U.K. Government’s Ransomware Proposals: Destruction or Disruption of Cybercrime Business Models?
By Aisling Dawson |
07 Aug 2025 |
IN-7908
U.K. Government Bans Ransomware Payouts from Public Bodies and Critical Infrastructure Operators
NEWS
Following a public consultation earlier this year, the U.K. Government has banned named public sector bodies and Critical National Infrastructure (CNI) operators from paying ransom demands to cybercriminals, with local councils, schools, and hospitals all falling within the initiative's mandate. The preceding consultation ran from January to April 2025, and the Home Office published its response on July 22, outlining the feedback received on the various ransomware proposals. The consultation covered three proposals: a targeted ban on ransomware payments, a payment prevention scheme, and a mandatory incident reporting framework. It forms part of the government's wider push to mitigate the financial and operational impact of ransomware attacks on the United Kingdom's economy.
Destruction of Ransomware Business Model: Will the Ban Reduce Ransomware Incidents?
IMPACT
Banning CNI operators and public sector bodies from paying conveys a strength that pushes against the primary tactic underpinning most ransomware groups' business models: preying on fear to extract financial gain. As ransomware groups tend to be mercenaries, driven primarily by financial motives, it follows that by reducing the funding base from which they can illegally draw, bans on ransomware payouts will render the ransomware business model unsustainable. Following the U.S.-led October 2024 pledge to refuse ransomware payments, the year-over-year increase in ransomware attacks slowed and ransom payments declined, lending weight to the prospective effectiveness of the United Kingdom's newest policy. Yet ransomware attacks are becoming more frequent even as fewer companies pay up, suggesting that the relationship between refusing to pay and reduced success for ransomware groups is less than directly proportional, and undercutting the idea that refusing to pay can dismantle this cybercrime business model.
Additionally, with only public sector bodies and CNI operators subject to the government's latest mandate, private sector bodies are likely to continue paying ransoms, strengthening the notion that the new policy may only disrupt, rather than destroy, this cybercriminal business model. This is also problematic given rising privatization within the United Kingdom and the increasing convergence between services offered by public and private sector bodies. Without clear parameters on whether those in breach of the ban will face civil or criminal penalties, whether the extent of those penalties will be tailored to organization size or turnover, or whether individuals heading up organizational security will be held personally accountable, it is difficult to assess the potential effectiveness of the new ban at this stage.
On top of this, cybercriminals are notoriously innovative and adaptable. The ban may divert them toward businesses not subject to the government's refusal-to-pay mandate, leading to more attacks on private sector businesses, or incentivize them to spin up entirely different attack types or targeting methods, e.g., blackmailing individuals rather than businesses. Thus, while attacks may decrease within the public sector, the ban is unlikely to reduce the number of businesses across the United Kingdom subject to ransomware attacks or to destroy the ransomware business model.
Consequently, the United Kingdom's newest strategy has the potential to disrupt ransomware business models, yet it is unlikely to destroy them entirely. Rather, the real power of the United Kingdom's strategy lies in its communicative effect for public bodies and critical infrastructure, beyond its potential to reduce ransomware. Where ransomware is used as a means of ideological warfare, these attacks remain loaded with symbolic significance, particularly when critical infrastructure and high-priority targets are attacked. Alongside strong reporting obligations and cybersecurity measures, the greatest weapon in the government's arsenal is countering this with symbolic defiance, which is well communicated via the United Kingdom's newest refusal-to-pay mandate.
Supplementing Payout Bans with Alternative Measures Is Key to Maximizing Cyber Resilience
RECOMMENDATIONS
The communicative effect of the U.K. ban depends on the subset of cybercriminals involved in any given ransomware attack and the psychology driving them. Mercenary interests drive many cybercriminals, but it would be a mistake to treat this as the sole motivating factor. A desire to disrupt systems for the sake of personal grievances, retribution, power and control, or ideological beliefs, rather than for financial purposes, remains prevalent among ransomware criminals, especially state-backed or hacktivist groups. As a result, reduced financial gain may have a limited impact on the prevalence of state-sponsored ransomware attacks, which are an increasingly significant threat to states' CNI. Understanding ransomware attackers' psychological motivations and tactics will help organizations develop more effective security awareness training and incident response plans to bolster the ban's effectiveness.
Additionally, to aid compliance with the ban, the associated mandatory reporting regime, and the new requirement to notify the government of an intent to pay a ransom, vendors in the public and CNI sectors should avail themselves of the support and guidance offered by the U.K. Government and the National Cyber Security Centre. To truly destroy the ransomware business model, a payout ban alone will be insufficient. The U.K. Government has indicated that further measures will be required to optimize cyber resilience throughout U.K. services, including enhanced cybersecurity awareness and training. However, with budgetary limitations still a major obstacle, delivering on this will be another ballgame entirely. As vendors await clarification on the particulars of the prospective ransom payout ban, the United Kingdom has taken an important symbolic step forward in the battle against ransomware and cybercriminals, which should not be discounted or underestimated.
Written by Aisling Dawson