The British government is preparing a strict ban on ransom payments across the entire public sector and critical infrastructure. The measure, which will apply in particular to local authorities, schools and the National Health Service (NHS), marks a strategic turning point in the fight against ransomware. The objective is to make attacks unprofitable for criminal groups by removing their main source of income.
British authorities now treat ransomware as a direct national security threat. Rather than limiting itself to managing the consequences, the United Kingdom has chosen to tackle the root of the problem, namely the attackers' economic model. By prohibiting payment, the government intends to break the financial incentive that drives cybercriminals to target public services, which are often perceived as more vulnerable and more likely to give in quickly.
This strategy is accompanied by a new regulatory framework for the private sector. Companies remain permitted to pay a ransom, provided they report any intention to do so. This obligation is meant to verify that funds are not paid to sanctioned entities, and to strengthen the authorities' ability to trace financial flows and identify the groups responsible. A mandatory incident reporting system is also being rolled out.
This development comes as several major institutions have recently been hit by particularly serious attacks. The NHS, already struck multiple times, remains on the front line. The retailer Marks & Spencer saw its systems paralysed in April, while the British Library, the Co-op retail chain and Harrods faced major incidents. These attacks illustrate the growing sophistication of attackers' methods, including the targeting of virtualization infrastructure and the use of double extortion techniques.
The United Kingdom is profoundly changing the rules of the game, but the change requires a corresponding rise in prevention and resilience capacity: without the option of paying, public entities must have reliable backups, tested continuity plans and rigorous cyber hygiene.
It remains to be seen whether other European countries will follow this approach. In France, paying a ransom is not strictly prohibited, even though the authorities strongly advise against it. European digital resilience regulations are being strengthened, but stop short of an explicit prohibition. The United Kingdom's choice could thus serve as a full-scale test of a doctrine of rupture: hitting the wallet to cut off the means of action of cybercriminals.