UK weighs ransomware payments ban

The British government has proposed a ban on ransomware payments by public sector bodies, a broader payment prevention regime, and a new incident reporting regime.

“Reducing the spread of ransomware attacks, and undermining the criminals’ business model, requires an entirely new approach, and one that will help the UK to lead the world in fighting back against the increasing risks posed by this crime to our society and economy,” the Home Office said.

Consultation on the proposed measures closed in April.

The targeted ban “would go beyond our current principle that central government departments cannot make ransomware payments by prohibiting all organisations in the UK public sector from making a payment to cybercriminals in response to a ransomware incident.

“By restricting ransomware payments, the government is seeking to affirm a non-payment position as a public and binding commitment.”

A proposed payment prevention regime would require any ransomware victim not covered by the ban to engage with authorities and report their intention to make a payment before doing so.

“We are seeking both to improve our understanding of the ransomware payment landscape and to influence victim behaviour and experience by providing victims with advice and guidance before they decide whether to make a ransomware payment,” the Home Office said.

Cyber insurance specialist CFC says that while the proposals aim to disrupt the ransomware economy, they also introduce new risks for victims.

“A ban on ransom payments, even if initially limited to the public sector, could leave victims with no viable recovery option,” it said.

“Few smaller organisations have the resource and expertise to mitigate threats effectively, and the inability to pay could result in permanent data loss or even business failure.”