UK sticks it to cybercriminals with ban on ransomware payments

You’ve heard the phrase, “We don’t negotiate with terrorists.” Well, the UK government seems to have a similar approach in mind for dealing with cybercriminals.

Today, the British government announced it will introduce new cybersecurity measures to prohibit public sector and critical national infrastructure organizations from making ransomware payments to cybercriminals.

In ransomware attacks, cybercriminals steal data or take control of critical technology infrastructure, then demand ransom payments to restore access.

A blog post published today by the UK Home Office says the new ransomware rule will affect the country’s National Health Service (NHS), local government councils, and schools. The UK government stated that almost three-quarters of people surveyed about the measure supported this proposal.

Mashable Light Speed

The new cybersecurity rules are designed to protect both public organizations and private businesses. According to Bleeping Computer, the measure will also require businesses to notify the government before making ransomware payments. This would allow the government to prevent payments to sanctioned cybercriminal gangs in countries like Russia.

Ransomware is a persistent cybersecurity threat, and the recent ransomware attack against cryptocurrency exchange Coinbase earned a spot in our guide to the biggest data breaches of the year. In the UK, cybercriminals also famously attacked the NHS, and more recently, the retail company Marks & Spencer.

In the Coinbase breach, hackers held hostage data from nearly 70,000 Coinbase customers and demanded $20 million to restore access to compromised customer support systems. Refusing to pay the ransom, Coinbase instead established a $20 million reward to bring the criminals responsible for the attack to justice and promised to cover financial losses to their users.

Companies in the United States face both federal and state regulations that require them to report ransomware incidents. However, according to the National Conference of State Legislatures, North Carolina is the only state with legislation that prohibits payments to ransomware groups. In addition, this law only applies to state agencies and local governments.

The new rules from the United Kingdom could be the start of a new approach to ransomware payments, an international problem for governments and businesses alike.