Marks and Spencer: Why resilience is the only long-term answer to ransomware

UK Government Bans Ransomware Payments for Public Sector, Mandates Disclosure for Private Firms

In July, the UK government announced a ban on ransomware payments for all public sector bodies, including local government and critical national infrastructure operators. Private sector organizations will now be required to notify authorities before paying a ransom in the event of a cyberattack.

The move, described as a "bold step" to curb ransomware threats, reflects growing concerns over the frequency of attacks targeting public institutions. However, the policy has exposed significant gaps in cyber resilience, particularly in the public sector, where underfunding and reliance on legacy systems leave organizations vulnerable. Many departments, including the NHS, struggle with outdated infrastructure that vendors no longer support, complicating patching and increasing exposure to attacks.

For the private sector, the ban complicates cyber insurance dynamics, as insurers may shift coverage away from ransom payments toward recovery and forensic support. High-profile incidents—such as the £300 million losses at Marks & Spencer and the government-backed £1.5 billion loan guarantee for Jaguar Land Rover—highlight the broader financial and operational risks of poor resilience.

With ransom payments off the table, organizations must prioritize three key areas: people, processes, and technology. Human error remains a leading cause of breaches, making security awareness training critical. Aligning with frameworks like NIST, NCSC, and ISO standards can strengthen incident response and business continuity planning. Meanwhile, immutable backups, disciplined patching, and managed detection services can reduce attack surfaces and limit breach impacts.

The policy underscores the need for systemic improvements in cyber resilience, as organizations can no longer rely on ransom payments as a fallback. The long-term effectiveness of the ban will depend on addressing underlying vulnerabilities in both public and private sectors.

Source: https://www.cybersecurity-insiders.com/why-resilience-is-the-only-long-term-answer-to-ransomware/

TPRM report: https://www.rankiteo.com/company/marks-and-spencer

"id": "mar1765727761",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Public Sector, Healthcare',
                        'location': 'United Kingdom',
                        'name': 'UK Public Sector (including NHS)',
                        'size': 'Large',
                        'type': 'Government / Healthcare'},
                       {'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Marks & Spencer',
                        'size': 'Large',
                        'type': 'Private Sector / Retail'},
                       {'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Co-Op',
                        'size': 'Large',
                        'type': 'Private Sector / Retail'},
                       {'industry': 'Automotive',
                        'location': 'United Kingdom',
                        'name': 'Jaguar Land Rover (JLR)',
                        'size': 'Large',
                        'type': 'Private Sector / Automotive'},
                       {'industry': 'Energy, Transport, Utilities',
                        'location': 'United Kingdom',
                        'name': 'Critical National Infrastructure Operators',
                        'size': 'Large',
                        'type': 'Private/Public Sector'}],
 'date_publicly_disclosed': '2024-07',
 'description': 'The UK government announced a ban on ransomware payments for '
                'public sector bodies, including local government and critical '
                'national infrastructure operators. Private sector '
                'organizations must notify the government of any intended '
                'ransom payments. The policy aims to reduce ransomware attacks '
                'but highlights gaps in resilience and preparedness across '
                'sectors.',
 'impact': {'brand_reputation_impact': 'Potential long-term damage',
            'downtime': 'Prolonged shutdowns (e.g., Jaguar Land Rover)',
            'financial_loss': '£300 million (Marks & Spencer), £1.5bn loan '
                              'guarantee (Jaguar Land Rover)',
            'operational_impact': 'Service interruptions, recovery challenges',
            'revenue_loss': 'Significant (e.g., Marks & Spencer, Jaguar Land '
                            'Rover)',
            'systems_affected': 'Legacy systems, critical infrastructure, NHS '
                                'systems'},
 'lessons_learned': 'Organizations lack resilience and preparedness to '
                    'withstand ransomware attacks. Public sector suffers from '
                    'chronic underfunding and legacy infrastructure. Private '
                    'sector faces financial and operational risks beyond '
                    'ransom payments. Cyber insurance may exclude ransom '
                    'payments, shifting focus to recovery support.',
 'motivation': 'Financial gain, disruption of services',
 'post_incident_analysis': {'corrective_actions': 'Government funding, '
                                                  'resilience strategies, '
                                                  'adoption of security '
                                                  'frameworks, improved backup '
                                                  'and recovery measures, '
                                                  'supply chain security',
                            'root_causes': 'Legacy infrastructure, unsupported '
                                           'software, lack of patching, human '
                                           'error, underfunding, supply chain '
                                           'vulnerabilities'},
 'ransomware': {'data_encryption': 'Common in ransomware attacks',
                'data_exfiltration': 'Common in ransomware attacks',
                'ransom_paid': 'Banned for public sector; private sector must '
                               'notify government'},
 'recommendations': ['Improve resilience through people, processes, and '
                     'technology.',
                     'Adopt security frameworks (NIST, NCSC, ISO 27001, ISO '
                     '22301).',
                     'Conduct regular incident response and business '
                     'continuity testing.',
                     'Address human error through awareness training and '
                     'cultural change.',
                     'Implement immutable/air-gapped backups and disciplined '
                     'patching regimes.',
                     'Use managed detection and response (MDR) services for '
                     'real-time visibility.',
                     'Extend resilience strategies to the supply chain.',
                     'Avoid reliance on ransom payments; focus on recovery and '
                     'resilience.'],
 'references': [{'source': 'UK Government Policy Announcement'},
                {'source': "Media Reports (e.g., 'bold step,' 'strategic "
                           "win')"}],
 'regulatory_compliance': {'regulatory_notifications': 'Private sector must '
                                                       'notify government of '
                                                       'ransom payments'},
 'response': {'enhanced_monitoring': 'Managed detection and response (MDR) '
                                     'services',
              'recovery_measures': 'Government loan guarantees (e.g., JLR), '
                                   'supply chain resilience strategies',
              'remediation_measures': 'Immutable/air-gapped backups, '
                                      'disciplined patching, managed detection '
                                      'and response (MDR) services'},
 'title': 'UK Government Ban on Ransomware Payments for Public Sector and '
          'Critical Infrastructure',
 'type': 'Policy Announcement / Ransomware Threat Landscape',
 'vulnerability_exploited': 'Legacy infrastructure, unsupported software, lack '
                            'of patching, human error'}