UK to ban public sector from paying ransomware demands
The UK government will introduce a ban on public sector organisations paying ransoms to cybercriminals, aiming to reduce the appeal of ransomware attacks against critical public services.

The UK government has announced a forthcoming ban preventing public sector bodies, including the National Health Service (NHS), local authorities, and schools, from paying ransoms to hackers. This policy is intended to deter ransomware gangs by undermining their core business model and decreasing the incentive to target essential public services.
The announcement, made by Home Office security minister Dan Jarvis on 23 July 2025, is part of a broader cybersecurity strategy. Jarvis stated that ransomware ‘puts the public at risk, wrecks livelihoods and threatens the services we depend on.’ The plan also encourages all organisations to strengthen cybersecurity measures and maintain operational resilience even during cyber incidents.
While the ban applies to public sector institutions, private companies will still be permitted to pay ransoms but will be expected to notify the authorities before doing so. Notification matters most where the attackers may be a sanctioned group, often based in Russia, because a payment to such a group would expose the paying company to legal risk.
Ransomware remains a serious threat in the UK. A notable attack in June 2025 on Synnovis, an NHS pathology provider, disrupted medical services across five major London hospitals. According to Sophos, the average recovery cost for ransomware incidents in the UK rose to $2.58 million, though the proportion of businesses recovering within a week has improved from 38% to 59%.
Why does this matter?
Banning ransom payments by public bodies may reduce the profitability of targeting government services, ultimately leading to fewer attacks. However, the policy also raises concerns about operational disruption and the ethical dilemma of not paying when critical services, such as healthcare, are at stake.