Department for Culture, Media and Sport: UK Ransomware Payment Ban to Come with Exemptions

There will be “national security exemptions” to the ransomware payment ban proposed by the UK government, according to British Security Minister Dan Jarvis.

The ban, which was subject to public consultation from January to April 2025 and received support from three-quarters of respondents, was confirmed in July and described in more detail by the UK government in a policy paper published on September 2.

If adopted, the new legislative proposal would ban ransomware payments for public sector and critical national infrastructure (CNI) organizations as well as require other businesses to notify the government of any intent to pay a ransom to attackers.

Speaking at the Financial Times’ Cyber Resilience Summit: Europe, held in London on December 3, the minister said the proposition was his “personal priority.”

He also said that the current arrangements, under which each organization chooses whether to pay cybercriminals a ransom, are “not sustainable” as they don’t offer organizations any meaningful guarantee they will get their data back.

Security Minister Pushes Ban Across Government and CNI Organizations

Asked about the next steps for the proposal, Jarvis said it will be adopted “when parliamentary time allows.”

He continued by explaining he is currently “seeking agreement across government” and consulting with CNI organizations and the private sector to “ensure that our proposals are going to work in the most effective way.”

Jarvis said that the government has acknowledged war

Source: https://www.infosecurity-magazine.com/news/uk-ransomware-payment-ban/

TPRM report: https://www.rankiteo.com/company/dcmsgovuk

"id": "dcm1764770468",
"linkid": "dcmsgovuk",
"type": "Ransomware",
"date": "09/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"