The End of Ransom Payments?

June 2026, Daryl Flack, Partner
Published on: Teiss

Daryl Flack at Avella Security describes how organisations should prepare if ransomware payments are made illegal in the UK.


The UK Government is taking an increasingly hard line on ransomware. Following its ransomware consultation and subsequent response, the Government has committed to introducing legislation designed to reduce ransom payments, increase incident reporting and disrupt the business model that fuels cyber extortion.

The move reflects growing concern that ransomware has evolved from an IT security issue into a national resilience challenge, affecting public services, critical infrastructure and private sector organisations alike. While the planned restrictions are initially focused on public sector organisations and operators of Critical National Infrastructure (CNI), the implications extend far beyond those sectors. Organisations across the economy will face greater scrutiny over how they prepare for, respond to and recover from ransomware incidents.

For many business leaders, this raises an uncomfortable question: what happens when paying the ransom is no longer an option?

From consultation to legislation

The Government’s response to its ransomware consultation largely confirmed the direction set out in the original proposals.

The rationale is straightforward: organisations delivering essential services should not be funding criminal enterprises, particularly where disruption could have widespread societal consequences.

One of the most significant developments, however, is the proposed ransomware payment prevention regime for organisations outside the scope of the ban. Rather than introducing an immediate economy-wide prohibition, the Government intends to require organisations and individuals to notify authorities before making a ransomware payment.

This would allow the Government to provide guidance, identify potential sanctions issues and gather valuable intelligence on the evolving ransomware threat landscape. Alongside this, mandatory ransomware incident reporting is expected to improve visibility of attacks, support law enforcement investigations and provide policymakers with a clearer picture of the threat facing UK organisations.

Taken together, these measures signal a shift away from reactive crisis management and towards a more proactive approach centred on resilience, accountability and transparency.

The benefits and risks of restricting payments

A ban on ransom payments within critical sectors sends a strong signal that the UK will not support the business model of cyber-criminal groups. Combined with improved reporting, it should provide law enforcement and policymakers with greater visibility of the threat landscape while encouraging organisations to invest in recovery capabilities rather than viewing payment as a contingency plan.

However, there are potential unintended consequences.

Not every organisation currently has the resilience required to absorb a major ransomware attack without considering payment. In some circumstances, particularly where backups are unavailable, incomplete, or compromised, paying may still appear to be the only viable route to restoring critical services quickly or at all.

Without that option, outages could be prolonged and the operational, financial, and reputational fallout significantly more severe. There is also a risk that restrictions could drive payments and incident reporting underground if organisations fear regulatory scrutiny, reputational damage or lengthy service disruption.

Why do organisations continue to pay?

Understanding these challenges helps explain why, despite the risks and growing regulatory scrutiny, many organisations continue to pay ransoms today.

When critical systems are unavailable, customer services are disrupted and financial losses are mounting by the hour, paying a ransom can appear to be the quickest route back to normal operations. In sectors where downtime directly impacts public services, healthcare, manufacturing or logistics, the pressure to restore services rapidly can be immense.

However, paying does not always work.

Many organisations discover that decryption tools are slow, unreliable or ineffective. In some cases, attackers disappear entirely after receiving payment. Others provide keys that only partially restore systems, leaving victims facing lengthy recovery efforts despite having paid substantial sums.

The assumption that payment guarantees recovery remains one of the most persistent myths surrounding ransomware.

Lessons from the British Library attack

The 2023 cyber-attack against the British Library offers a sobering example of what recovery can look like when organisations are forced to rebuild rather than pay.

Following a sophisticated ransomware attack, services remained disrupted for an extended period while systems were restored and infrastructure rebuilt. Researchers, readers and staff experienced months of disruption, access to digital collections was severely affected, and recovery costs ran into millions of pounds.

The incident demonstrates that even well-resourced organisations can face lengthy and costly recovery efforts following a ransomware attack. It also highlights the broader impact cyber-incidents can have when essential services are disrupted.

In sectors such as healthcare, emergency services and critical infrastructure, prolonged outages can have consequences that extend far beyond financial losses. In some cases, the inability to recover quickly can directly affect public safety and wellbeing.

A future where payment is not an option

Whether or not payment restrictions eventually expand beyond the public sector and critical infrastructure, organisations should assume that future ransomware response will be subject to greater scrutiny, reporting obligations and restrictions on payment.

Preparation starts with resilience by design.

Organisations should invest in secure, offline or air-gapped backups that are regularly tested and protected from attacker access. They should deploy comprehensive monitoring and alerting capabilities, alongside Endpoint Detection and Response (EDR) solutions that can identify malicious activity before attackers achieve their objectives. Strong network segmentation remains one of the most effective ways to contain a breach and limit the spread of ransomware.

Equally important is incident response preparedness. Organisations should retain specialist incident response expertise and regularly test response plans through tabletop exercises and simulations. These exercises help both technical teams and senior leadership understand their roles during a crisis and expose weaknesses before a real incident occurs.

Supply chain risk must also be addressed. Many ransomware attacks now exploit trusted third parties, including managed service providers (MSPs), software suppliers, and IT partners. Organisations should assess inherited risks, strengthen supplier assurance processes and ensure that critical vendors meet appropriate security standards.

Finally, organisations should begin preparing for new reporting and governance requirements now, in order to build the operational resilience needed to respond decisively under pressure, recover critical services quickly and maintain stakeholder confidence.

Resilience by design

The Government’s plans represent one of the most significant shifts in the UK’s approach to ransomware to date.

While the transition may be challenging, particularly for resource-constrained public-sector organisations, organisations should no longer assume that paying a ransom will remain a viable, last-resort recovery option.

The organisations that emerge strongest will be those that have invested in preparation, tested their recovery capabilities and embedded resilience throughout the business.
