The British government is consulting on a ban on ransomware payments, intended to make critical sectors less attractive targets for criminals. The ban would cover all public sector bodies and operators of critical national infrastructure, including NHS trusts, schools, local authorities and data centers.
Government departments are already barred from paying cyber criminals to decrypt their data or to prevent its release; the proposal would extend that rule. The aim is to protect the services and infrastructure the British public relies on from financial and operational disruption.
Healthcare is classed as Critical National Infrastructure (CNI), so a refusal to pay can have consequences for patient safety. According to Bloomberg, last June's attack on the pathology provider Synnovis, which disrupted NHS services for months, harmed a number of patients, with long-term or permanent harm in at least two cases.
Organizations would also have to report ransomware attacks within three days
Alongside the ban, the proposed legislation would require organizations to report ransomware incidents within 72 hours of becoming aware of them. The reporting duty is meant to give law enforcement visibility of which organizations are under attack, support investigations into the organized criminal groups behind the attacks, and let agencies issue timely advisories.
The Home Office also wants to set up a ransomware payment prevention regime, under which businesses would be guided on handling an active attack and payments that are not reported would be criminalized. The objective is to improve the National Crime Agency's visibility of attacks and reduce the number of ransoms paid, particularly those paid to keep stolen data from being published.
The Home Office opened a consultation on these three proposals on January 14; it runs until April 8. The stated goals are to reduce the amount of money criminals extract from U.K. organizations and to build a better understanding of the evolving ransomware landscape so that prevention and disruption efforts can be targeted more effectively.
“These suggestions enable us to confront the magnitude of the ransomware peril, striking these criminal networks in their finances and severing the chief financial conduit they depend on to function,” stated security minister Dan Jarvis in a press release.
The approach resembles the U.S. model, in which the federal government mandates compliance with its cybersecurity requirements for federal agencies and regulated sectors and expects other businesses to adopt them voluntarily.
Blanket ban could disproportionately affect small businesses and non-essential sectors
In the document setting out the proposals, the Home Office acknowledges that the rule could weigh heavily on small and micro-businesses, “which lack the resources for specialized ransomware insurance or cleansing services.”
During an attack, such businesses may not have the staff to liaise with government bodies and meet reporting deadlines, and may see paying for a decryptor as the only way to keep operating.
Alejandro Rivas Vasquez, global head of Digital Forensics and Incident Response at security firm NCC Group, warned in a statement that a blanket ban could create “unjust and administrative burdens that become intricate and unmanageable” for smaller enterprises.
He suggested, “Instead of a uniform approach, we advocate for the government to explore a less burdensome commitment tailored to smaller enterprises, or concentrate on incentivizing businesses to upgrade their security posture, rather than resorting to punitive measures.”
Vasquez also noted that a ban limited to public sector bodies and CNI could shift attacker attention to other sectors. “A blanket prohibition may draw more attention to sectors outside its scope, like manufacturing, which is currently not included in the scope,” he said. Manufacturing was the second most targeted industry for ransomware last year, after services, with attacks up 71% year on year.
The legislation would also do nothing to deter attackers whose motive is not financial. Vasquez said: “In politically inclined attacks, often orchestrated by nations, ransomware is a tool to incapacitate critical infrastructure and pilfer sensitive data – money is not the primary goal. Banning payments would prove ineffective in halting such attacks, as the hackers would have already acquired the necessary data.”
United Kingdom’s cyber vulnerabilities have been significantly underestimated
In December, Richard Horne, chief executive of the U.K.'s National Cyber Security Centre (NCSC), warned that the country's cyber risks are “significantly underestimated.” Hostile activity, he said, had “escalated in frequency, complexity, and intensity,” much of it from actors based in Russia and China.
The NCSC's Annual Review 2024 reports that the agency handled 430 incidents in the year it covers, up from 371 the year before. Thirteen of those were ransomware incidents the NCSC judged nationally significant, meaning they threatened essential services or the wider economy.
The review identifies ransomware as the most pervasive cyber threat to U.K. organizations, with academia, manufacturing, IT, legal services, charities and construction among the hardest-hit sectors.
The NCSC also assesses that generative AI is raising ransomware risk by giving less skilled attackers a capability uplift: they can use it to write social-engineering lures, sift through exfiltrated data, write code and carry out reconnaissance, which lowers the barrier to entry.
