Ransomware: The Final Frontier
The UK government is proposing first of its kind legislation on ransomware, but this could cause more harm than good to UK national security.
Ransomware has become an insufficiently checked arena of exploitation, where criminals thrive unencumbered by significant consequential risks. Over the past decade, these cyber extortionists have honed their craft into a sophisticated and relentless threat. Their ability to disrupt lives, demanding staggering sums to restore order, has left businesses and public institutions scrambling.
We are now approaching a watershed moment. In a bold move, the UK is proposing a sweeping regulatory overhaul aimed at curbing this digital menace through a three-pronged strategy:
- An outright ban on ransom payments by Critical National Infrastructure (CNI) and public bodies.
- A licensing regime for any other organisation seeking to pay a ransom.
- Mandatory reporting of ransomware incidents by all organisations.
The proposals aim to replace lawlessness and fragmented responses with structured processes and coordinated defences. Security Minister Dan Jarvis called them ‘a vital step forward to protect the UK economy and keep businesses and jobs safe . . . hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.’
But in its quest to impose order, the UK might also be painting a target on its own back. It is optimistic to assume these measures will divert criminal attention elsewhere. A more likely outcome is retaliatory escalation, as ransomware gangs seek to protect their lucrative business models – and to deter other countries from following suit. Should that possibility stop the UK’s plans in their tracks? Or is this just a necessary risk on the path to a safer digital future?
The Current Ransomware Landscape
The baseline position today is extremely asymmetric, and as a consequence victims are acutely vulnerable to this unprecedented threat. Every organisation should be prepared and have tools such as incident response plans, playbooks, decision trees and insurance – yet many do not. Even when they exist, they are often outdated, incomplete, or ignored.
Meanwhile, cybercriminals are constantly evolving. The divide between financially and politically motivated attackers is increasingly blurred. With ransomware-as-a-service (RaaS), motivations are fragmented across multiple actors, making attribution harder. Double extortion is now standard. Criminals assess stolen data to pitch ‘reasonable’ ransom demands or target individuals directly to escalate pressure.
According to the National Cyber Security Centre, artificial intelligence will ‘almost certainly increase the volume and heighten the impact of cyber-attacks’. Worse still, AI is now in the hands of state and non-state actors alike, regardless of skill level. Against this backdrop, cybersecurity budgets are tightening, and the workforce gap is growing.
So, while playbooks and policies are essential, they are no silver bullet. Effective incident response requires continual investment, people with experience, and a culture that enables openness rather than blame. For many small-to-mid-sized businesses (‘SMBs’), ransomware preparedness remains an afterthought. But how an organisation is set up to respond – including its relationship with regulators and law enforcement – can be decisive. The trend is toward greater cooperation between these stakeholders, but many victims still fear the consequences of transparency. The result? Silence when openness could have helped others.
Ransomware response is not about systems alone. It is about people – the staff, leaders, customers and users who bear the consequences of every attack. The personal and psychological toll is rarely acknowledged, but it is real. There is no such thing as a textbook ransomware attack, just as there is no textbook victim. Ransomware ruins lives and livelihoods, yet the personal harms it causes are very rarely talked about.
The Necessity for Bold Action
Law enforcement has had some success disrupting major ransomware gangs like LockBit and BlackCat. Yet, ransomware’s global rise shows no sign of slowing. In 2023, reported payments exceeded $1 billion, and the number of threat actors ballooned in 2024.
More enforcement alone will not shift the dial. Despite increased resources and several operational successes, the number of victims posted to leak sites has doubled since 2022. The ransomware threat has become a many-headed Hydra. Direct confrontation alone is not enough.
That is why the UK Government’s proposals matter. They represent an attempt to move beyond incrementalism and take a bolder path. The incident reporting provisions, though indirect, could be significant – improving the quality of threat intelligence and making it harder for attackers to operate unseen.
But the real impact lies in the proposals to ban ransom payments for the public sector and CNI, and the licensing regime to require victims in other sectors to request permission from the government to pay.
Recent incidents underline the urgency. Nearly half of all ransomware headlines in 2023 related to healthcare, government, or education. The Synnovis attack in June 2024 led to over 10,000 appointments postponed and months of disruption across NHS Trusts. Full system recovery took nearly four months. The public sector is clearly a high-value target – and a high-impact one too.
Jurisdictional Dynamics
Security is relative. Think of two hikers fleeing a bear: one ties their shoes and says, ‘I don’t need to outrun the bear – just you.’ No measure can eliminate ransomware risk entirely. But might these UK proposals at least reduce it?
Possibly – but only for some attackers. For those operating with financial logic, the UK may become less attractive. If attackers think a victim cannot or will not pay, they might look elsewhere. But not all attackers are economically motivated. Some aim to cause reputational damage or advance political agendas. Others are opportunists who exploit weak configurations or common vulnerabilities, regardless of geography.
The larger danger comes from the top-tier threat actors – those running ransomware-as-a-service (RaaS). These are not the ones doing the attacks; they are enabling others to. And they have the most to lose from successful regulatory crackdowns.
For the mid- or low-level affiliates, UK restrictions may simply push them toward easier targets elsewhere. But for the RaaS operators, the UK becomes a high-value proving ground. If they can disrupt or discredit the UK’s lone effort, they could discourage global adoption. That is a threat worth taking seriously.
If the UK becomes a test case, it must be prepared. The Government must back its proposals with funding, support, and protection for those on the front line – because the risk profile for British businesses may rise before it falls.
Execution Risk: The Devil in the Detail
While the UK’s proposals are bold, there is a risk of underestimating the complexity of execution. Licensing sounds neat in principle – but time is everything during a ransomware incident. Who will victims turn to for approval, and how fast can that decision realistically be made? Which department or industry body will manage this licensing regime? If it is a government department, how can victims trust the security of information they’re forced to disclose – especially when leaks and Freedom of Information Act (‘FOIA’) requests risk turning a quiet crisis into a public scandal?
Reputational damage is often as feared as financial loss. Victims may be reluctant to engage unless they trust the process absolutely – including the people running it. That raises serious questions: How will this function be resourced? Who will staff it? How will they be trained, vetted, and kept in step with evolving threat landscapes?
There are also serious questions about scope. With modern supply chains as complex as they are, the lines between CNI, public sector, and private enterprise are anything but clear. How can such a regime be effectively policed when critical services are delivered through outsourced arrangements, cross-border dependencies, and layered vendors? What recourse exists for a business on the brink – one that is prohibited from paying but has no viable alternative to rescue its operations or protect its people?
For those facing an existential threat, being denied a licence might not just mean business failure – it could mean job losses, legal exposure, or life-critical services grinding to a halt. The proposals are superficially attractive. But the detail still feels thin. The UK Government has one chance to get this right. The stakes are enormous – not just in terms of national resilience, but politically too. A botched implementation could spark a calamity of epic proportions. And the electorate may not forgive that. A misstep here risks not only public trust, but years in the political wilderness.
Any regime introduced must be robust, carefully calibrated and – above all – resilient under pressure. Anything less could do more harm than good.
Charting a Different Path: Alternative Approaches
A ban and licensing regime may be bold – but they are not the only tools available. Other approaches, either as complements or alternatives, could help strike a better balance between deterrence and resilience.
1. Centralised incident support hubs
Rather than focusing only on payment restrictions, the government could create funded regional cyber response units for SMEs. These hubs could offer technical help during incidents, advice on reporting, and act as a single point of contact for law enforcement and regulators.
2. Public-private cyber resilience funding
A national cyber resilience fund, co-funded by government and industry, could offer grants or no-interest loans for businesses to strengthen defences or recover after attacks. This would reduce the financial desperation that drives many to pay ransoms.
3. Escalation protocols instead of outright bans
A sliding scale of requirements could apply depending on sector and impact. For example, a small business suffering a low-impact attack might only be required to report. A hospital hit by a major disruption would trigger mandatory coordination with regulators and enforcement bodies. This tiered model avoids blanket prohibitions and allows proportional response.
4. International alignment before enforcement
Rather than acting unilaterally, the UK could push harder for G7 or OECD consensus, aligning standards before imposing national bans. While slower, a coordinated approach would offer more meaningful deterrence and reduce the risk of retaliation.
Conclusion
Bold, decisive action is clearly needed – and the UK deserves credit for moving first. But being first brings risk. If the UK becomes a proving ground for RaaS retaliation, it must be ready for the consequences.
There is no one-size-fits-all fix for ransomware. But by combining ambition with nuance, and enforcement with support, the UK can set a powerful global example. The key is to move fast – but not alone, and not without a safety net for those left more exposed.
© Thomas Barrett, Jack Horlock, Edward Lewis and Anthony Rance, 2025, published by RUSI with permission of the authors.
The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.