The UK government has introduced new rules under which public sector bodies and operators of Critical National Infrastructure, including hospitals, schools and local councils, are banned from paying ransom demands to cybercriminals.
The change is designed to stop attackers from profiting and to reduce the number of ransomware incidents that disrupt essential services. For private organisations, a separate "payment prevention regime" is being developed.
Under that regime, a company that intends to pay a ransom must first notify the authorities. This gives officials time to check whether the payment would breach financial sanctions or other laws before any money changes hands. The government is also planning mandatory reporting of ransomware incidents so that law enforcement can build an accurate picture of the scale and nature of attacks.
What Organisations Must Do After a Ransomware Attack
If your organisation suffers a ransomware attack, there are now clear steps you must take. The first action is to isolate infected devices from the network to stop the malware spreading. Disconnect them rather than powering them off where you can, because a switched-off machine loses volatile evidence that investigators may need.
You must then report the incident through the official cyber reporting channels. If any personal data has been lost, altered or disclosed, the breach must also be reported to the Information Commissioner's Office (ICO) under data protection law.
Regulated businesses may additionally need to inform their industry regulator. Contacting your insurer immediately is equally important.
Many insurers provide dedicated cyber support teams that can help manage the incident, the recovery and the reporting obligations. Seeking legal advice is strongly recommended as well, so that you do not inadvertently breach financial sanctions by making an illegal payment to a sanctioned group.
The Growing Ransomware Threat
Ransomware remains one of the fastest-growing cyber threats in the UK. Around half of all businesses report experiencing a cyber attack each year, and roughly six per cent of those incidents involve ransomware or related attacks such as data breaches, phishing and vishing.
Official figures show that about one per cent of UK businesses — nearly 19,000 firms — faced a ransomware crime in the past year, double the figure from 2024. The rise reflects both the growing sophistication of attacks and businesses' increasing reliance on digital systems, software and AI-driven customer service.
Criminal groups now target companies of all sizes, knowing that even small firms often hold valuable data or cannot operate without their digital infrastructure.
Options to Reduce Risk and Manage Costs
The best defence against ransomware is preparation. Companies should keep secure, offline backups, regularly test that they can actually restore from them, and train staff to recognise phishing emails and suspicious links. Good cyber hygiene stops most attacks before they succeed.
It is also vital to review cyber insurance policies and clarify exactly what is covered. Some insurers may no longer reimburse ransom payments under the new laws, but they may still cover recovery costs, investigation fees and data restoration.
For organisations under immediate financial pressure after an attack, short-term options such as cyber incident loans or bridging finance can cover costs while insurance claims or regulatory approvals are pending. These products can be repaid once the business regains access to its assets or systems.
Another option is a data breach claim against the company you believe is liable for the attack, which may include a third-party IT or software provider.
What the Changes Mean
The ban on ransom payments marks a major shift in how the UK deals with cybercrime. Paying a ransom will no longer be seen as a quick fix but as a potential legal risk.
The new laws push organisations to strengthen their defences, improve their reporting and seek professional help rather than fund criminal activity.
While this may increase short-term pressure on businesses that are attacked, the aim is a safer digital environment for everyone.
Companies that plan ahead, with solid cyber security, appropriate insurance cover and clear reporting procedures, will be best placed to adapt to the new rules and to recover quickly if the worst happens.