
A Ransom Payment Ban Is Coming, But How Realistic Is It?

August 2025, Daryl Flack, Partner
Published on: SC Magazine

What was the result of the government consultation on banning ransom payments and how easy will it be to implement in practice?


When a ransom payment ban was first mooted earlier this year, it faced opposition across several fronts. It is a good idea in theory, with the intention of taking away the incentive for attackers to use the data-locking malware against critical services. 


Experts have pointed out that it could lead those hit by ransomware to cover up attacks, further fuelling the model and making the problem worse. At the same time, critical services could end up crippled if they aren’t prepared for and resilient against attack.


However, following a UK government consultation, the payment ban is now confirmed, impacting public sector bodies and operators of critical national infrastructure (CNI).


While private sector organisations are not subject to a ban, they will be required to notify the government before making ransom payments. In addition, all organisations will be subject to mandatory incident reporting – with an initial response required within 72 hours, and a full breakdown due within 28 days.


So, what was the result of the consultation and how easy will the ban be to implement in practice?


Consultation Results


The government submitted three proposals. The first was a targeted ban on ransomware payments for all public sector bodies and CNI. This received agreement from 72% of respondents, with 68% saying a targeted ban would be effective in reducing money flow to ransomware criminals.


The second proposal was for an economy-wide ransom payment prevention regime, with ransomware victims required to report their intent to pay to the government. Just under half of respondents (47%) agreed with the idea.


The third was for a threshold-based regime, which would require firms to meet certain criteria before needing to report. This received greater support, with 63% agreement.


There is precedent for mandatory ransomware reporting – Australia proposed reporting requirements in 2023, and the US is implementing similar measures through the Cyber Incident Reporting for Critical Infrastructure Act.


As it stands, the UK will be the only country with a legislated public sector ransomware payment ban, says James Watts, managing director at Databarracks.


For private businesses, the legal option to pay a ransom remains, but the introduction of mandatory reporting “changes the calculation dramatically”, says Watts. “Organisations will think twice before paying ransoms, not because it’s illegal, but because of the reputational risk that comes with disclosing a breach and a payment.”


Pros And Cons Of A Ban


Experts are widely in favour of a ban. Among the pros, banning ransomware payments seeks to reduce the revenue stream for adversaries, says Ryan Hicks, VP of threat intelligence at Kroll. “If threat actors understand the public sector is unattractive in terms of financial gain, services that affect the UK population may become less of a target. For public sector organisations, this also could potentially reduce the taxpayer burden of supporting these payment costs.”


Increasing the reporting required by organisations could have the benefit of providing intelligence for use by UK agencies seeking to understand and eliminate ransomware, says Hicks. “Details such as the infrastructure used, vulnerabilities exploited and targets sought by these threat actors could provide valuable insight for takedown actions.”


By cutting off a revenue stream, the ban aims to “starve the machine that powers ransomware operators”, says Rob Dartnall, director of intelligence at SecAlliance. This mirrors the military logic that cutting off an enemy’s finances can inflict deeper, longer-term damage than direct confrontation, he says.


Dartnall compares this to his intelligence work, where disabling funding lines for terrorist cells dealt “lasting blows” to recruitment, weapon procurement and morale. “Applied to cybercrime, removing predictable ransom payouts has the potential to curb the attacker’s ability to acquire new tools, grow their network and reinvest in future campaigns.”


Yet despite the consultation, there are still issues with a ban as it is proposed. If a critical service is hit and is legally barred from paying, but doesn’t have the tools to recover, operations could stall – or worse, says Chris Boehm, field CTO at Zero Networks.


There’s also the chance attackers will shift tactics: “More data leaks, more pressure,” he adds.


Working Within The Proposed Guidelines


The ban is coming, but how realistic is it for organisations to work within the proposed guidelines? Experts say it will be a challenge, but not impossible.


For the private sector, particularly large and regulated firms, the requirements are “an added regulatory burden”, but “not insurmountable”, says Daryl Flack, partner at Avella Security. “The reporting expectations are reasonable and align with broader trends in security governance.”


The principle is “sound”, but the practical challenges are “significant”, says Watts. For some organisations, the choice will be between paying a ransom or ceasing operations – which simply isn’t viable, he says. 


It’s also important to remember that bans and mandatory reporting aren’t the only levers to disincentivise ransomware payments, says Watts. In the private sector, cyber insurance has proven to be “a powerful influence”, he says. “When insurers set terms that only cover losses if systems are restored without paying attackers, it steers businesses toward stronger resilience and away from payment as a default option.”


For the public sector, however, it’s a different story. “Legacy systems, tight budgets and chronic underinvestment in IT mean many organisations will face long and costly transformation programmes,” says Flack.


The real issue is that, foundationally, the success of this legislation will depend upon a single event: a large organisation notifying the government that it has to pay because it doesn’t have any backups, says Chris Taylor, principal incident response analyst at NormCyber.


If specific criteria must be met for payment, such as compromised backups, the legislation slightly changes adversary behaviour rather than disrupting the criminal market, he says. 


In this case, the ban would mean organisations need to recover from backups, which further incentivises attackers to corrupt them, Taylor says. “Without backups, the company will need to rebuild systems and accept that data is lost. This will have a significant impact on some organisations.”


To work within the proposed guidelines, public sector bodies need to be confident they can recover from a ransomware attack without making a payment. The only way to do this is through resilience, in the form of a baseline of preparedness, says Watts. “This includes secure, air-gapped and immutable backups and a recovery process that has been tested under pressure.”
