“It’s easy to say that no one should ever pay a ransom”

Juliette Hudson, CTO, Cybaverse
“The government is clearly hoping these actions will have an impact on the ransomware economy and make it harder for threat actors to monetise attacks from the UK.
Introducing a formal payment ban for government-linked organisations should in theory make them less attractive to money-motivated attackers. However, given that this affects only a subset of the types of threat actors targeting these organisations, it will never diminish the threat entirely.
In the current geopolitical landscape, it’s safe to say that not all ransomware attacks are directly motivated by money. In some cases, nation state actors are targeting critical infrastructure motivated purely by gathering intelligence or causing societal harm. A payment ban will do nothing to thwart these attacks.
The movement to mandate private organisations to report payments is interesting, as it also should in theory put organisations off paying.
Paying demands is bad PR. It doesn’t reflect well on an organisation’s reputation, so making organisations report payments to governments could put them off paying in the first place out of the fear of negative publicity.
Now that this data will be held by the government, it will likely be covered by Freedom of Information requests. While the government won’t ever disclose individual names of businesses, it could still make organisations nervous about getting caught up in such requests.
The information that will be provided to private sector organisations intending to pay will also be helpful, as it will better educate them on the impacts of paying, and how it could expose them to more attacks in the future.”
It’s easy to say that no one should ever pay a ransom, and while that’s much harder to put into practice during a real-world incident, especially under pressure, it remains the stance we should strive for if we want the best chance at disrupting these groups long term.
However, in practice, the decision to pay a ransom is rarely black and white. For many organisations, particularly in critical services like healthcare, transport, or utilities, downtime can have life-threatening consequences. When all recovery options are exhausted and systems are offline, leadership may be faced with the grim reality that paying is the fastest, or only, way to restore essential services.
In those scenarios, the government’s payment ban on public-sector entities can be both a safeguard and a constraint. It prevents public money from funding criminal enterprises, but it also demands that these organisations have extremely robust resilience and recovery plans in place. This policy shift will only succeed if it’s supported by increased funding, stronger incident response capabilities, and mandatory testing of business continuity plans across government-affiliated entities.
Softcat’s Paul Fleming warned the move could have “unintended consequences”. See final page for more…