The UK government has announced that hospitals, businesses, and critical services are set to be protected under measures designed to crack down on cyber criminals and safeguard the public, following public consultation on ransomware proposals. Public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransom demands to criminals under the measure, with nearly three quarters of consultation respondents showing support for the proposal.
Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom. The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cyber criminal groups, many of whom are based in Russia.
Here, Juliette Hudson, CTO of CybaVerse, and Kevin Robertson, CTO of Acumen Cyber, respond to the news.
Juliette Hudson, CTO of CybaVerse:
“The government is clearly hoping these actions will have an impact on the ransomware economy and make it harder for threat actors to monetise from the UK.
By introducing a formal payment ban on government-linked organisations, this should in theory make them less attractive to money-motivated attackers. However, given that this is only one subset of the types of threat actors targeting these organisations, it will never diminish the threat entirely.
In the current geopolitical landscape, it’s safe to say that not all ransomware attacks are directly motivated by money. In some cases, nation state actors are targeting critical infrastructure motivated purely to gather intelligence or cause societal harm. A payment ban will do nothing to thwart these attacks.
The movement to mandate private organisations to report payments is interesting, as it also should in theory put organisations off paying.
Paying demands is bad PR; it doesn’t reflect well on an organisation’s reputation, so making organisations report payments to governments could put them off paying in the first place out of the fear of negative publicity.
Now that this data will be held by the government, it will likely be covered by Freedom of Information requests. While the government won’t ever disclose individual names of businesses, it could still make organisations nervous about getting caught up in such requests.
The information that will be provided to private sector organisations intending to pay will also be helpful, as it will better educate them on the impacts of paying, and how it could expose them to more attacks in the future.”
Kevin Robertson, CTO of Acumen Cyber:
“The big news here isn’t that the government is now prohibiting public sector and CNI organisations from paying ransom demands. This isn’t new. Public sector, schools, hospitals and critical infrastructure made the decision many years ago to take this action, so nothing really has changed.
The biggest change in the new proposal is the mandatory reporting of an intent to pay a ransom demand across private organisations.
This could go either one of two ways.
Firstly, organisations could be put off paying demands altogether out of a fear their intent to pay is somehow made public. This would directly hit ransomware actors, but means organisations would have to focus on recovery and incident response planning more than ever before.
Or, it could create an underground economy where organisations pay demands, but don’t report them, or global organisations pay demands from locations outside the UK.
It’s murky water but no payment ban will ever stop ransomware. Criminals know today the public sector will never pay a demand, yet they still carry out attacks against them.
Organisations shouldn’t see this change in legislation as an improvement in defences. It will have little impact. This means prioritising internal defences through proactive monitoring, detection and response is critical.”