In a decisive move to curb cybercrime, the UK government has announced plans to ban all public sector bodies from paying ransoms to cybercriminals. Security Minister Tom Tugendhat confirmed that the new legislation will be introduced later this year, forming a central part of the UK’s updated national cybersecurity strategy. The ban will apply to publicly funded institutions including NHS trusts, local councils, and emergency services—organisations frequently targeted by ransomware attacks.
“Paying a ransom undermines our national security and finances criminal gangs,” Tugendhat told Reuters and The Guardian, emphasising the government’s commitment to deterring digital extortion. While the legislation will not directly apply to private companies, officials hope it will help set a national precedent for how institutions respond to ransomware threats. The UK government also aims to align this approach with international partners including the US and European nations to present a united front against cybercriminal networks.
UK Public Sector Under Siege by Ransomware Attacks
The move comes amid a sharp increase in ransomware incidents across the UK’s public sector, with several hospitals, schools, and local authorities falling victim in recent years. Attackers typically encrypt data and demand large payouts in exchange for its release, often causing severe service disruptions. According to The Guardian, some organisations have paid ransoms under duress, fearing prolonged outages and reputational damage.
The new ban will codify long-standing guidance from the National Cyber Security Centre (NCSC), which strongly advises against ransom payments, warning that they offer no guarantee of data recovery and only encourage further attacks. The legislation is expected to bolster the government’s broader cyber resilience efforts, which include better staff training, system backups, and investment in secure infrastructure.
Tugendhat noted that this approach isn’t just about saying “no” to hackers—it’s about fundamentally changing the cost-benefit equation for cybercriminals. “This is about ending the incentive for criminals to target the UK government public sector,” he said.
Experts Welcome Move but Urge More Support for Institutions
Cybersecurity professionals have largely welcomed the ban as a long-overdue step, but caution that enforcement must be matched with meaningful support for under-resourced public institutions. As reported by Reuters, experts argue that organisations need clear contingency plans, robust digital infrastructure, and increased funding to prepare for the fallout of ransomware attacks—especially in cases where critical services are at stake.
Healthcare, in particular, presents a delicate challenge. Critics warn that rigid no-payment policies could have life-or-death implications if patient data is held hostage. The government, however, maintains that the answer lies not in ransom payments, but in preparedness—strong encryption, secure backups, and coordinated response mechanisms.
By legally banning public sector ransom payments, the UK is taking a firm stand against the economics of cybercrime. Whether this approach reduces attacks or forces criminals to change tactics remains to be seen. What is clear, however, is that the government is drawing a line: the public purse will no longer fund digital extortion.