
On the 22nd of July, the UK government published its plans to crack down on cyber criminals who use ransomware. In a move designed to strengthen national cyber resilience and reduce the growing threat of ransomware attacks, the government plans to ban public bodies from paying these ransoms. The decision comes after a surge in cyber incidents targeting schools, councils, hospitals, and other vital services, with millions of pounds being lost to criminal groups each year. In 2023 alone, over $1 billion was lost to ransom attacks worldwide.
Ransomware has become one of the most disruptive forms of cybercrime. It involves hackers gaining access to an organisation’s systems, locking critical files and then demanding a payment for their release. Some victims will be pressured to pay in order to restore their services quickly, but officials warn that this approach can fuel criminal activity further and offers no guarantee of full recovery. In some cases, even after a ransom has been paid, stolen data has been leaked or resold.
Previous Attacks
UK public bodies have fallen victim to ransomware attacks in the past. One of the most damaging was the WannaCry ransomware attack of May 2017. The NHS was one of the biggest organisations impacted, with over 70,000 devices affected, including computers, MRI scanners, blood-storage refrigerators and theatre equipment. The attack led to NHS services turning away some non-critical emergencies, and some ambulances were diverted.
The cost of this cyber attack to the NHS was estimated at around £92 million. The attack exploited a weakness in Microsoft software. Microsoft had already released an update that patched the weakness, but computers that had not installed the update, and older computers running versions of Microsoft software that were no longer supported, could still be exploited. Worldwide, 327 payments were made to the ransomware criminals before their attack was reversed, totalling $130,634.77. It is worth noting that the NHS did not pay the ransom; the £92 million figure comes from the infrastructure overhaul and the redistribution of services that were disrupted.
With that context in mind, it is clear why the UK government has taken the stance of refusing ransom demands. They believe that by refusing to pay the ransoms, the UK will be a less attractive target for attackers. The government also believes that it will encourage public bodies to focus on building resilience and preparing for recovery without paying off criminals.
The ban is expected to cover all public sector organisations, from local councils and schools to NHS trusts and government departments. Officials argue that this is not just a financial issue, but also a matter of public trust and national security. Paying ransoms drains public funds that should be spent on essential services, and it signals to cybercriminals that the UK is a profitable target.
“What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.” – Co-op CEO, Shirine Khoury-Haq
You may remember the Co-op cyber attack that occurred in July 2025, where all 6.5m members had data stolen. The government is urging organisations to prioritise three key areas:
Prevention
Preventing cyber attacks before they happen is an essential first step for organisations. Strengthening security controls, through measures such as multi-factor authentication (MFA) and admin account separation, can ensure that a single compromised account cannot cripple an entire organisation. Furthermore, training staff to recognise a phishing email and to practise good password hygiene can ensure that human error plays no part in a cyber attack.
One of the simplest and most effective ways of staying protected is keeping systems up to date. As the WannaCry ransomware attack showed, running systems that are out of date makes them more vulnerable, as software developers like Microsoft actively update their software to protect it from new threats.
Preparedness
The next step is for when the worst does happen. Responding quickly and being prepared for an attack can massively reduce the potential damage. Having a clear Incident Response Plan (IRP) is extremely beneficial.
A strong IRP allows your organisation to spot unusual activity quickly, making red flags easier to recognise. You can act immediately, isolating infected systems before the malware reaches critical assets. With an IRP, roles can be assigned in advance, so that everyone knows their job and can work to contain the damage while the attack is happening.
Having pre-documented recovery steps (restoring from backups, etc.) will reduce downtime, ensuring essential services can continue while systems are cleaned.
Preparing your communication strategy beforehand and having it pre-approved can make it easier to inform staff, customers, regulators and the media without damaging trust and spreading misinformation. This also means that legal and compliance teams can be looped in quickly, reducing the risk of fines or regulatory backlash.
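One way the "spot unusual activity quickly, then isolate" step of an IRP can be automated, as an added example that is not code from the original article or from any NHS or government tooling. It assumes a constructed tab-separated file-audit format and flags any process that changes the extension of many files within a short window, which is the pattern a mass-encryption run leaves behind:

```python
# Added example, not from the original article. Assumes a constructed
# tab-separated audit format "time<TAB>host<TAB>process<TAB>action<TAB>path",
# where a RENAME path reads "old -> new". A process that changes the extension
# of many files inside one window is flagged so the host can be isolated.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window length
THRESHOLD = 20                  # extension-changing renames per window; tune per estate

def parse(line):
    ts, host, proc, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), host, proc, action, path

def extension_changed(rename_path):
    """True when a RENAME record 'old -> new' changes the file extension."""
    old, _, new = rename_path.partition(" -> ")
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]

def find_suspects(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, process): peak count} for processes reaching the threshold."""
    stamps_by_proc = defaultdict(list)
    for line in lines:
        ts, host, proc, action, path = parse(line)
        if action == "RENAME" and extension_changed(path):
            stamps_by_proc[(host, proc)].append(ts)
    suspects = {}
    for key, stamps in stamps_by_proc.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                suspects[key] = max(suspects.get(key, 0), count)
    return suspects

def constructed_log():  # constructed sample: one benign write plus a 25-file burst
    base = datetime(2025, 7, 22, 9, 0, 0)
    lines = [f"{base.isoformat()}\tws-14\twinword.exe\tWRITE\tC:\\Users\\amy\\report.docx"]
    for i in range(25):  # 25 renames to .locked within 25 seconds from one process
        t = (base + timedelta(seconds=60 + i)).isoformat()
        lines.append(f"{t}\tws-14\tsvc_upd.exe\tRENAME\tC:\\Share\\f{i}.docx -> C:\\Share\\f{i}.docx.locked")
    return lines

if __name__ == "__main__":
    print(find_suspects(constructed_log()))  # {('ws-14', 'svc_upd.exe'): 25}
```

A hit is a trigger for the pre-assigned IRP roles to isolate the named host, not proof of ransomware on its own; legitimate bulk tooling (archivers, migrations) may need an allow-list.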
Michael Clarke-Sale, Head of Technology at the NHS Counter Fraud Authority, said at The 2025 Public Sector Cyber Security Conference:
“Cybersecurity needs to be cultivated as not just a personal or regulatory duty, but as an organisation-wide responsibility.” – Michael Clarke-Sale
The 2026 Public Sector Cyber Security Conference is happening on the 5th of February. We are building off the award-winning 2025 conference, bringing in more speakers and sponsors to create a free-to-attend day that is full of learning, collaborating and networking.

Recovery
Many organisations focus heavily on prevention, but without a robust recovery plan, a single breach can be devastating. Two key components of recovery are reliable offline backups and disaster recovery strategies. Offline backups are important because ransomware often encrypts connected drives, including cloud-synced storage. Offline or ‘air-gapped’ backups are disconnected from the network, making them immune to ransomware attacks.
Experts say that best practice is to regularly schedule backups, whether it is daily or weekly, to ensure you don’t lose key data in case of system encryption.
Disaster recovery is a broader strategy that ensures business continuity during and after a cyber attack. It puts procedures in place that define how systems and data are restored. For example, if you are restoring from your backups, which systems do you want to restore first? If it were the NHS, it might recover patient records first, as that is the most important information it requires.
Having disaster recovery in place allows organisations to respond quickly, following a set of pre-determined steps so that the organisation spends the least possible time down.
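The backup schedule, restore ordering and "no guarantee of full recovery" points above, turned into a small readiness check. This is an added example, not code from the original article; it assumes a constructed inventory (restore priority, agreed daily or weekly offline backup frequency, time of the last air-gapped copy) and a SHA-256 manifest written when the backup was taken:

```python
# Added example, not from the original article. Assumes a constructed system
# inventory and a constructed SHA-256 manifest; checks which offline backups
# have fallen outside their schedule, the order systems should be restored in,
# and whether restored files match what was backed up.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

FREQUENCY = {"daily": timedelta(days=1), "weekly": timedelta(days=7)}

@dataclass
class System:
    name: str
    priority: int                  # 1 = restore first (e.g. patient records)
    schedule: str                  # agreed offline backup frequency
    last_offline_backup: datetime  # when the last air-gapped copy was taken

def stale_backups(systems, now):
    """Names of systems whose latest offline copy is older than its schedule."""
    return [s.name for s in systems
            if now - s.last_offline_backup > FREQUENCY[s.schedule]]

def restore_order(systems):
    """Restore sequence: lowest priority number first, ties broken by name."""
    return [s.name for s in sorted(systems, key=lambda s: (s.priority, s.name))]

def verify_restore(manifest, restored):
    """Compare restored file bytes with the manifest; returns (missing, corrupt)."""
    missing = [p for p in manifest if p not in restored]
    corrupt = [p for p, data in restored.items()
               if p in manifest and hashlib.sha256(data).hexdigest() != manifest[p]]
    return missing, corrupt

# Constructed inventory and a constructed manifest/restore pair for the demo.
NOW = datetime(2025, 7, 22, 8, 0)
INVENTORY = [
    System("patient-records", 1, "daily", NOW - timedelta(hours=20)),
    System("email", 3, "daily", NOW - timedelta(days=3)),        # overdue
    System("intranet", 2, "weekly", NOW - timedelta(days=5)),
]
MANIFEST = {"records/2025-07.db": hashlib.sha256(b"constructed record data").hexdigest(),
            "records/index.db": hashlib.sha256(b"constructed index").hexdigest()}
RESTORED = {"records/2025-07.db": b"constructed record data",  # intact
            "records/index.db": b"tampered"}                    # does not match manifest

if __name__ == "__main__":
    print("overdue offline backups:", stale_backups(INVENTORY, NOW))   # ['email']
    print("restore order:", restore_order(INVENTORY))  # ['patient-records', 'intranet', 'email']
    print("missing, corrupt:", verify_restore(MANIFEST, RESTORED))  # ([], ['records/index.db'])
```

Running the manifest comparison against a periodic test restore, not only after an incident, is what turns a backup schedule into a recovery guarantee.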
These measures are intended to create a more robust defence against ransomware threats. The decision reflects growing recognition that ransomware is not just an IT issue but a societal one. When schools are forced offline, hospital appointments cancelled, or council services delayed, entire communities feel the impact. By banning ransom payments, the government aims to shift the focus towards resilience, safeguarding both services and the people who rely on them.
Looking ahead, the ban will require public bodies to change how they view cyber risk. Rather than hoping for the best or resorting to ransom payments as a last resort, resilience must become central to everyday operations. Officials believe that this approach will reduce the UK’s vulnerability, protect taxpayer money, and send a clear message that cyber extortion will not be rewarded.
This topic will be spoken about in detail at The Public Sector Cyber Security Conference, on the 5th of February 2026. It is a free to attend, in-person event happening in Westminster, London. We have got some excellent speakers and sponsors lined up, with more to be confirmed. We are also going to be hosting a free online webinar in early November, which will help to inform you on best practice for cyber security. Keep an eye out, we’ll be announcing more details soon.