UK Government Considers Nationwide Ban on Ransomware Payments by Critical Infrastructure Operators
The UK government has launched a consultation to assess the possibility of implementing a ban on ransomware payments for operators of critical national infrastructure.
Unveiled by the Home Office on January 14, the proposal suggests implementing a “targeted ban” that would encompass sectors such as energy, healthcare, and local councils, expanding on the existing prohibition for government departments.
Ransomware attackers frequently demand cryptocurrency as payment. Similar bans have been contemplated by other countries, including Australia and the United States, as a means to combat cybercriminal activities.
UK Plans to Cut Cybercriminal Funding for National Security
UK Security Minister Dan Jarvis stated that the proposal aims to enhance national security by cutting off financial resources for cybercriminals.
“These proposals help us tackle the magnitude of the ransomware threat, impacting these criminal networks financially and severing the key financial pipeline they rely on to operate,” said Jarvis.
The Home Office clarified that the proposed measures would make essential services less appealing as targets for cyberattacks.
Additional elements of the proposal include a system for preventing ransomware payments, which would give victims guidance and provide mechanisms to block payments to known criminal groups and sanctioned entities.
A mandatory reporting framework for ransomware incidents is also being considered to enhance law enforcement’s ability to track and dismantle repeat offenders.
The consultation follows a series of high-profile cyberattacks in the UK.
In January 2023, the Royal Mail experienced a ransomware attack that disrupted international shipping operations, while a breach in August 2022 at Advanced Computer Software Group exposed the personal data of nearly 83,000 individuals.
According to the Home Office, such incidents have had “devastating impacts” on public services.
The National Cyber Security Centre (NCSC) reported managing 430 cyber incidents in the year ending August 2024, including 13 nationally significant attacks that caused severe harm to essential services or the economy.
The 2024 NCSC Annual Review identified ransomware attacks as the most immediate and disruptive cyber threat.
Notable incidents included a June 2024 attack on Synnovis, which resulted in delays to medical procedures, and an October attack on the British Library that compromised its online systems.
The consultation, scheduled to run until April 8, underscores the increasing global effort to address ransomware threats.
Australia and the U.S. have also explored bans on ransomware payments.
UK Introduces Crypto Legislation
In September, the UK government introduced a new bill aimed at clarifying the legal status of digital assets, including non-fungible tokens (NFTs), cryptocurrencies, and carbon credits, as “things” and “personal property” under the nation’s property laws.
The UK has been among the countries that have intensified regulatory efforts following some high-profile bankruptcies last year.
The Financial Conduct Authority (FCA) oversees crypto activities, with a focus on anti-money laundering measures and consumer protection.
Last year, the FCA implemented new rules that require crypto firms to register with the financial regulator and have their marketing materials approved by an FCA-authorized firm.
Key updates include a requirement for exchanges to give customers clear warnings about the risks associated with crypto investments.
The FCA has warned that failure to comply can result in criminal charges, including unlimited fines and up to two years’ imprisonment, for domestic and overseas exchanges operating in the UK.