
In a Nutshell:
As ransomware attacks surge worldwide, governments are weighing the introduction of legal bans on ransom payments – especially for public sector and critical infrastructure organisations. Should paying ransoms be outlawed to disrupt cybercrime, or does such a ban risk punishing victims and endangering vital services – are such bans even feasible?
Who (would be impacted by a ransomware payment ban)?
- Public sector organisations (government departments, schools, healthcare, local authorities).
- Critical national infrastructure (CNI) operators (energy, transport, water, etc.).
- Private sector organisations (in some proposals, especially those supplying public/CNI sectors).
- Policymakers and regulators in the UK, US, Australia, and other countries considering or implementing bans.
- Cybersecurity professionals, insurers, and business leaders navigating the operational and ethical landscape.
What (is at stake)?
A growing number of governments are considering legal bans on paying ransomware demands — especially for public sector and critical infrastructure organisations. Some proposals go further, requiring all ransomware victims to report incidents and intentions to pay, with authorities empowered to block payments to sanctioned or terrorist-linked groups.
Where (are bans being considered)?
- United Kingdom: Currently consulting on a targeted ban for public sector and CNI, plus a broader “payment prevention regime” for all organisations.
- Australia: Already requires reporting of ransomware payments for critical infrastructure; broader bans under discussion.
- United States: Ongoing debate, with some states (e.g., Florida) trialling bans for public entities; federal task forces have advised caution.
- Other countries: Some EU and Western nations are considering similar measures, often coordinated through international initiatives.
When (can we expect legislative decisions)?
- UK: Consultation on the proposed ban closed April 2025; legislation could follow later this year or in 2026.
- Australia: Reporting requirements in effect; further bans possible.
- US: State-level bans in place in some regions; federal action under debate.
- Global: The debate is intensifying as ransomware attacks and payouts reach record highs.
The Debate, Tensions, and Trade-offs
Why (SHOULD we ban ransomware payments)?
- Disrupting the Ransomware Business Model: Banning payments removes the financial incentive for attackers, potentially making entire sectors less attractive targets.
- Reducing Recurrence: Paying ransoms is correlated with increased likelihood of repeat attacks, as criminals target organisations known to pay.
- Ethical and National Security Concerns: Payments can fund organised crime, terrorism, and hostile nation-states.
- Public Interest: Especially for taxpayer-funded bodies, there’s a strong argument against using public funds to pay criminals.
- Encouraging Better Defences: A ban could push organisations to invest more in prevention, resilience, and backup strategies, reducing overall vulnerability.
Why (SHOULDN’T we ban ransomware payments)?
- Operational Reality: For some organisations (especially in healthcare or critical services) paying may be the only way to restore operations quickly and avoid catastrophic harm (e.g., risk to life, public safety).
- Punishing Victims: Bans may be seen as penalizing organisations already suffering from crime, limiting their options in crisis.
- Underground Payments and Underreporting: Bans could drive ransom payments underground, making attacks less visible and harder to track, thereby reducing intelligence for law enforcement.
- Global Displacement: Criminals may shift focus to regions or sectors not covered by bans, or adapt their tactics (e.g., data theft, extortion without encryption).
- Insurance and Financial Fallout: Some worry bans could increase insurance premiums or force businesses into insolvency if recovery is impossible without payment.
Practical and Enforcement Challenges
- Enforcement Difficulties: Cryptocurrency and international actors make it difficult, if not impossible, to monitor and prevent payments with reasonable effort.
- Need for Exceptions: Many experts call for clear carve-outs (e.g., for life-threatening emergencies) and phased implementation, especially for critical infrastructure.
- International Coordination: Without global alignment, bans may have limited effect and could create uneven risk landscapes.
- Legal Grey Areas: In many jurisdictions, paying a ransom is not explicitly illegal—only payments to sanctioned entities are. Introducing a ban would require new legislation, and enforcement would depend on proving intent and knowledge, which is legally complex.
- Root cause: Many see bans as a distraction that shifts attention away from the underlying cause of ransomware, arguing that the solution to the current crisis lies in proactive prevention of cybercrime industrialisation, international cooperation, and targeted enforcement against the ecosystem that fuels ransomware proliferation (in particular, Ransomware-as-a-Service providers like LockBit 3.0) rather than in discouraging payments.
Conclusion
The ransomware payment debate is a complex and controversial one, with valid arguments and serious risks on both sides. Most agree that reducing the profitability of ransomware is essential, but the path forward is fraught with tensions and trade-offs between public safety, business continuity, deterrence, and enforcement. As legislation evolves, organisations would be well advised to stay informed, invest in resilience, and prepare for a future where paying may no longer be an option.
Find out more:
- Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting (UK public consultation)
- What the UK’s Ransomware Payment Ban Means For Organisations
- 6 Reasons Not to Pay the Ransom in a Ransomware Attack (Plus Negotiation Tips)
- Should ransomware payments be illegal? – Considerations for (re)insurers
- 10 of the biggest ransomware attacks in 2024
- Should there be a total ban on ransomware payments? (IBM)
Interested in what a ransomware payment ban would mean for your company?
Joshua Bucheli (cyberunity AG) and John Corona (Osmond GmbH) look forward to hearing from you!
stay tuned for more – keep an eye out for our next cyberbyte issue!