CFOtech UK - Technology news for CFOs & financial decision-makers

UK moves to ban ransomware payments for public sector groups

Wed, 23rd Jul 2025

The UK government has announced a proposal to ban public sector organisations and critical national infrastructure (CNI) companies from making ransomware payments, as part of its broader strategy to combat the growing threat posed by cybercriminals. The decision comes in response to a continued increase in ransomware attacks both within the UK and globally, putting immense pressure on entities that provide essential services including healthcare and education.

Adam Blake, founder and chief executive of UK cybersecurity start-up ThreatSpike, characterised the move as "a good first step," but cautioned against assuming it will provide a comprehensive solution to the challenge. "The number of ransomware attacks has only been climbing in Australia despite similar measures," he noted, pointing to Australia's experience with comparable measures.

Blake explained that while the UK's policy has the potential to remove the direct financial incentive for attackers to target specific entities, it leaves gaps. "Entities like schools and hospitals rely heavily on non-public sector businesses, such as managed IT companies who could also be targeted, and they are very likely to pay to recover systems," he said. Blake predicts that some will attempt to circumvent the restrictions, and cautioned that if the policy is to be effective, "companies like MSPs [Managed Service Providers] also need to be restricted from making ransom payments." He further observed, "It's very unlikely they will be classified as critical national infrastructure under this current policy."

Blake stressed that countering ransomware requires a multi-layered, ongoing cybersecurity effort: "It's not about a single measure; rather, it requires consistent endeavour across the entire infrastructure." He warned that even a single vulnerability exposes organisations to attack, given the wide attack surface and the size of most institutions. "A high-profile vendor might be targeted with ransomware because someone accessed a VPN and found a password lying around in a text document on a file-sharing service. Equally, someone could exploit infrastructure that hasn't been patched or maintained. Additionally, employees bringing devices to the workplace can enable hackers to access, for example, the victim's Teams account, facilitating internal phishing of other staff."

Tim Rawlins, a senior adviser and director of Security at cybersecurity consultancy NCC Group, echoed the sentiment that simple solutions are unlikely to address the complexity of the ransomware challenge. "We support the UK Government's determination to disrupt the ransomware threat. However, as the consultation rightly highlights, this is not a straightforward issue," Rawlins stated. He warned that a ban could have unintended consequences. "A payment ban for public sector and critical infrastructure organisations could unintentionally shift the threat toward smaller, less resilient organisations, or potentially drive payments underground."

Rawlins called for additional support mechanisms, stating, "The proposed payment authorisation scheme must reflect the realities of cyber incident response and provide appropriate and timely support for victims." He also welcomed measures for enhanced reporting, saying it could "help build a clearer picture of the threat landscape," but stressed the need for new requirements to align with existing frameworks to avoid regulatory confusion. Rawlins concluded, "Further work is needed to model the impact of the proposals, design future-proof solutions, and develop a broader resilience strategy that supports prevention, recovery, and intelligence sharing across the economy."

Both experts agree that the government's move, while significant, is only the beginning of a broader process. Industry stakeholders suggest that authorities must focus not just on restricting payments, but also on building a resilient digital infrastructure, improving incident response procedures, and ensuring that organisations of all sizes have access to necessary support and intelligence.

The proposed legislation signals a shift in the UK's approach to ransomware by targeting the root economic incentives and aiming to protect essential public services. However, experts remain cautious, emphasising the need for a holistic, adaptive strategy that keeps pace with the evolving tactics of cybercriminals.
