UK public sector organizations and critical infrastructure operators will be banned from paying ransomware demands under groundbreaking new legislation designed to disrupt the cybercriminal business model.

Security Minister Dan Jarvis announced in July 2025 that the government will proceed with the world’s first national ban on ransomware payments by public bodies, following a consultation where nearly three-quarters of respondents supported the measure. The ban will prohibit hospitals, schools, local councils, and operators of critical national infrastructure from making ransom payments to cyber criminals, marking a significant escalation in the UK’s fight against ransomware.

Key takeaways

The legislation represents a comprehensive three-pronged approach:

  1. A targeted payment ban for public sector bodies
  2. Mandatory reporting requirements for ransomware incidents
  3. A payment prevention regime requiring private businesses to notify the government before making ransom payments.

How the ban should work

The ban specifically aims to make public sector organizations less attractive targets for ransomware groups by removing their primary financial motivation. “We’re determined to smash the cybercriminal business model and protect the services we all rely on,” stated Security Minister Dan Jarvis. Central government departments are already banned from using taxpayer funds to pay ransoms.

Under the new law, the National Health Service (NHS), local councils, schools, and operators of critical national infrastructure will also be banned from making ransomware payments. This comprehensive coverage reflects the reality that these organizations handle essential services that millions of citizens rely on daily. The UK government claims that citizens overwhelmingly support a ban.

The WannaCry legacy

The 2017 WannaCry attack on the NHS serves as a stark reminder of ransomware’s potential devastation. The global cyberattack affected at least 80 NHS trusts across England and 603 primary care organizations, including 595 GP practices. The attack led to 19,000 cancelled appointments and cost the NHS an estimated £92 million through service disruptions and recovery efforts.

During the week-long disruption, infected hospitals experienced a 6% decrease in total admissions, with emergency admissions down 4% and elective admissions falling 9%. While no increase in mortality was directly attributed to the attack, the incident highlighted the life-threatening risks posed by ransomware to healthcare systems. The WannaCry incident has been hugely influential in the creation of this newly proposed ban.

Sadly, the dangers of ransomware persist. In October 2023, the British Library suffered a devastating attack by the Rhysida ransomware group. The hackers demanded 20 Bitcoin (approximately £600,000) for the return of stolen data. When the library refused to pay, the criminals auctioned the data on the dark web, including employee passport scans and HMRC employment contracts.

Do bans work?

Only two U.S. states, North Carolina and Florida, have enacted similar ransomware payment bans for government entities, making it difficult to assess whether the new policy will work. North Carolina’s 2021 law was the first of its kind, prohibiting state and local governments from paying ransoms and even restricting communication with attackers.

Data from North Carolina shows mixed results. In the first half of 2022, two cities, two counties, two school districts, three colleges, and one state agency were hit with ransomware, but none paid the attackers. Rates of attack have fluctuated since the law came into force, making it hard to determine whether the ban has been effective in deterring criminals.

Expert skepticism and concerns

Cybersecurity professionals have raised significant concerns about payment bans. Industry analyst Forrester warns that “while banning organizations from providing ransomware payouts sounds good in theory, it is a disaster in practice”. Critics argue that organizations typically pay ransoms only when they have exhausted all other options, not out of preference.

A particularly troubling finding from IT Pro research revealed that while 96% of UK business leaders support a payment ban, 75% admitted they would still pay a ransom if it meant saving their business – even at the risk of penalties. This gap between principle and practice highlights the complex reality organizations face when confronted with crippling cyberattacks.

The broader legislative framework – comprehensive reporting requirements

Alongside the payment ban, the government is developing mandatory incident reporting requirements to provide law enforcement with better intelligence for tracking down perpetrators and supporting victims. This reporting regime aims to bring ransomware attacks “out of the shadows” and maximize intelligence available to UK law enforcement agencies.

The legislation will also establish a ransomware payment prevention regime for organizations not covered by the ban. Private sector businesses will be required to notify the government of their intention to pay ransoms, allowing authorities to provide guidance and warn if payments might violate sanctions against criminal groups, many of whom are based in Russia.

International implications

The UK’s comprehensive approach positions it as a global test case for ransomware payment restrictions. While the previous U.S. administration resisted calls for a national ban in the United States, international cooperation is increasing, with a U.S.-led alliance of over 40 countries pledging not to pay ransoms.

The success or failure of the UK’s policy will likely influence similar legislative efforts worldwide. If effective in reducing attacks on covered organizations without causing disproportionate service disruptions, other nations may adopt similar measures.

Watch this space

The UK’s bold approach to ransomware represents a significant policy experiment that could reshape how nations combat cybercrime. While the effectiveness remains to be proven, the legislation sends a clear message that the UK is committed to disrupting the financial model that fuels the global ransomware epidemic.