What's happened? Recorded Future reports that the British Government is proposing sweeping changes in its approach to ransomware attacks.
The key proposed changes are:
- Mandatory reporting. All organisations and individuals hit by ransomware would be required to report the attack to the government.
- Licensing for extortion payments. All organisations hit by ransomware would need to obtain a license before paying any ransom to their extortionists.
- Ban on ransom payments for critical infrastructure. Organisations that manage critical national infrastructure would be completely banned from making ransom payments.
That sounds like some significant changes... What's the thinking behind them?
Last year, the National Cyber Security Centre (NCSC) said that it was increasingly concerned that many victims kept their ransomware attack secret. Mandatory reporting would give more visibility about the scale of the ransomware problem, potentially help law enforcement agencies gather more intelligence on attackers and help co-ordinate recovery efforts.
I imagine it will also be good for customers of affected companies...
Yes, both customers and business partners would certainly appreciate knowing that a particular company has been hit by ransomware, rather than an attack being swept under the carpet.
So, what about the changes regarding ransom payments? Licenses and a ban for critical infrastructure?
The last thing a government wants is for a cyberattack to disrupt parts of critical national infrastructure. Although it won't necessarily be much of a deterrent for an enemy state, the hope will be that critical infrastructure is less likely to be targeted by ransomware if the attackers know that the organisation has its hands tied by legislation and will not pay a ransom under any circumstances.
And the licenses for those organisations that do want to pay the ransom? How will they work?
Details are still being worked on apparently, but the end goal would be to encourage ransomware victims not to opt for the "quick fix" of paying a ransom, but instead investigate other solutions.
The UK Government has already made clear that it does not condone making ransomware payments – but these steps go beyond this.
But couldn't delays in ransom payment actually end up costing companies more?
Yes, there is definitely the danger that the licensing process for extortion payments will cause delays in the recovery, and potentially exacerbate the impact of an attack. For companies in particular, downtime and disruption are likely to be costly.
So, when is all this likely to roll out?
That's the six-million-dollar question (or whatever the Bitcoin equivalent is)...
The proposals will be subject to a public consultation, providing opportunities for feedback from industry, legislators and other interested parties. New laws will need to be passed before any proposals can be implemented.
And there's another major development which may hold things up...
What's that?
UK Prime Minister Rishi Sunak has announced there will be a General Election on July 4th, 2024. Politicians aren't going to be thinking about ransomware for the next six weeks – they're focused instead on their re-election prospects and winning their seats.
If a new political party takes power in July, it may have different opinions on how best to tackle ransomware through legislation.
Although the election adds some uncertainty to the timeline for implementing any changes in how the UK tackles ransomware, it is clear that the authorities have recognised it is a serious threat to individuals, businesses, and critical infrastructure alike.
I don't think I should wait. What should my company do right now?
Knowing how to respond, particularly in the first 48 hours after a cyberattack, is critical.
The best approach is to take proactive measures and have emergency plans in place, because it's not a matter of if, but when, your business will suffer a ransomware attack.
Make sure to read Exponential-e's step-by-step guide on ransomware remediation.
About the author
Graham Cluley is an award-winning cybersecurity public speaker, podcaster, blogger, and analyst. He has been a well-known figure in the cybersecurity industry since the early 1990s when he worked as a programmer, writing the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows.
Since then he has been employed in senior roles by computer security companies such as Sophos and McAfee.
Graham Cluley has given talks about cybersecurity for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.
Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.