The United Kingdom has unveiled plans to prohibit public sector bodies and critical national infrastructure operators, including the National Health Service (NHS), local councils, and schools, from paying ransom demands to cybercriminals.
The decision, announced on Tuesday, comes in response to a wave of high-profile ransomware attacks that have targeted vital British institutions. From the devastating “WannaCry” attack in 2017 that brought the NHS to a standstill, to the British Library’s refusal to yield to ransom demands in 2023, the UK has faced escalating cyber threats with serious operational and financial consequences.
“We’re determined to smash the cybercriminal business model and protect the services we all rely on,” said Security Minister Dan Jarvis. “This is a clear message: the UK stands united against ransomware.”
Ransomware is a form of malicious software that infiltrates computer systems, encrypts data, and demands payment for its release. According to government estimates, such attacks cost the UK economy millions of pounds annually and pose life-threatening risks. A recent cyberattack on the NHS was cited as contributing to a patient’s death, highlighting the human cost of cybercrime.
To strengthen national resilience, the UK will introduce a ransomware payment prevention regime and a mandatory incident reporting framework. While private businesses won’t be banned from paying ransoms, they will be required to notify authorities before doing so. This will allow the government to offer guidance, while also helping law enforcement gather critical intelligence to track and disrupt cybercriminal networks.
Major British companies, including Marks & Spencer and the Co-op Group, have also been targeted in recent months, raising alarms about cybersecurity preparedness in the private sector.
With these new measures, the UK is aiming to deter cybercriminals, protect public infrastructure, and promote a more coordinated response to the growing ransomware threat.
