The UK government is set to prohibit public sector organisations from paying ransoms to cybercriminals, as part of a broader effort to deter ransomware attacks and strengthen national cyber resilience. Under the new policy, private businesses will also be required to notify authorities if they intend to comply with hackers’ demands.

Announced by Home Office security minister Dan Jarvis, the move is intended to send a strong signal to global cybercriminal networks that “the UK is united in the fight against ransomware.” The policy follows high-profile attacks in recent years, including a major 2023 breach at the British Library and incidents affecting NHS hospitals in London.

The government said nearly 75% of responses to a recent consultation supported the proposal. As a result, organisations such as the NHS, local councils, and schools—alongside other operators of critical national infrastructure—will be barred from paying ransoms.

While experts note that UK public bodies rarely pay ransoms, the government aims to eliminate any ambiguity in its stance. Alan Woodward, a cybersecurity expert at the University of Surrey, said the move is largely symbolic but important for communication: “This puts hackers on notice—many might not have known the UK doesn’t pay, and now they will.”

For private sector firms not subject to the ban, any intention to pay ransoms must be reported to the government. The Home Office said this will allow officials to offer guidance, including warnings about potential violations of sanctions laws—many ransomware gangs are linked to sanctioned entities in countries like Russia.

Minister Jarvis emphasized that the policy’s goal is to disrupt the financial incentive behind ransomware. “We want to smash the cybercriminal business model,” he said. “By working with industry, we’re making it clear the UK will not tolerate these attacks.”

According to industry data, ransomware gangs extorted over $1 billion globally in 2023. UK officials argue that refusing to pay ransoms removes the profit motive that fuels this type of cybercrime. As noted in the government’s consultation, criminal gangs calculate their ransom demands based on victims’ perceived willingness to pay.

Jonathon Ellison, director of national resilience at the National Cyber Security Centre (NCSC), called ransomware a “serious and evolving threat.” He urged all organisations to bolster their cyber defences using frameworks like Cyber Essentials and services such as the NCSC’s free Early Warning system.

“These new measures will help disrupt the criminal ecosystem harming our economy,” Ellison said. “Organisations must stay vigilant and prepared to respond, recover, and maintain continuity in the face of attacks.”