UK to ban public sector from making ransomware payments
The UK is advancing a ban that would prohibit all public sector bodies and operators of critical national infrastructure from paying ransomware demands, extending an existing ban on government departments. The proposal also includes a prevention regime that requires victims not covered by the ban to report any intention to pay a ransom. A threshold-based reporting system is proposed, asking victims to submit a report with key attack details within 72 hours and a detailed analysis within 28 days. A consultation showed that nearly three-quarters of respondents support the ban. However, opinions on penalties for non-compliance are mixed, with concerns about criminalizing victims. The urgency of this move is underscored by a report indicating that ransomware attacks are a significant and immediate threat to the UK. Recent attacks have disrupted services, such as a ransomware incident that delayed procedures in the National Health Service. By comparison, the U.S. is cutting funding for cyberattack disclosure rules, while Australia has enforced mandatory reporting for significant businesses affected by ransomware demands.