On January 14, 2025, the UK government unveiled a proposed framework aimed at combating the rise of ransomware attacks by implementing a payment prevention and reporting regime. This would require companies to not only report all ransomware incidents, but also to declare whether they intend to pay a ransom. The government also announced that it proposes to ban public bodies and infrastructure providers from making ransom payments to cyber attackers. A public consultation is open until April 8, 2025.
The move reflects rising concerns about ransomware attacks and their use to cause widespread disruption to public services. The consultation cites estimates that cybercriminals received more than $1 billion from their victims globally in 2023, and notes that a record number of ransomware cases were reported to the UK Information Commissioner’s Office in that year.
The Proposals
The key proposals subject to public consultation include:
- Expansion of the existing ban on ransomware payments by government departments. In 2023, members of the Counter Ransomware Initiative (including the UK) released a joint statement confirming that central government funds should not be used to pay ransomware demands. The proposal goes a step further by suggesting a codified ransomware payment prohibition covering all organisations in the UK public sector, as well as owners and operators of critical national infrastructure. The government aims to make these organisations less appealing targets for threat actors. The ban would not extend to private entities, but it remains to be seen what impact the proposals could have on companies that collaborate with, or act as service providers to, the public sector.
- Companies to notify intent to pay ransom. If taken forward, companies would be required to report their intention to pay a ransom to the government before paying. The government aims to use this information to support major investigations, provide better support to victims, and prevent payments that would breach sanctions or terrorism financing legislation. The consultation calls for views on whether this requirement should apply economy-wide, including to smaller businesses, charities, and individuals, or whether a higher threshold should be set. This is a noteworthy development, especially in light of existing regulatory and legislative guidance discouraging companies from paying ransoms.
- Companies to report all ransomware incidents. Companies and individuals would be required to report ransomware attacks to government authorities, regardless of whether they intend to pay the ransom. The Home Office is considering whether this requirement should apply only to companies and individuals meeting a certain threshold.
The consultation does not specify what the reporting deadlines under the proposed new legislation would be. However, it does note that work is ongoing with the Department for Science, Innovation and Technology to ensure that the proposals are aligned with the upcoming Cyber Security and Resilience Bill. The Home Office will also work with other government departments to ensure there is no conflict with the existing NIS Regulations, which already impose incident-reporting duties on operators of essential services and relevant digital service providers.
Similar Developments in the EU
There are signs that ransomware is also being treated as a priority across the EU, with several recent developments addressing the topic:
- The EU Council raised awareness about the prevalence of ransomware, referencing a recent high-profile Interpol enforcement action against large-scale ransomware operations. The Council has also issued guidance on how ransomware should be addressed under existing legislative frameworks.
- On January 15, 2025, the European Commission unveiled a comprehensive action plan aimed at enhancing the cybersecurity of hospitals and healthcare providers across the EU, with a particular focus on addressing ransomware attacks.
- National cybersecurity authorities across Europe, such as the Dutch National Cyber Security Centre, have updated or issued new guidance on handling ransomware incidents (see the Dutch National Cyber Security Centre's ransomware factsheet).
Next Steps
The UK government is accepting comments on the proposal until April 8, 2025. We encourage businesses interested in the proposed initiative to submit comments. Wilson Sonsini routinely advises companies on submitting public comments on policy and legislative initiatives in the area of data, privacy, and cybersecurity. In addition, Wilson Sonsini clients who believe they may be experiencing any kind of cybersecurity incident anywhere in the world can contact our experts 24/7 at our incident response hotline, which can be reached at either 32-2-2745777 or 1-650-849-3030.
For more information, please contact Demian Ahn, Cédric Burton, Nikolaos Theodorakis, Tom Evans, Laura Brodahl, or another member of the firm’s data, privacy, and cybersecurity practice.
Claudia Chan contributed to the preparation of this Wilson Sonsini Alert.