Hospitals and other public health bodies, public sector organisations such as councils and schools, and operators of critical national infrastructure (CNI) will be among those organisations officially forbidden to pay off cyber criminal ransomware gangs under proposals introduced today by the Home Office.

The measures are set to be introduced following a lengthy national debate, and public consultation, on the ransomware threat to the UK.

The Home Office said that roughly 75% of all the various bodies and individuals who responded to the consultation expressed support for a ban.

Cyber extortion costs the country millions of pounds every year, and recent incidents have highlighted the severe operational, financial and life-threatening risks it presents.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said security minister Dan Jarvis.

“That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our plan for change.

“By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” said the minister.

The government’s proposed Cyber Security and Resilience Bill is set to include regulatory provisions covering both datacentre operators and larger IT service providers.

A ban on ransomware payments by UK government departments will be extended to cover organisations such as local councils, schools and the NHS should new government proposals move forward.

The UK government says that enforced cyber incident and ransomware reporting for critical sectors of the economy will help to build a better picture of the threat landscape and enable more proactive and preventative responses.

In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.

At the same time, organisations not in scope of the ban will be required to notify the government, through a yet-to-be-described channel, if they intend to pay a ransom.

The Home Office said these businesses would then receive advice and support from the relevant authorities.

They will also be told if making a payment will risk breaking the law by funding previously sanctioned cyber criminal gangs.

The government is additionally pressing ahead with mandatory ransomware reporting methods that it hopes will better equip the authorities with the intelligence needed to hunt down ransomware gangs and disrupt them, where possible.

Co-op CEO Shirine Khoury-Haq, who is still dealing with the aftermath of a Scattered Spider ransomware attack on her organisation’s systems, welcomed the government’s focus on the issue.

“We know first-hand the damage and disruption cyber attacks cause to businesses and communities,” she said. “What matters most is learning, building resilience and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”

Attractive targets for cyber crime

Ultimately, the Home Office hopes its ban will target the business model fuelling cyber crime, and make the UK’s public services a less attractive target for ransomware gangs. These gangs are often motivated to attack critical sectors because they know an organisation like a hospital or a water company cannot risk operational downtime in the same way a business can, and as such are more likely to give in to their demands.