Following their consultation on the ransomware proposal, the UK has decided to ban ransomware payments for certain groups and set new reporting requirements for all.

On July 22, 2025, the United Kingdom (UK) Home Office and National Cyber Security Centre (NCSC) shared that the UK government was upping its efforts to fight ransomware, a problem costing their economy “millions of pounds each year, with recent high-profile ransomware attacks highlighting the severe operational, financial, and even life-threatening risks.” The most consequential part of the news story was the announcement of a plan to ban ransomware payments by public sector organizations, along with critical infrastructure operators.
The ransomware ban is part of the official response to the UK’s ransomware proposal, which was open for the public to comment on from mid-January to early April of this year. The consultation identified ransomware as a prolific security and economic problem in the UK, and offered several solutions with varying levels of specificity, from a total ban on ransomware payments to a ban on only some groups. Outside of banning these payments, the other proposals included creating a regime to prevent ransomware payments, and mandating reporting of ransomware incidents or payments - again with different allowances for all organizations or unique groups.
Now that the commenting has finished, it appears that the second proposal listed in the ransomware consultation (banning critical infrastructure organizations like councils, schools, and the National Health Service (NHS) from making ransomware payments) was extremely popular, with 72% of respondents voicing their support, although there were fewer than 300 responses in total. The other measure that gathered majority backing was mandated reporting of ransom payments to the government, so that the government can offer advice, specifically, discouraging the transaction.
The mandated reporting will not just include ransom payments, but also ransomware incidents. This may “equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities, allowing for better support for victims”, something that evidently appealed to respondents, who “showed strong support” for a protective reporting regime.
Underscoring these efforts, the UK government is continuing to share their advice for protection against serious damage from a successful ransomware attack. The NCSC recommends four main actions:
1. Make regular backups: Organizations should back up their most important files consistently, checking that these backups are kept offline and offsite. Backups should be scanned for malware before they are stored, on devices that are also regularly updated (safe from exploitable vulnerabilities). There should be several copies of the backups, spread across different locations and storage types for maximum protection in the case of an attack.
2. Prevent malware from being delivered and spreading to devices: On your devices, first filter out malicious files, messages, and emails; block malicious websites; and regularly inspect content. To prevent ransomware threat actors from spreading through your organization, disable remote desktop protocol (RDP) services, use multi-factor authentication, check that VPNs meet NCSC guidelines, patch known vulnerabilities, and make sure that accounts used for authentication have the lowest privilege they need. Similarly, malware spread can be limited by staying up to date on user permissions, software versions, and obsolete platforms.
3. Prevent malware from running on devices: In addition to taking the previous steps, organizations should give cybersecurity education and training to employees, manage devices so only approved, secure applications are on company devices, disable autorun for mounted media, and stop macros through a User Mode Code Integrity (UMCI) policy that enforces a PowerShell Constrained Language mode. Ensure that inbound connections are disabled on enterprise firewalls.
4. Prepare for an incident: Create a comprehensive incident management plan that will be available without computer systems, including an internal and external communication strategy, protocol for a ransomware attack, instructions for operating without IT for an extended duration of time, along with clear legal obligations. It’s critical to exercise the plan to clarify staff roles and assess the recovery rollout.
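Several of the NCSC controls above (RDP disabled, autorun disabled, PowerShell Constrained Language Mode, inbound firewall connections blocked) can be verified locally on a Windows host. The following read-only audit script is an added example, not part of the article or of NCSC guidance; the registry paths and the expected values it checks against are this example's own assumptions, and it does not cover backups or multi-factor authentication, which cannot be judged from a single endpoint.

```powershell
# Added example (not from the original article): read-only audit of a few
# NCSC-recommended ransomware mitigations on a Windows host.
# Assumptions: registry locations and expected values below are this
# example's own; run from an elevated PowerShell session.

$findings = @()

function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $script:findings += [pscustomobject]@{
        Control = $Control
        Status  = if ($Pass) { 'PASS' } else { 'REVIEW' }
        Detail  = $Detail
    }
}

# 1. Remote Desktop: fDenyTSConnections = 1 means RDP connections are refused.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                        -Name fDenyTSConnections -ErrorAction SilentlyContinue
Add-Finding 'RDP disabled' ($rdp.fDenyTSConnections -eq 1) `
            "fDenyTSConnections = $($rdp.fDenyTSConnections)"

# 2. AutoRun for mounted media: NoDriveTypeAutoRun = 0xFF (255) disables it
#    for every drive type. A missing value means the default (enabled) applies.
$autorun = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                            -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
Add-Finding 'AutoRun disabled' ($autorun.NoDriveTypeAutoRun -eq 255) `
            "NoDriveTypeAutoRun = $($autorun.NoDriveTypeAutoRun)"

# 3. PowerShell language mode: a UMCI/WDAC policy enforces ConstrainedLanguage,
#    which blocks the .NET and COM access that macro-style loaders rely on.
$mode = $ExecutionContext.SessionState.LanguageMode
Add-Finding 'PowerShell Constrained Language Mode' ($mode -eq 'ConstrainedLanguage') `
            "LanguageMode = $mode"

# 4. Host firewall: each profile should be enabled with inbound traffic blocked
#    by default, so only explicitly allowed rules admit connections.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $ok = ($fwProfile.Enabled -eq 'True') -and ($fwProfile.DefaultInboundAction -eq 'Block')
    Add-Finding "Firewall inbound blocked ($($fwProfile.Name))" $ok `
                "Enabled = $($fwProfile.Enabled), DefaultInboundAction = $($fwProfile.DefaultInboundAction)"
}

$findings | Format-Table -AutoSize
```

Every row marked REVIEW is a setting that differs from the NCSC recommendation on that host; the script changes nothing, so it can be run repeatedly as part of the incident-preparation exercises the fourth action calls for.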
UK officials, like Security Minister Dan Jarvis, have celebrated the upcoming ban: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.”
Jarvis’ comments about ransomware are not overblown. In the UK, ransomware incidents have had devastating effects. A BBC article on one recent ransomware incident that sank a 158-year-old company (leaving 700 people unemployed) shared that the country weathered nearly 19,000 ransomware attacks in 2024. Earlier this year, a series of ransomware attacks on three major retail companies resulted in hundreds of millions of pounds lost in stock market value as sites buffered and shut down at Marks & Spencer, the Co-op, and Harrods. One ransomware attack across several NHS hospitals even led to one patient’s death. Ransomware incidents in critical infrastructure spaces have been a concern for a while, with even reporting requirements appearing in the policy paper for the UK’s new 2025 Cyber Security and Resilience Bill.
Now, leaders in essential organisations and retail are supporting the new changes. Chief Executive of the British Library, Rebecca Lawrance, approved of the new reporting requirements and ransom ban: “The British Library, which holds one of the world’s most significant collections of human knowledge, was the victim of a devastating ransomware attack in October 2023. The attack destroyed our technology infrastructure and continues to impact our users, however, as a public body, we did not engage with the attackers or pay the ransom. Instead, we are committed to sharing our experiences to help protect other institutions affected by cyber-crime and build collective resilience for the future.”
The CEO of Co-op, Shirine Khoury-Haq, also brought the company’s recent hack into her comments: “We know first-hand the damage and disruption cyber-attacks cause to businesses and communities. That’s why we welcome the government’s focus on Cyber Crime. What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”
Though the consultation response document didn’t specify any dates for the rollout of the new policies, the UK’s new ransomware ban and reporting mandates will be well-received by a number of industry leaders when they are enacted.