UK Ransomware Payment Ban: What Your Business Can't Do Anymore

Your Business Can't Pay Ransoms Anymore
The UK government confirmed on 22 July 2025 that it's proceeding with a ransomware payment ban. Public sector organisations and critical national infrastructure (CNI) operators won't be able to pay. Everyone else will need government permission before paying. And every victim, regardless of size, must report the attack within 72 hours.
The ban is the right policy direction. But it only works if businesses actually have defences worth relying on when the payment option disappears.
What changed
Three separate measures came out of the Home Office consultation, connected but distinct in scope.
The first is an outright ban on paying ransoms. It applies to all public sector bodies and the 13 sectors classified as CNI. That includes health, energy, finance, transport, communications, and defence, among others. If you operate in those sectors, paying a ransom becomes unlawful.
The second is a payment prevention regime. This covers everyone else, including private sector businesses. You're not banned from paying, but you can't just pay. You have to report your intent to pay before you pay, and the government reviews it, provides guidance, and discusses alternatives. And they can block the payment outright if it violates sanctions or terrorism financing law.
The third is mandatory reporting for all victims. Every ransomware victim must file an initial report within 72 hours and a detailed follow-up report within 28 days. This applies to all organisations, banned or not.
The consultation ran from January to April 2025, received 273 responses, and found that 72% supported the ban. Security Minister Dan Jarvis described ransomware as "a predatory crime that puts the public at risk, wrecks livelihoods and threatens services we depend on." Draft legislation hasn't been published yet, but the government confirmed all three measures are proceeding.
This is separate from the Cyber Security and Resilience Bill, with different legislation, a different timeline, and a different scope entirely.
Why should SMEs care more, not less?
The instinct is to think this only matters for hospitals and power companies, but it doesn't.
The National Crime Agency (NCA) recorded 547 UK ransomware incidents between November 2023 and October 2024. That's just the reported figure, and the actual number is higher because most businesses don't report at all. Once mandatory reporting kicks in, that count will climb.
Here's the economics of what happens next. The ban makes public sector and CNI targets less attractive to attackers because the money won't come. Attackers are rational, and they go where the payout is. When hospitals and councils can't pay, the next target is the 50-person accountancy firm that can. The two-tier system that critics flagged during the consultation isn't theoretical. It's the predictable outcome of banning payments for some organisations and not others.
If you're a private sector business, you fall under the payment prevention regime described above: you report your intent to pay, the government reviews it, offers guidance and alternatives, and can block the payment outright on sanctions grounds. All of this happens while your systems are still down, your clients are still waiting, and your staff are still locked out.
The 48% of businesses that already have a policy not to pay ransoms are better positioned. The other 52% need to think about what their plan actually is when paying stops being an option. Because "we'll figure it out when it happens" isn't a plan. It's a gap that attackers can see.
The insurance problem
UK cyber insurance claims hit GBP 197 million in 2024, up 230% from GBP 59 million in 2023. Ransomware's share of those claims grew from 32% to 51% in the same period. Insurers have been paying out, and the amounts are climbing fast.
The ban changes the maths for banned organisations. If paying a ransom becomes unlawful, your insurer can't reimburse an unlawful payment. Policies that cover ransom payments become worthless for that specific scenario in public sector and CNI.
For private sector businesses, it's more complicated. Your policy might still cover a payment in theory. But the new process means you have to report your intent, wait for government review, and potentially be told no. A policy that depends on speed of payment to limit damage doesn't work well when there's a government review step in the middle.
The smarter insurers are already shifting coverage towards incident response costs, business interruption, and recovery. That's where the real money goes anyway. The Synnovis attack on the NHS in June 2024 cost GBP 32.7 million and disrupted over 10,000 appointments. They refused to pay the Qilin group. The British Library refused to pay the Rhysida group in October 2023 and spent GBP 6-7 million on recovery, which was 40% of their reserves.
Those are the real costs, recovery rather than ransom, and your insurance should reflect that.
What does your incident response plan need now?
This is the section that matters most for anyone reading this before the legislation passes. The law hasn't been drafted yet, but the direction is confirmed. The time to prepare is before the legislation lands.
Reporting capability within 72 hours
You need to be able to identify an attack, understand what happened, and file a report within three days. That means you need monitoring that actually tells you when something has gone wrong, not monitoring that generates alerts nobody reads.
Seventy-two hours sounds generous until you're in it. The first 24 hours of a ransomware incident are chaos. You're confirming what's encrypted, working out which systems are affected, and trying to establish whether the attackers are still inside your network. Filing a structured report while you're still in triage is hard. Most businesses haven't done it before and don't have a template.
Build that template now, before you need it. Pre-populate the fields you already know: your organisation details, your IT infrastructure overview, your key contact details, your insurance policy number. The information you'll need to add during an incident (what was affected, when you discovered it, what data may have been compromised) should be listed as blank fields so you're filling in gaps rather than starting from scratch under pressure.
The 28-day follow-up report is more detailed. That one covers root cause, impact assessment, and remediation steps. You won't know all of that at 72 hours, and the government isn't expecting you to. But the initial report needs to be accurate, and you can't be accurate if you don't have visibility into your own systems.
A recovery plan that doesn't depend on paying
If your recovery plan's final step is "pay the ransom and get the decryption key," you don't have a recovery plan; you have a hope.
Backups are the obvious answer, but they need to be offline or immutable. Attackers target backup systems specifically because they know it's the alternative to paying. If your backups run on the same network as your production systems, they'll be encrypted too. Cloud backups are only safe if the credentials used to access them aren't stored on the machines that got hit.
Test your restores regularly, not once a year as a compliance exercise. Test them in a way that answers the question: if we lost everything tomorrow morning, how long until we're operational again? If you don't know that number, you're not prepared for this legislation.
Think about the business that assumed their insurance would cover a ransom payment, then discovered the payment would be blocked by government. There were no backups and no incident response plan. The payment was their only plan, and now it's gone. That business doesn't recover from the incident; it closes.
Decision-making authority documented in advance
When a ransomware demand lands, someone has to decide what to do. Under the new regime, that decision has regulatory consequences. Paying without reporting is a violation of the new rules. Reporting means government involvement in your decision.
Document now who makes that call, and be specific. Not "the board" as an abstraction, but the specific person who has authority to approve or reject a payment, who contacts the reporting body, and who communicates with the attackers (if communication happens at all). If that person is on holiday when the attack hits, who's the backup?
Legal and regulatory contacts pre-identified
The mandatory reporting requirement sends reports to a "relevant part of government." The exact receiving agency hasn't been confirmed yet. But you should already know how to contact the National Cyber Security Centre (NCSC), the NCA, your sector regulator if you have one, your insurer's incident response line, and your legal advisor.
Don't assemble this list during an incident. It should exist in a document that at least three people in your organisation can access, stored somewhere that won't be encrypted along with everything else. Print it and put it in a desk drawer, because the irony of an incident response contact list stored only on systems that are currently encrypted is not funny when you're living through it.
The enforcement question nobody can answer yet
The consultation was nearly evenly split on enforcement. Whether civil or criminal penalties apply is something the government hasn't said. This is the loose end in the whole framework. A ban without clear enforcement creates uncertainty, and uncertainty creates the kind of grey area where businesses convince themselves the rules don't quite apply to them.
I expect the enforcement detail will come with the draft legislation. But the gap matters for practical planning. If you're planning your incident response now (and you should be), you're planning against a rule where the penalty for breaking it is still unknown.
Cyber Essentials as the baseline
The NCSC's own guidance on ransomware explicitly states that Cyber Essentials (CE) certification "covers a number of these mitigations." That's not a sales pitch. That's the government's own technical authority saying that CE addresses the basics.
CE won't stop a sophisticated, targeted ransomware attack on its own. But 43% of UK businesses experienced a breach or attack in 2025. Most of those breaches exploited gaps that CE's five controls are designed to close: unpatched software, missing multi-factor authentication (MFA), poor access control, weak firewall rules, and inadequate malware protection.
The ban is the right policy direction. Paying ransoms funds criminals, doesn't guarantee recovery, and leaves your systems compromised. The NCSC has said as much for years. But without a clear path for SMEs to build proper defences, the ban creates a two-tier system where public sector is protected by legislation and SMEs become the more attractive target. CE is the baseline that closes that gap. It won't make you immune, but it makes you a harder target than the business next door that hasn't done it.
The UK would be the first country to implement a formal legislative ban on ransomware payments, and that's significant because it means there's no precedent to copy from, no other country's mistakes to learn from. The framework will be refined as it goes. What won't change is the direction: paying ransoms is on its way out, and your defences need to be strong enough that not paying is survivable.
If you don't know where you stand on those five controls, the readiness quiz takes five minutes and gives you honest feedback without talking to anyone. If your incident response plan doesn't exist yet, that's a bigger conversation, but it starts with knowing what you've actually got.