Ransomware attacks account for a relatively small proportion of cyber attacks, the vast majority of which are phishing attacks. However, ransomware disproportionately targets larger businesses and public institutions and is seen as a rising threat, particularly in relation to critical infrastructure. Both the National Crime Agency and the National Cyber Security Centre (NCSC) have identified ransomware as a risk to UK national security.
One of the most high-profile ransomware attacks impacting public services occurred in June 2024 when Synnovis, which supplies pathology services to a number of healthcare organisations and is co-owned by two major healthcare trusts and SYNLAB, suffered an attack that led to delays to over 11,000 outpatient and elective procedure appointments.
The government's Cyber security breaches survey 2025 concluded that the prevalence of ransomware among businesses increased significantly, from under 0.5% in 2024 to 1% in 2025, equating to approximately 19,000 businesses in 2025, with ransomware attacks accounting for 7% of cyber crime targeting businesses (up from 2% in 2024). The survey also found that around half of businesses surveyed had a rule or policy not to pay ransomware demands, but that there was a high degree of uncertainty as to what to do in the face of a ransomware attack.
By the time the 2025 survey was published, a January 2025 consultation on three proposals to discourage ransomware attacks in the UK had already closed, but the survey confirmed the government's concerns around the growing prevalence of this type of cyber crime. The consultation sought views on three key policy proposals intended to discourage cyber criminals from targeting the UK with ransomware: banning certain types of payment, discouraging others, and providing advice and guidance to help organisations conduct a cost/benefit analysis before deciding to make a payment.
The three key policy proposals on which the consultation asked for views were as follows.
- A targeted ban on ransomware payments for owners and operators of regulated critical national infrastructure (CNI) and the public sector – this would expand the existing ban on ransomware payments by government departments and on payments to sanctioned individuals and organisations. The government also sought views on how to achieve the right balance of effective and proportionate measures to encourage compliance with the ban.
- A ransomware payment prevention regime – victims of ransomware not subject to the ban on payments would be required to engage with authorities and report their intention to pay before handing over money. Those authorities would then review planned payments, with a view to blocking payments to known criminal groups and sanctioned entities. This would also increase the National Crime Agency's awareness of live attacks and ransom demands, allowing it to provide advice and guidance to victims before they respond.
- A mandatory incident reporting regime – to help maximise law enforcement agency intelligence and target investigations on the most damaging organised ransomware groups. The consultation asked for views on reporting thresholds, the nature of the required report, and deadlines for making reports, which were proposed to be set at 72 hours.
The consultation was supported by the National Cyber Security Centre (NCSC), which already operates a Ransomware Hub to provide guidance and advice on avoiding and dealing with ransomware attacks.
On 22 July 2025, the government published its response to the feedback on its consultation on ransomware legislative proposals. The consultation received 273 responses, and the response summarised the feedback on each of the three proposals.
- A targeted ban on ransomware payments for owners and operators of regulated critical national infrastructure and the public sector – there was majority support for this among respondents, although there were mixed views on any exemptions to the ban and on widening the ban to Critical National Infrastructure (CNI) and public sector supply chains.
- A ransomware payment prevention regime – support for this was mixed, but overall the first proposed measure, an economy-wide payment prevention regime for any organisations and individuals not covered by the targeted regime, was narrowly preferred to the options of instigating a threshold approach or excluding individuals. Concerns were raised around how effective the regime might be, particularly around enforcement, but the government said these were focused on aspects of how the regime would work in practice, rather than on the concept of the regime itself.
- A mandatory incident reporting regime – this also gained majority support. Again, concerns were raised around threshold requirements and what those might be.
As a result, the government will proceed with all three legislative proposals and plans to clarify their scope in guidance. In response to some of the feedback, it will also consider the best approach to penalties, in particular for supply chains.
Interestingly, protecting data from ransomware attacks was cited as a key factor by the Court of Appeal in its recent decision in DSG Retail Ltd v The Information Commissioner. The case revolved around whether DSG Retail Ltd had failed to implement appropriate security measures to protect data that was ultimately stolen by hackers. DSG argued that, as the stolen data was not personal data in the hands of the attackers (who would have been unable to identify individuals from it), there had been no requirement to protect it. The Court of Appeal held that the data was personal data in the hands of DSG and that DSG therefore had to comply with data protection law in relation to it. The Court said that to hold otherwise would create a gap in the protection of personal data, as it would mean there was no obligation to protect certain types of data from ransomware and other attacks, even though theft of that data might harm individuals regardless of whether or not the hacker could identify them from the stolen data.
What does this mean for businesses?
If the government goes ahead with its plans, it will become the first to introduce a partial ban on ransomware payments, although many governments, in particular Australia and the USA, actively discourage them.
It remains to be seen whether the proposed ban will discourage ransomware attacks on essential services. There are also concerns that a ban which does not cover the wider supply chain will be ineffective and that banning payments in certain areas will lead to an increase in attacks targeting other sectors.
More businesses are likely to be impacted by the reporting requirements than by the proposed ban. It remains to be seen whether the requirements will apply to all ransomware attacks, and what information will be required and by when, but there are also questions around funding for responding to these notifications. If the aim is to help organisations decide how to respond to ransom demands on a case-by-case basis, there will need to be a quick turnaround. While it is currently unclear which services would deal with notifications, responses to the consultation emphasised the need for a sector-by-sector approach to guidance, which may take time to develop.
Ultimately, for those not subject to a ban, the decision about whether or not to pay a ransom demand is a difficult one. Not only do payments go to criminals, but payment may encourage further attacks. In addition, a 2024 Cybereason study suggested that while 84% of organisations pay ransom demands, less than half of those that pay get uncorrupted data back when they do. On the other hand, some organisations face an existential threat if they refuse to pay and see no alternative but to respond to demands. Tailored guidance and support are likely to be welcomed, but the effectiveness of the government's plans will take time to establish and much will depend on detail and delivery.