UK Considers Banning Ransomware Payments


The U.K. government is considering banning ransomware payments to make critical industries “unattractive targets for criminals.” The ban would apply to all public sector bodies and critical national infrastructure (CNI), which includes NHS trusts, schools, local councils, and data centres.

Currently, all government departments nationwide are banned from paying cyber criminals to decrypt their data or prevent it from being leaked. This rule intends to protect the services and infrastructure the British public relies on from financial and operational disruption.

The health sector is classified as CNI, so withholding ransomware payments could impact patient care. According to Bloomberg, the attack on pathology company Synnovis last June, which led to months of NHS disruption, resulted in harm to dozens of patients, with long-term or permanent damage in at least two cases.


Organisations must also report ransomware attacks within three days

On top of the ban, the proposed legislation will make it mandatory for organisations to report ransomware attacks within 72 hours of becoming aware of them. This is so law enforcement remains up to date on who is being targeted and how, which aids their investigations into organised crime groups and enables them to publish helpful advisories.

The Home Office also wants to institute a ransomware payment prevention regime that would involve educating businesses on responding to a live threat and criminalising unreported payments. It is hoped that this will both increase the National Crime Agency’s awareness of attacks and reduce the number of payouts made to hackers, especially payments made in exchange for data suppression.

On Jan. 14, the Home Office opened a consultation on these three proposals, which will run until April 8. Ultimately, the goal is to reduce the sum of cash criminals extract from U.K. companies and boost understanding of the ever-changing ransomware landscape to aid prevention and disruption efforts.

“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate,” security minister Dan Jarvis said in a press release.

The proposed approach to improving the country’s cyber security appears to echo that of the U.S. The federal government mandates compliance with its cyber security initiatives for federal agencies and regulated industries, hoping other businesses will voluntarily follow suit.

Blanket ban could disproportionately impact small businesses and non-critical sectors

Within the documentation outlining the proposals, the Home Office acknowledges the potential for the legislation to disproportionately impact small and micro-businesses “which cannot afford specialist ransomware insurance, or clean up specialists.”

These SMBs will have less employee capacity during an attack to engage with the government and meet reporting deadlines. As a result, they may feel that the only option to retain their business is to pay to decrypt data.


Alejandro Rivas Vasquez, the global head of Digital Forensics and Incident Response at security firm NCC Group, said in a statement that the blanket rule could create “unfair and administrative burdens that become complex and unmanageable” for smaller businesses.

He said: “Instead of a one-size-fits-all approach, we’d recommend the government explore a less burdensome obligation that could be applied to smaller businesses, or focus on incentivising businesses to improve their security posture, rather than punitive action.”

Vasquez added that applying the ban only to public sector bodies and CNI could impact other industries. “A blanket ban could place a larger target on sectors not included in the ban, such as manufacturing, which doesn’t currently fall under the scope,” he said. Manufacturing was the second most targeted industry for ransomware last year, after services, and saw a 71% year-on-year increase.

Furthermore, the legislation would not impact hackers who are motivated by factors other than money. As Vasquez said: “In geopolitically motivated attacks, which can be launched by nation states, ransomware is a tool to cripple critical national infrastructure and steal sensitive data – money is not the objective. Banning payments would be futile in stemming such attacks – the hackers would already have the data they need.”

U.K.’s cyber risks are ‘widely underestimated’

In December, Richard Horne, head of the U.K.’s National Cyber Security Centre, warned that the country’s cyber risks are “widely underestimated.” He said that hostile activity had “increased in frequency, sophistication, and intensity,” largely from foreign actors in Russia and China.

According to the NCSC’s Annual Review 2024, the agency handled 430 incidents this year compared to 371 in 2023. Of these, 13 were “nationally significant” ransomware incidents threatening essential services or the wider economy.


The report called ransomware the most pervasive threat to U.K. businesses, especially in academia, manufacturing, IT, legal, charities, and construction.

According to the NCSC, the spread of generative AI has been found to increase the risk of ransomware by providing “capability uplift” to attackers. Amateur attackers can use it for crafting social engineering materials, analysing exfiltrated data, writing code, and conducting reconnaissance, which essentially lowers the barrier to entry.
