On 14 January 2025, the Home Office opened a public consultation (the "Consultation") on proposals seeking to address the growing threat and impact of ransomware in the UK.
The UK Government details three specific proposals in the Consultation to tackle the problem of ransomware in the UK:
1. a ban on ransomware payments being made by public sector bodies and owners and operators of Critical National Infrastructure ("CNI"), such as energy supply, water supply, transportation, health, and telecoms;
2. the introduction of a ransomware payment prevention regime; and
3. the implementation of a ransomware incident reporting regime.
What is ransomware?
The Home Office defines 'ransomware' as:
"A type of malicious software ("malware") that infects a victim's computer system(s). It can prevent the victim from accessing system(s) or data, impair the use of system(s) or data and/or facilitate theft of data held on the victim's networked systems or devices. A ransom is demanded (normally payment of cryptocurrency) from the victim to regain access to the system(s); for data to be restored; or for data not to be published on criminal-operated data leak websites."
The Home Office definition is consistent with the definition adopted by the main industry bodies, such as ISO, ENISA, and NIST.
The WannaCry incident in 2017 is one of the most high profile recent examples of a ransomware attack. This attack infected around 230,000 computers in over 150 countries within a matter of hours. The ransomware in this case encrypted files on the infected computers and demanded payment in Bitcoin for access to be restored. Victims were given a deadline to make payment on threat of the ransom amount doubling or files being permanently locked. The overall financial impact of the incident was estimated at around $4 billion in losses.
Is ransomware a problem in the UK?
In short, yes.
The UK's National Cyber Security Centre published a white paper concerning ransomware in 2023 in which it identified ransomware as the most significant, serious, and organised cyber crime threat facing the UK. Similarly, the UK National Crime Agency has also identified the deployment of ransomware as the greatest cyber, serious and organised crime threat to the UK, highlighting the threat to CNI and national security.
In the Consultation document, the Home Office explains that "ransomware is considered the greatest of all serious and organised cyber crime threats, the largest cyber security threat, and is treated as a risk to the UK's national security by the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC)".
The Home Office goes on to note that "in 2023, incidents of ransomware attacks reported to the Information Commissioner's Office reached their highest level since 2019, and private sector reporting to the National Crime Agency indicates that the number of UK victims appearing on ransomware data leak sites has doubled since 2022".
What do the Proposals intend to achieve?
If enacted, the Proposals intend to assist the Home Office in achieving the following three overarching aims:
(i) reduce the amount of money flowing to ransomware criminals from the UK (thereby deterring criminals from attacking UK organisations);
(ii) increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing its intelligence around the ransomware payment landscape; and
(iii) enhance the UK Government's understanding of the threats in this area to inform future interventions, including through cooperation at an international level.
What are the Proposals?
Proposal 1: Targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of CNI, that are regulated, or that have competent authorities.
This would see the UK adopting a position that goes beyond the current principle that central government departments must not make ransomware payments, by imposing a prohibition on all organisations in the UK public sector (including local government), and CNI owners and operators, from making ransomware payments.
There are 13 'national infrastructure' sectors (e.g., chemicals, civil nuclear, communications, energy, finance, transport, etc.). The UK Government defines CNI as the elements of national infrastructure, the loss or compromise of which could result in "a) [m]ajor detrimental impact on the availability, integrity or delivery of essential services - including those services whose integrity, if compromised, could result in significant loss of life or casualties - taking into account significant economic or social impacts; and/or b) [s]ignificant impact on national security, national defence, or the functioning of the state".
There is no discussion in the Consultation document on the downstream or collateral impact that such a prohibition could have. For example, by implementing a targeted ban in this way, what might the potential impact be on other economic operators not subject to a ban (e.g., could there be an increase in attacks targeted at such entities, and/or could the threat to individuals / small business be further increased)? The responses to the Consultation may draw this out and/or the UK Government may address the possible impact in a future publication.
Proposal 2: A new ransomware payment prevention regime to cover all potential ransomware payments from the UK.
Organisations and individuals that fall victim to ransomware (save for those covered by the ban set out in Proposal 1) would be required to notify the authorities of their intention to make a ransomware payment (within 72 hours of the ransom being sought) before sending funds to the criminals responsible, to be followed with a full report within 28 days. The authorities would then review the notification to determine whether the proposed ransomware payment should be blocked (e.g., where the payment could go to criminals subject to sanctions designations, or in violation of terrorism finance legislation).
The Consultation document briefly discusses the possibility of imposing criminal and/or civil penalties for non-compliance, such as in circumstances where an organisation that has fallen victim to a ransomware attack makes payment after being told not to by the relevant authority. There may be pushback on this specific point if such an approach is adopted, as it could result in a scenario where the only party involved in a ransomware attack that faces sanctions is the victim (since it is typically extremely difficult to identify and/or apprehend or sanction the attackers).
Proposal 3: A ransomware incident reporting regime.
Suspected victims of ransomware would be required to notify the authorities of a ransomware incident, even if the victim has no intention to pay the ransom. The Home Office is exploring whether this should be economy-wide, or whether it should only impact organisations and individuals meeting a certain threshold (e.g., possibly where the demanded ransom exceeds a certain GBP amount).
Overlapping legislation
Organisations covered by the Proposals are already required to report qualifying personal data breaches to the UK Information Commissioner's Office ("ICO") under the UK General Data Protection Regulation, and may also be required to submit notifications to the ICO under the Network and Information Systems Regulations 2018 and the Privacy and Electronic Communications Regulations (depending on the nature of activities carried out). At this point, it is unclear how the Proposals are intended to interact with these existing requirements.
What happens next?
The Consultation closes at 5pm on 8 April 2025, and a response paper will be published in due course. Please contact John Timmons or Joe Devine if you have any questions, or if you require assistance with submitting comments in response to the Consultation.
Sulaiman Iqbal (White & Case, Trainee Solicitor, London) contributed to the development of this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP
