unlikely a targeted ban will reduce the overall number of ransomware attacks. Accordingly, there is concern that a ban could instead increase the number of attacks on organisations that are not part of CNI or the public sector, since those victims would still be able to pay.

Rejecting payment demands
While legislation may force companies to refuse extortion demands, there is already precedent for organisations choosing not to pay.

  • In the US, mortgage lender LoanDepot was attacked by a ransomware group in 2024. The company refused to pay the $6 million ransom demand, opting instead to absorb recovery costs projected to reach up to $17 million, a choice primarily motivated by concerns about funding criminal groups with potential geopolitical ramifications. LoanDepot brought in outside digital forensic and cybersecurity experts to investigate and remediate the attack, and asked customers to use telephone or mail to make payments in the meantime. To keep customers up to date with an evolving situation, LoanDepot issued bulletins via a new, dedicated website.

  • Britain's National Cyber Security Centre believes that the British Library "should be applauded" for its refusal to pay an extortion fee during a 2023 ransomware attack. A historically complex network topology had allowed the attackers to compromise more systems, and reliance on legacy infrastructure significantly lengthened the time required to recover. The British Library decided on a rebuild of its digital infrastructure and a phased restoration of systems; to achieve this, legacy systems required either migration to new versions, substantial modification, or complete rebuilds.

  • In 2021, Japanese multinational Fujifilm resisted an extortion demand from a ransomware gang after an attack on its servers. Fujifilm immediately established a special task force, including external experts, and shut down all networks and servers to determine the scale of the issue. Ignoring the ransom demand, the firm opted instead to rely on backups to restore operations.

Building resilience against extortion demands for all businesses
Regardless of proposals from national authorities to ban paying ransomware demands, all businesses can focus on building and enhancing their cyber hygiene and protection capabilities.

Implementing best-practice measures reduces the risk of falling victim to a ransomware attack and, when an attack does succeed, enables the organisation to resume operations from its own copies of data and systems rather than from a purchased decryption key.

Recommended steps include:

  • Establishing backups for company networks and systems
    Keep copies on separate media, off-site and in the cloud, and keep at least one copy offline or immutable so that an attacker who reaches the backup host cannot encrypt or delete it. Modern ransomware crews routinely hunt for backups before detonating, so a backup that shares credentials with the production network is not a recovery option. Test restores regularly: a backup that has never been restored is not a recovery plan.

  • Developing an incident response plan
    This should aim to identify incidents early and manage their effects efficiently to minimise operational and financial impact. The plan should state in advance who decides whether to engage with an extortionist, so that the decision is not made under pressure on the day.

  • Improving employee education
    Staff should be trained to recognise and report threats such as phishing and business email compromise, and should feel able to report a suspected mistake without fear of blame, since early reporting shortens the attacker's window.

  • Implementing multi-factor authentication (MFA)
    MFA makes it much harder for a threat actor holding stolen credentials to get into your organisation's email, cloud services or network. Phishing-resistant methods such as FIDO2 security keys or passkeys are stronger than SMS codes or push approvals, which attackers can intercept or fatigue users into accepting.

  • Building network segmentation
    Segmentation makes it harder for an attacker to reach their goal once inside the network: the compromised workstation or server may have no route to the sensitive data, backup systems or critical assets being targeted, which limits how far the encryption can spread.

  • Installing threat detection tools
    Security tools such as endpoint detection and response and centralised logging supplement employee vigilance by detecting and blocking malicious activity, and they give responders the evidence needed to establish how far an intrusion has spread.
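The backup recommendation above stands or falls on two checks: that the backup set can actually be restored, and that nothing in it has been overwritten since it was written. The following Python script is an added example, not Lockton's code or anything from the organisations named on this page. It builds a SHA-256 manifest of a backup directory, verifies the live backup against a trusted copy of that manifest, and applies an append-only rule that rejects any new snapshot which changes or drops an existing object. The sample files and the simulated in-place encryption are constructed for the drill; the example assumes the trusted manifest is stored somewhere the backup host cannot write to (object-locked or offline storage), because a manifest the attacker can rewrite proves nothing.

```python
"""Backup integrity drill: hashed manifest, tamper check, append-only snapshot rule."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup objects are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative POSIX path) to its SHA-256 hex digest."""
    backup_dir = Path(backup_dir)
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, trusted_manifest: dict) -> dict:
    """Compare the live backup set against a manifest kept out of the attacker's reach.

    'modified' is the ransomware signal: a backup object whose bytes changed after it
    was written has been overwritten (typically encrypted in place). 'missing' covers
    deletion, which crews also do before detonating on production systems.
    """
    current = build_manifest(backup_dir)
    missing = sorted(k for k in trusted_manifest if k not in current)
    modified = sorted(k for k, v in trusted_manifest.items()
                      if k in current and current[k] != v)
    extra = sorted(k for k in current if k not in trusted_manifest)
    return {"ok": not (missing or modified),
            "missing": missing, "modified": modified, "extra": extra}


def accept_new_snapshot(previous: dict, candidate: dict) -> bool:
    """Append-only rule: a new manifest may add objects but never change or drop existing ones."""
    return all(candidate.get(k) == v for k, v in previous.items())


def restore_drill() -> dict:
    """End-to-end drill on constructed data: clean verification, then a simulated attack."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample backup objects (not real customer data).
        (backup / "db" / "customers.sql").write_bytes(
            b"INSERT INTO customers VALUES (1, 'alice');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")

        # In production this manifest is written to WORM/object-locked storage at backup time.
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulate ransomware reaching the backup share: one object encrypted in place
        # (random bytes stand in for ciphertext), one object deleted.
        (backup / "db" / "customers.sql").write_bytes(os.urandom(64))
        (backup / "config.yaml").unlink()
        tampered = verify_backup(backup, manifest)

        return {
            "clean_ok": clean["ok"],
            "tampered": tampered,
            "append_only_accepted": accept_new_snapshot(manifest, build_manifest(backup)),
        }


if __name__ == "__main__":
    print(restore_drill())
```

Run it as a scheduled job against each backup target with the manifest fetched from the immutable store, and treat any non-empty `modified` or `missing` list as an incident rather than a warning: if the backups are being altered, the production network is usually already compromised.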

Acting with us
Whatever form payment legislation eventually takes, building resilience within your business against ransomware threats is key.

Lockton can provide support for organisations looking to improve cyber security protocols and enhance their resilience. Securing cyber insurance can be a key step in achieving this. Policies can indemnify potential losses, and also cover associated incident response fees.

For more information on how to mitigate ransomware risks, contact a member of Lockton's Cyber & Technology Practice.