The government has announced new regulations designed to limit the rise in ransomware attacks. Lindsay Hill, CEO of Law Society partner Mitigo provides an overview of the plans


In January 2025, the government announced a proposal to introduce legislation attempting to limit the rising threat of ransomware attacks against organisations in the UK. The proposals include banning ransom payments to criminals by public sector bodies and the introduction of new mandatory reporting and payment prevention regimes for the private sector.

Increased attacks

Cybercrime is increasingly sophisticated and often run by organised criminal gangs, many of which are based in Russia. In recent years there has been a dramatic increase in ransomware attacks globally, where malicious software encrypts the victim’s data or locks them out of their systems. A copy of important client and proprietary data is also stolen, and the attackers then demand ransom payments in return for access to the system or data, and to prevent confidential data being published on websites run by the criminals. This ‘double extortion’ technique means that companies are vulnerable even if they can restore systems from back-ups.

Another notable development has been the rise of ransomware as a service (RaaS), a business model where ransomware tools are sold on the black market to affiliates, who gain access to computers and then share the spoils with more sophisticated players who negotiate the ransom payments. Payment demands run from hundreds of thousands to many millions of pounds.

Why pay the ransom demands?

Ransom attacks can bring businesses to the point where they are facing financial ruin, leaving client relationships and reputations wrecked. Decisions need to be taken quickly against a ticking clock. The Information Commissioner’s Office (ICO), law enforcement agencies and sector regulators have always discouraged ransom payments on the grounds that they incentivise more of the same illegal activity (the ICO and the National Cyber Security Centre have previously written to the Law Society and Bar Council explaining their position). Despite this, it is hardly surprising that firms feel compelled to make payments to protect their clients and get their businesses functioning again.

The proposals

The government has made three main proposals.

  1. A targeted ban on ransomware payments for all public sector bodies and critical national infrastructure (CNI). This expands the existing ban on ransomware payments by government departments. The idea is to make key national organisations unattractive targets for ransomware criminals.
  2. The introduction of a ransom payment prevention regime. This would include notifying an intention to pay the ransom before actually doing so. This would allow law enforcement to review the proposed payment to see if there is reason to block it (such as breached sanctions), as well as increasing the National Crime Agency’s awareness of live attacks and any financial demands attached to them.
  3. A mandatory reporting regime for ransomware incidents. This would provide intelligence to law enforcement agencies to warn of emerging threats and target investigations into organised ransomware groups.

Will they work?

Although well-intentioned, these proposals won’t prevent cyber-attacks. Even if there is a complete ban on payments by the public sector and CNI, it will not prevent criminal gangs from capitalising on data theft by selling the stolen data on to facilitate other serious crime, such as credit/debit card fraud, identity theft, hacking bank accounts, and so on.

A complete ban on the public sector and CNI paying ransomware demands may simply redirect attacks towards businesses in the private sector, and law firms will continue to be a prime target. There is evidence too that ransomware gangs have shifted their focus to small and medium-sized enterprises (SMEs), as they often won’t have the same protections in place as larger firms. Although the headlines in the press feature high-profile attacks against public bodies, the reality is that most ransomware attacks are against businesses in the private sector.

Making it mandatory for the private sector to report ransomware incidents and to notify an intention to pay a demand before doing so would create an additional burden on the victim firm. In addition to the stress of negotiating with criminals and trying to limit the damage and disruption to its business and client affairs, a firm will still have reporting obligations to the regulators, its clients and, where appropriate, its supply chains.

If payments are blocked, it could affect the survival of a firm. Organisations pay ransomware demands because commercially they feel forced to do so, as the alternative could leave a firm permanently crippled.

In addition, these proposals only relate to ransomware attacks. For law firms, the most common form of cyber-attack is where the criminal gains access to a firm’s email, frequently resulting in both data and financial loss.

Other government initiatives

The government also confirmed it’s issuing the Cyber governance code of practice, which substantially follows the draft code issued in 2024. This formalises the government’s expectations regarding an organisation’s governance of cyber security and sets out clear actions that directors, non-executive directors and senior leaders need to take to meet their responsibilities in managing cyber risk.

The code highlights the fact that cyber risk should have the same prominence as financial or legal risk, and that the responsibility and ownership of cyber resilience is a board level matter.

The code comprises five principles which are each underpinned by various actions: risk management, cyber strategy, people, incident planning and response, and assurance and oversight. It should be essential reading for all senior business leaders. Note too that the ICO will take it into account if there is a data breach (see the judgment where Interserve was fined £4.4m by the ICO).

What should firms be doing?

It sounds obvious, but firms should prioritise preventing cyber breaches before they happen. Cyber risk management should be at the top of every firm’s risk register and have the attention of every compliance officer, IT director and managing partner. This is not a risk that should be managed by your IT function. Prudent management requires getting suitably qualified experts to provide visibility of your firm’s cyber risk and independent assurance that the right protective measures are in place, with periodic reviews to prove their continued effectiveness.

Mitigo, cyber risk management partner to the Law Society of England and Wales, the Law Society of Scotland and the Bar Council, specialises in cyber protection for the whole legal profession.