Imagine a major NHS trust faces another cyberattack, unable to treat patients or dispatch ambulances. Its only way out is paying a ransom to restore services and save lives. But there’s a problem: a new law that bans UK public bodies from making such payments. Should a public institution be forced to stand idly by, even at the cost of human lives? This is the critical public interest dilemma.
This scenario is not far from reality under the UK government’s new consultation to ban public bodies from paying ransomware. For government departments, such a ban is already in effect, but under the new proposal, it would also apply to schools, NHS trusts, councils, and critical national infrastructure networks.
On the surface, this may seem like a step toward curbing cybercrime. The argument is clear: paying organised criminals funds their operations—extortion, drugs, trafficking, and money laundering—and incentivises further attacks. A ban would, in theory, make these organisations less appealing to ransomware gangs. However, the real-world implications are far more complex.
Unintended consequences
The first issue to consider is the unintended material impact of banning ransom payments. In some cases, the cost of pausing operations can outweigh the cost of paying the ransom and restoring services. The longer recovery efforts drag on, the more widespread the damage becomes, both financially and in terms of public trust. Ultimately, I would suggest, institutions should be allowed to make commercial decisions based on their unique situation.
Consider Florida, one of the two US states that currently prohibit ransom payments. A recent test of the ban occurred when North Miami suffered a cyberattack that disrupted public services. As the city could not pay the demanded ransom, recovery efforts were prolonged, and some services were still down two weeks later. While the goal may have been to curb cybercrime, the fallout from extended service disruption can cause greater harm than simply paying the ransom.
Anatomy of a ransomware attack
Another issue is that ransomware is a global problem, with cybercriminals operating across borders. It demands a global response, akin to the collaboration seen during the fight against terrorism or the pandemic. Governments must impose severe fines and sanctions, and should even consider drastic measures to make cybercrime unprofitable. For example, cutting internet access for countries that host criminal operations could spark public outrage against these bad actors and disrupt their activities.
Due to the cross-border nature of ransomware attacks, a ban imposed by a single nation may do little to deter cybercriminals. Effective deterrence would require a coordinated international ban, but such an approach is not currently feasible.
The issue runs deeper still. A blanket ban on payments could drive ransomware payments underground, as organisations quietly pay through consultants or other third parties to avoid penalties. This lack of transparency would blind intelligence agencies to the scale and nature of cyber threats, ultimately leaving the UK more vulnerable.
Additionally, the critical infrastructure supply chain might shift blame and avoid reporting, further eroding visibility and response capabilities. This lack of accountability could create a dangerous situation where the true scale of the problem remains hidden, allowing cybercriminals to operate unchecked.
A forward-thinking approach
A good example of how to approach ransomware without a ban comes from Australia. In the past, its government considered banning ransom payments for cyberattacks but later decided against it. Instead, it launched a national cybersecurity strategy with initiatives like a ransomware playbook for businesses, mandatory attack reporting, and a ‘no-fault, no-liability’ reporting system to encourage businesses to disclose ransomware payments without fear of prosecution. These efforts aim to strengthen national defences before considering a ransom payment ban.
The Australian government chose to do the hard work first. Its strategy, which focuses on prevention, employee cyber hygiene, and post-incident support, takes the view that cybersecurity should be addressed through preparation and collaboration.
Tackling ransomware isn’t about reacting to attacks; it’s about staying ahead of them. Techniques like TDIR (Threat Detection, Investigation, and Response) help spot threats early, giving organisations a fighting chance to stop attacks before they cause chaos. Good cyber hygiene is equally critical: keeping software updated, training staff to recognise phishing attempts, and locking down sensitive data can make all the difference.
Then there’s AI, which can now sift through mountains of data to spot unusual activity, predict vulnerabilities, and even automate responses to threats. Together, these tools create a strong, proactive defence against ransomware.
The UK needs bold, coordinated action to dismantle criminal networks and protect critical services without compromising public safety. Cybercrime is an endemic problem, and only comprehensive, global measures will turn the tide.