The British government has announced plans to move forward with a law that would bar public organizations from paying off ransomware attackers. The proposed legislation would add schools, town councils, National Health Service (NHS) hospitals and critical infrastructure managers to a ban which already applies to the national government.
The logic behind banning payments is simple. If cybercriminals know a ransomware attack against a UK school or hospital won't get them paid, they'll look somewhere else for a more lucrative target. Security Minister Dan Jarvis said that the government is "determined to smash the cyber criminal business model," and added that laws in the proposed package will require even private businesses to seek guidance from the government before paying a ransom.
Since the WannaCry attack on the NHS in 2017 launched the modern era of ransomware attacks, the UK has suffered a number of serious incidents. In the last two years alone, attacks have hit the British Library, the BBC and the Ministry of Defence. This may explain why, according to the government's announcement, "nearly three quarters" of public comments on the ban legislation were supportive.
Although bans on ransom payments are a popular solution to the ever-increasing scourge of ransomware, there's currently not much data on whether they work. Two US states, North Carolina and Florida, have enacted similar bans, but it's hard to say what impact they've had. Critics argue that some organizations, especially hospitals, can't afford the long-term disruption of leaving the ransom unpaid, and may choose to pay in unaccountable ways. Furthermore, some hacking groups have aims other than money, and may continue ransomware attacks to sow political chaos.
The UK is moving into uncharted territory as the first nation to pass a ransomware payment ban. We'll be interested to see whether it helps get attacks under control. Either way, the outcome is likely to inform how other countries respond to the continuing threat of cybercrime.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/new-uk-law-would-ban-ransomware-payments-by-publicly-funded-orgs-210851334.html?src=rss
