The UK’s Home Office is considering regulations that would ban many of the country’s critical organizations from making payments to criminals in the event of a ransomware attack.
The proposed rules would make it a criminal offense for public entities like schools, city councils, and healthcare providers to make payments to cybercriminals who are holding their data hostage. These regulations would also extend to companies in critical infrastructure sectors, including energy and communications. Notably, the UK has already restricted its government agencies from making payments to ransomware criminals.
Another key proposal introduces a mandatory reporting system for ransomware incidents, requiring all victims of fraud—regardless of whether they fall under the new rules—to report such attacks. The Home Office is also considering technology solutions that would give them the power to limit ransom payments.
Striking at the Heart
The proposed legislation is intended to “strike at the heart of the cybercriminal business model” after a rash of ransomware attacks plagued UK organizations. One prominent attacks was on Synovis, a pathology testing partner with the UK’s publicly funded National Health Service (NHS).
Hackers infiltrated Synovis’ systems and demanded ransom payments in exchange for the return of critical patient data. It is not known if Synovis engaged in negotiations with the Russian-based cybercriminals, but it appears they did not—the hackers subsequently published hundreds of patient records to the dark web.
The loss of patient data at Synovis caused months of disruption to the company’s operations, and also caused ramifications across the UK’s healthcare system. While many patients were impacted, there were two cases where the data breach directly caused lasting health damage.
Nationally Significant
According to Home Office data, the UK’s National Cyber Security Center managed 430 cyber incidents over the 12 months prior to last August, 13 of which it considered to be nationally significant. These attacks were largely perpetrated by Russia-affiliated bad actors which the Home Office considers an “immediate and disruptive threat” to the UK’s infrastructure.
Concerns about the prevalence of ransomware attacks have been echoed in the U.S., where a recent study found that the percentage of reported ransomware attacks involving U.S. organizations increased from 51% to 65% in 2024.
Ransomware attacks often target sectors like the healthcare and the financial services industries, which safeguard critical health and financial data. The impacts of these attacks drove the U.S. to organize a 40-country alliance designed to put an end to ransom payments, but American lawmakers have stopped short of instituting a ransom payment ban.
