UK Proposes Ransomware Payment Ban for Public Sector — A Step in the Right Direction

The UK government has proposed banning public sector entities — including national healthcare, education institutions, libraries, and other government bodies — from making ransomware payments. This move addresses a core motivator for cybercriminals: financial profit.

This restriction will choke the very motivation of cybercriminals, to deter them from spending the effort in targeting these institutions. If criminals know they will not be paid by certain entities, they will move on to other victims who will.

This is a start, but does not go far enough.

Back in 2021, I proposed a comprehensive strategy to end ransomware, grounded in the key insight that this threat would continue to escalate as long as attackers continue getting paid. (Watch the 2021 proposal here.)

The solution is simple, outlaw digital extortion payments — period. This undermines the incentives of conducting these attacks.

When I first proposed this approach, there was considerable backlash. Many feared the loss of the option to pay a ransom in the worst-case scenario. I took those concerns seriously and addressed them one by one across a series of videos and open discussions.

With the right planning, support, and exemptions where truly necessary, this can be a low-risk, high-impact strategy that protects all organizations — not just the wealthy or technically sophisticated.

The truth is, the status quo benefits three groups:

1. Cybercriminals who thrive on ransom payments
2. Nation-states using ransomware as a geopolitical tool
3. Cybersecurity vendors profiting from reactive, piecemeal solutions

Only now are governments beginning to take steps toward a strategy that is scalable, sustainable, and focused on deterrence rather than endless defense.

I applaud the UK’s leadership in moving in this direction.

But we must go further.

If we are serious about eradicating ransomware and other forms of digital extortion, we must put in plans to outlaw payments and financial support to criminals — not just in the public sector, but everywhere. This is the only way to eliminate the motivation behind these attacks.

Let’s stop the ineffective cycle of patching defenses against an incentive-driven crime and instead remove the incentive altogether.