The Ransomware Payment Ban: A Well-Intentioned Distraction?

Peter Villiers

Director of Cyber Risk

Last year, the UK government announced its proposal for a ransomware payment ban. The legislation will prohibit government-linked organisations, public bodies, schools and CNI from paying ransom demands.

While welcomed by many, the move has undoubtedly sparked intense debate across the cyber community.

The major concern is that the ban won’t tackle the root of the problem, with the government mistaking a moral stance for a security outcome, risking it becoming a mere distraction rather than a genuine solution.


The Ransomware Payment Ban

Under the proposed legislation, UK-regulated entities would be prohibited from paying ransoms to cybercriminals, or, at minimum, required to report any intent to pay to authorities.

The aim is to deter criminals by cutting off their primary source of income and to provide greater transparency around ransomware incidents.

However, the proposal has clear limits.

Most UK organisations will not be legally banned from paying demands, which will result in only a small reduction in profits for threat actors.

Furthermore, it doesn’t address the fact that not all ransomware attacks today are financially motivated. State-sponsored threat actors and hacktivists often carry out attacks motivated by destruction, purely to cause harm to a target or country. The proposed ban will do little to tackle these events.

This ultimately means that while the policy is well-intentioned, its impact is likely to be limited.

The Government may do better to focus its efforts on educating organisations on how to be resilient, in the form of secure backups, incident response planning and identity and access management, so that paying ransoms becomes less commercially attractive.


The realities of modern and broken ransomware

Ransomware-as-a-Service (RaaS) models have lowered the barrier to entry for wannabe attackers, enabling even unskilled actors to launch ransomware campaigns. The result?

Messy, partial and operationally ineffective ransomware deployments.

Encryption tools are often misconfigured or deployed prematurely by actors, leading to file corruption, incomplete encryption, and most importantly, unreliable decryption.

This means even when victims pay, decryptors often fail or corrupt data due to poor coding or broken key management.

This was a hard-won lesson for a victim of the Hazard ransomware group which, as reported by The Register, struggled to get systems back online after purchasing a faulty decryptor.

Paying, therefore, gives no guarantee of restoring business operations. For unprepared organisations, it can merely delay the inevitable system rebuild.

Perhaps this is a stronger message, one that will act as a deterrent to paying while also serving as a catalyst to improve defences?

Organisations should be cognizant that paying is no guarantee of system availability. In reality, when ransomware is deployed and they have no way to reinstate access to systems via their own controls and backups, then, in the vast majority of cases, a complete rebuild is required.


Protecting against ransomware

To make a meaningful impact, the focus must shift from payment prevention to attack preparation.

True resilience won’t come from outlawing payments but from removing the very conditions that make payment seem like the only way out. The ban may make headlines, but only education, shared intelligence and engineered resilience will change outcomes.

As a result, organisations must move away from the ‘to pay or not to pay’ conundrum and focus their efforts on preparedness, prevention, response and recovery.

This involves hardening defences through security tooling, training staff on the techniques criminals use to compromise organisations, as well as improving visibility to ensure all enterprise assets are up to date and covered by the security posture.

It is also essential to run backups, scheduled according to the specific operations of the organisation, and to run incident response planning and tabletop exercises, not only to rehearse responses to ransomware and other cyber attacks but also to improve resilience against them and safeguard recovery.
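The backup advice above, and the earlier point that a purchased decryptor may hand back corrupted files, both come down to one question: can you prove, before an incident, that your data comes back intact? The following is an added example, not code from the original article or its author, of a minimal backup manifest and restore-verification check. It hashes every file at backup time, then compares a restored tree against that manifest and flags missing files, changed files and a backup older than an assumed 24-hour recovery-point objective. All file names, contents and the 24-hour threshold are constructed for the demonstration.

```python
"""Backup manifest and restore-verification check (added example, constructed data)."""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record relative path -> hash for every file, plus when the backup was taken."""
    files = {
        str(p.relative_to(source)): sha256_file(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }
    return {"taken_at": time.time(), "files": files}


def verify_restore(restored: Path, manifest: dict, max_age_seconds: float) -> dict:
    """Compare a restored tree against the manifest.

    Reports files that are missing, files whose content no longer matches the
    recorded hash, and whether the backup is older than the allowed age
    (the recovery-point objective, an assumed value here).
    """
    missing, corrupted = [], []
    for rel, expected in manifest["files"].items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupted.append(rel)
    stale = (time.time() - manifest["taken_at"]) > max_age_seconds
    return {
        "ok": not missing and not corrupted and not stale,
        "missing": missing,
        "corrupted": corrupted,
        "stale": stale,
    }


def demo() -> dict:
    """Constructed scenario: back up two files, restore them, then damage one.

    Returns the verification report before and after the damage, which is the
    same shape of result a scheduled restore test would produce.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "reports").mkdir(parents=True)
        (src / "reports" / "q1.csv").write_bytes(b"id,total\n1,100\n")
        (src / "notes.txt").write_bytes(b"constructed sample content\n")

        manifest = build_manifest(src)
        # The manifest would normally be stored apart from the backup media;
        # round-tripping through JSON shows it survives serialisation.
        manifest = json.loads(json.dumps(manifest))

        restored = Path(tmp) / "restored"
        for rel in manifest["files"]:
            dst = restored / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes((src / rel).read_bytes())
        clean = verify_restore(restored, manifest, max_age_seconds=24 * 3600)

        # Mimic a restore that silently returned garbage for one file.
        (restored / "notes.txt").write_bytes(b"garbage\n")
        damaged = verify_restore(restored, manifest, max_age_seconds=24 * 3600)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification on a scheduled basis against a genuine restore to separate storage, not against the source tree; a manifest that only ever agrees with the live data proves nothing about the backup.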

This must be continuous with the mindset being that not all attacks can be prevented, but their impacts can be lessened with the proper defences and well-oiled incident response planning.


Paying ransoms won’t improve resilience

It’s time we shift the conversation on ransomware.

Ransomware isn’t sustained by the ability to pay; it’s sustained by the lack of resilience that makes paying seem rational.

While the UK’s ransomware payment ban is symbolically powerful, it is not enough to counter the threat.

Cybercriminals don’t fear legislation; they exploit the operational desperation of victims, and until we fix that dependency, banning payments is not a deterrent; it’s just a distraction.

Instead of chasing policy solutions, the UK government should focus on raising awareness and educating organisations that resilience isn’t about paying ransoms; it’s about rigorous efforts in preparedness, prevention, response and recovery.
