Infosecurity Europe
2-4 June 2026
ExCeL London

Will the UK’s Ransomware Payment Ban Work?

The notion of making ransomware payments an illegal act has been a heavily discussed topic in cybersecurity for a number of years now.

Proponents of such a move point to the need to destroy the ransomware business model, thereby disincentivising attacks.

Critics argue that criminalising ransomware victims, who may be faced with a stark choice between paying an extortion demand to restore services or going out of business, is unfair and unlikely to work in any case.

Globally, guidance from various governments strongly advises against paying ransom demands, but none to date has issued an outright ban.

However, in 2025 the UK government took a big step forward, proposing a ban on ransomware payments by public sector and critical national infrastructure (CNI) organisations. This covers a range of organisations, including schools, hospitals and transport.

This measure is designed to make critical services unattractive targets for ransomware actors, preventing the type of tragic disruption caused by the 2024 attack on NHS pathology provider Synnovis.

The ban was confirmed as going ahead in July 2025, with the UK government stating that three-quarters of respondents to a public consultation expressed support for the proposals.

The cybersecurity community will be watching with interest over the coming years to understand the effects of the partial ban – whether it will serve its purpose of protecting essential services from the pervasive threat of ransomware, or if it will cause unintended impacts that worsen the problem.

The Case for a Ransomware Ban

Supporters of the UK’s partial ban point to the fact that extortion payments fuel the ransomware model, driving the incentive for malicious actors to continue attacks.

In an article for Infosecurity Magazine, Stuart Reed, UK director, Orange Cyberdefense, noted: “Ransomware payments essentially fund cybercrime, and this is why ransomware attacks are becoming more common. There is no doubt that paying out leads to more attacks.”

Former CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, publicly argued in favour of a ransomware ban in 2024. He noted that attacks are fuelled because there is no legal barrier to ransomware victims paying and then claiming back the expense on insurance.

As such, making payments illegal would, in theory, make attacks on impacted industries unprofitable for ransomware actors.



Another argument in favour of a full or partial ban is the significant evidence that making payments does not guarantee the restoration of victims’ systems or data.

A Cybereason study found that fewer than half of firms that paid a ransom demand got their data and services back uncorrupted.

The same report also found that 78% of organisations that paid a ransomware demand were hit by a second ransomware attack, often by the same threat actor.

Imposing a ban could prevent ransomware victims from making a substantial payment that may do nothing to alleviate their situation, while helping fuel further attacks.

Why the Partial Ban May be Doomed to Failure

In addition to viewing the notion of punishing ransomware victims further with legal sanctions as undesirable, some experts have highlighted practical flaws with the UK’s proposed payment ban.

It is argued that these flaws could make the ban ineffective and potentially have unforeseen negative consequences.

One consideration with the UK’s approach is the risk of creating a “two-tier” system, in which organisations not covered by the ban become more desirable targets.

Such a reality could make some organisations with limited cybersecurity resources, such as SMEs, more exposed to ransomware attacks.

Experts have also pointed out that the reality for many victims of ransomware is a choice between paying the attackers to restore systems or facing devastating consequences such as going out of business.

In the case of critical sectors like healthcare and energy, which will be covered by the UK’s ban, there could be a genuine threat to human life from system outages.

In an article for Infosecurity Magazine discussing the UK’s proposed ban, Andrew Rose, CISO at SoSafe, wrote: “If that disruption means the firm will be unable to sustain themselves, will they be allowed to fail? Similarly, if an organisation is responsible for providing life-saving or critical public services, does the government bear some responsibility in ensuring operational continuity? Many of these questions remain unanswered.”

Additionally, despite the ban, many victims may still feel they have no option but to pay given the existential threat of not doing so.

This could result in victims finding ways around the ban to make payments, such as using third-party intermediaries to handle payments or “mislabelling” ransomware incidents to avoid regulatory penalties.

This would not only undermine the effectiveness of the ban but also push attacks underground and outside the visibility of governments and law enforcement.

This in turn could have severe consequences for cybersecurity intelligence, meaning less visibility into attack patterns, techniques and emerging threats, inadvertently benefiting cybercriminals in the long run.

Conclusion

The UK’s plan to ban public sector and CNI organisations from making ransomware payments represents a bold move in the fight against this pervasive threat.

Countries around the world have shied away from issuing outright bans to date, despite strongly advising against payments and having other restrictions in place, including sanctions.

This is due to the reality that many victims face when they are hit with a ransomware demand, where paying may be the only viable option.

Governments and the cybersecurity community will be watching closely to see the impact of the UK’s partial ban, once it comes into force.

If it proves successful in reducing attacks on critical industries, pressure is likely to grow for similar measures in other jurisdictions, and even wider application.

