- The UK government has banned all public sector organisations from paying ransomware demands.
- Private companies must now notify the government before making any ransom payment.
- The rule, which was earlier applicable only to the central government, will extend to schools, councils, the NHS, and utilities.
The UK government has unveiled a new policy designed to deter cybercriminals by preventing the payment of ransoms. The ban will apply to public‑sector organisations and critical infrastructure, including NHS trusts, schools, local councils, utilities, and transport systems. The move, announced on 22 July 2025 by the UK’s National Cyber Security Centre (NCSC), builds on existing regulations that already restrict central government bodies from paying ransoms.
By outlawing ransom payments, the government aims to cut off the financial bloodstream of ransomware gangs and make UK public services less attractive targets. In a press release, Security Minister Dan Jarvis stated that ransomware is “a predatory crime that puts the public at risk” and pledged to “smash the cyber‑criminal business model” while reinforcing national security and public safety.
Mandatory reporting & cyber resilience push
For private businesses not covered by the ban, the policy introduces a new “payment prevention regime.” Companies must notify the government before paying any ransom demands. Authorities will then provide expert guidance and assess whether a proposed payment could breach laws, especially as those funds could benefit sanctioned groups.
Additionally, the government plans to equip law enforcement and the National Cyber Security Centre with vital data to track and disrupt criminal networks. The NCSC also emphasised the importance of strengthened defences, such as keeping offline backups, maintaining tested continuity plans, and adopting frameworks like Cyber Essentials, so organisations can respond swiftly to attacks.
This comprehensive package is part of the government’s broader “Plan for Change,” aimed at bolstering resilience and safeguarding services that depend on digital infrastructure. It aims to send a unified message that the UK will no longer fund cyber‑extortion and is gearing up to tackle ransomware head‑on.