
A remarkable plan is on the table in the United Kingdom: public institutions and infrastructures will no longer be allowed to pay when they are victims of ransomware.
The rule applies to hospitals, critical national infrastructure such as the NHS, municipalities, and schools. A public consultation will follow before the plan takes effect; according to the British government, however, there is already broad support for the initiative.
Companies not subject to the payment ban are required to notify the government of any intention to pay ransoms. This enables the government to offer guidance and support, as well as warn of potential sanctions violations, given that many criminal groups operate from Russia.
In a ransomware attack, hackers spread malware that encrypts an organisation’s data. Only after payment, usually in cryptocurrency, does the organisation get its data back. This often leaves organisations largely paralysed during an attack. In recent years, criminals have also threatened to release the encrypted data publicly.
Previously, the British Library and the NHS in the UK were among the organisations targeted by ransomware. “Ransomware is a predatory crime that endangers the public and threatens the services we depend on,” said Security Minister Dan Jarvis.
Deterrence
Such measures can also have a deterrent effect. In recent years, various ransomware insurance policies have emerged, making some people more likely to pay or at least negotiate a settlement.
Organisations that prefer to keep a hack discreet, or that want to be operational again quickly, also pay. But that motivates criminals to remain active. A formal ban, under which organisations risk more than the amount paid, may also make hackers reconsider which organisations are the most suitable targets for demanding money.