Tue 04 Feb 2025

Ransomware: Time for a change of approach?

The Home Office of the UK Government recently began a consultation on proposals to change the rules on how to respond to ransomware attacks. The consultation should serve as an important prompt for organisations to ensure they understand how to handle ransomware attacks.

What is ransomware?

Ransomware is a type of malicious software which infects a victim's computer systems and prevents the victim from accessing data or systems, usually by encrypting them, and increasingly also facilitates the theft of data before encryption. The attacker then typically demands a ransom payment in return for restoring the data or access to the affected systems, or for agreeing not to publish the stolen data. It is considered to be the most significant cyber security threat to the UK and is a lucrative tactic for cyber criminals, made easier by attackers insisting on payment in cryptocurrency, which makes payments harder to trace and recover. Sophisticated criminal groups, often based outside the UK, such as LockBit and Evil Corp, have been actively involved in ransomware attacks in recent years and have been targeted by law enforcement agencies, such as the UK's National Crime Agency.

Anyone from individuals to multinational corporations and public bodies can fall victim to ransomware attacks, though attackers often target large organisations as they are perceived as more likely to have money available to pay the ransom. Noteworthy ransomware cases in recent years have seen bodies such as the NHS, Royal Mail, Capita, the British Library and the Guardian affected by large-scale ransomware attacks. The consequences of a ransomware attack are not only financial (including the cost of disruption and recovery) but also reputational, should attackers gain access to and disclose commercially sensitive or personal data.

Proposals

In order to combat the prevalence of ransomware in the UK, the Home Office's consultation asks for comment on three main proposals with the intention of making the UK an unattractive target for cyber criminals. 

1. Targeted Ban on Ransomware Payments

The UK Government proposes a blanket prohibition on all public sector bodies (including local government) and owners and operators of critical national infrastructure regulated by government from making ransom payments. A similar ban already exists, but it only extends to central government departments. The proposal also seeks views on how best to encourage compliance with the ban, for example whether non-compliance should be a criminal offence or should attract a civil fine. The consultation further states that this would be a public and binding commitment not to pay ransoms, meaning that attackers would be well aware of the ban and may be deterred from investing time, money and resources in attacking such bodies.

Although this would not appear to have a direct impact on most businesses, it is worth considering that, if the ban is implemented, attackers may look away from public sector bodies, which may lead to a larger number of attacks on private businesses.

2. Ransomware Payment Prevention Regime

The second proposal featured in the consultation would see the introduction of a scheme which would require any other victim of a ransomware attack to report their intention to make a ransom payment before making it. This would enable intervention from the authorities, who would be able to offer guidance and support on alternative means of resolution. As part of this scheme, there would be an assessment of whether the payment ought to be blocked for any reason (for example, if it would breach terrorism financing laws or sanctions). This case-by-case intervention is proposed because the UK Government is seeking to improve its understanding of the ransomware payment landscape.

From the perspective of many businesses, this would be preferable to a hard-line blanket ban, since it allows a case-by-case assessment of the attack, provides guidance and support from the authorities, and takes into account that there will inevitably be situations in which businesses feel it is necessary to pay the ransom (for example, where the affected data is particularly sensitive). However, it is important to note that payment of a ransom is by no means a guarantee that affected data or systems will be restored, that any decryption tool supplied will work reliably, or that stolen data will not be disclosed on the "dark web"; the attackers retain a copy of whatever they have taken. There also remains the possibility that some businesses might avoid the scheme altogether and make covert ransom payments, which would be in direct conflict with the policy the UK Government is aiming to pursue. To encourage compliance with the regime, the UK Government has invited views on whether there should be criminal and/or civil penalties for breach and whether certain organisations, such as charities or smaller businesses, should be exempt from the requirements.

3. Ransomware Incident Reporting Regime

In order to aid the UK Government's understanding of the ransomware landscape and combat the under-reporting of ransomware attacks, an incident reporting regime is proposed. This would help ensure that any advice or guidance issued is up to date, allow the effectiveness of countermeasures to be monitored, and assist in compiling evidence and intelligence to combat ransomware gangs. Reporting would be mandatory for ransomware attacks surpassing a certain threshold, though all victims of ransomware would be encouraged to use the regime. An initial report would be required within 72 hours of the attack, covering details such as whether a ransom demand has been received, whether the business is able to recover and any known details about the attacker, with a full report being required within 28 days.

Good Practice

Although these measures could provide important information to the UK Government about how best to tackle ransomware, for now, it lies with organisations to ensure they are prepared and know how to handle ransomware attacks should they fall victim. 

We have listed some key points below to reduce the risk and impact of a ransomware attack:

  • Implement cybersecurity measures. Implement strong measures and protections such as firewalls, antivirus software and detection and monitoring systems. These, and the operating systems and applications they protect, should be regularly updated and patched, since attackers frequently gain entry through known vulnerabilities in internet-facing services that have not been patched.
  • Educate employees. Educate employees about phishing scams and safe email practices, since this is how many ransomware attackers gain initial access to systems and data.
  • Conduct regular backups. Maintain regular, encrypted backups of critical data, stored offline or in a separate, secure network so that an attacker who compromises the main network cannot encrypt or delete the backups too. Test restoring from the backups periodically; a backup that has never been restored may not work when it is needed.

If your business does fall victim to a ransomware attack, you should:

  • Isolate any infected systems - disconnect affected devices from the wider network to prevent the ransomware from spreading. Disconnect rather than wipe or rebuild them immediately, so that evidence needed for the investigation is preserved.
  • Contact the authorities - law enforcement and the national cyber security authorities should be able to provide guidance and support on the immediate steps you should take.
  • Consider whether payment is the right option - it may be tempting to pay the ransom, but this requires careful consideration. Payment is no guarantee that data will be recovered or not leaked, may be unlawful if the recipient is sanctioned, and could encourage future attacks.
  • Consider data protection obligations - depending on the type of data affected, you may have legal obligations to report the breach, for example to the Information Commissioner's Office under the UK GDPR, generally within 72 hours of becoming aware of it, and to notify affected individuals.
  • Conduct a post-attack review - investigate how the attack occurred (the initial point of entry, the accounts and systems used, and the data accessed) in order to address vulnerabilities and strengthen defences.

Should you require advice or assistance in relation to data protection and cybersecurity, please do not hesitate to contact David Gourlay or another member of our Data Protection and Cybersecurity team.

This article was co-written by George Munro, Trainee Solicitor.
