Ransomware payment ban proposals spark concern from law firms
Ransom payments viewed as negotiating tool
Proposals to bar public bodies and critical national infrastructure operators from paying ransoms have drawn criticism from lawyers who warn the move could strip organisations of vital options during cyberattacks.
One of the principles underlying the newly introduced Cyber Security and Resilience Bill is that paying ransoms to criminal gangs incentivises further cybercrime. The logic is difficult to fault, but that hasn’t stopped critics popping up to criticise government proposals to ban ransomware payments for public sector bodies and critical national infrastructure (CNI) operators.
Some law firms expressed concern about the plans to The Financial Times, arguing that a ban risks removing a valuable negotiating tool.
Greg Palmer, a partner at law firm Linklaters, said:
“When critical infrastructure is hit and all backup systems fail, businesses could face an impossible choice: break the law or watch essential service collapse.”
Another Linklaters partner, Georgina Kon, said that there have been discussions about moving critical infrastructure outside of the UK or taking other avoidance measures if the proposals become law.
Ross McKean, chair of cyber practice at DLA Piper, cast doubt on the idea that criminal groups would be deterred by a payment ban. “If hackers cannot get a ransom, it could lead to stronger attacks and a plan to try and monetise data,” he said.
It’s a far cry from the days when we didn’t negotiate with criminals.
According to Sophos’ most recent “State of Ransomware 2025” report, about 50% of companies that were extorted in 2024 paid up.
However, cybercrime and ransomware experts at defence and security think tank the Royal United Services Institute (RUSI) indicated during a recent briefing that the proportion of those paying up is likely to be much higher.
Nobody wants to see ransomware victims become inadvertently criminalised, and bans should be implemented alongside measures to improve practical resiliency, but the cyber resiliency of UK CNI and industry more broadly is not going to be improved by continuing to pay ransoms to criminal gangs. At the very least, greater transparency is needed. The Bill proposes mandatory reporting of all cyber security incidents (not breaches, incidents) affecting regulated entities.
It’s interesting to note the lack of enthusiasm for these proposals from the law firms quoted by The Financial Times. Ransoms often fund not just unfriendly foreign regimes, but also drug and human trafficking activity. Viewing these payments as nothing more than a negotiating tool is, at best, morally murky.
There’s also no guarantee that paying a ransom gets a victim out of trouble. Whether M&S paid a ransom to hackers earlier this year remains unconfirmed, but when giving evidence to a Parliamentary committee about the attack, M&S Chairman Archie Norman declined the opportunity to say that the company did not pay.
Reputational damage following an attack can also be averted with transparency. Checkout.com CTO Mariano Albera confirmed last week that the company refused to pay a ransom when extorted by the Shiny Hunters crime group. The company went public with a fulsome apology to customers and a donation to the Carnegie Mellon University and the University of Oxford Cyber Security Centre “to support their research in the fight against cybercrime.”