75% of UK business leaders are willing to risk criminal penalties to pay ransoms
A ransom payment ban is a great idea - until you're the one being targeted...
UK business leaders are overwhelmingly in favor of a ban on ransomware payments in the private sector - but would break such a ban themselves if they thought it was necessary.
The government is proposing a ban on the payment of ransoms by public sector bodies and operators of critical national infrastructure, including the NHS, local councils, and schools.
For the time being, the ban doesn’t extend to private firms. However, analysis from Commvault found that 96% of UK business leaders believe payments should be banned across both the public and private sectors.
In the event of a ban being imposed on private sector firms, three-quarters (75%) admitted they would still pay a ransom themselves if it were the only way to save their organization, regardless of whether civil or criminal penalties applied.
“Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again,” said Darren Thomson, field CTO EMEAI at Commvault.
“A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing. Without that, more organizations could find themselves exposed at the worst possible moment, with no viable path to recovery.”
The survey found that 94% of business leaders support limiting ransom payments for public bodies, and 99% for private organizations.
However, in real-world situations within the private sector, only 10% said they would actually comply with any ban if they were attacked. A further 15% said they'd be neither likely nor unlikely to comply.
Of those who supported a proposed payment ban, 34% reckoned it would lead to increased government support and intervention to help build up cyber resilience.
Another third thought it would bring down the number of attacks by reducing the incentive for attackers.
Ransom payment bans are a tightrope for private firms
While the government's proposals so far only ban the payment of ransoms by public sector bodies and operators of critical national infrastructure, they do place certain constraints on private firms.
Businesses would be required to notify the government of any intent to pay a ransom - which would then tell them whether or not they'd be breaking the law by sending money to sanctioned cyber criminal groups, many of which are based in Russia.
“Ransomware and cyber attacks will be a concern for a long time, as international cyber gangs make huge profits from them and use these resources to continually develop their attack tools," says Jane Frankland, CEO of security training firm Knewstart.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- The ransomware groups worrying security researchers in 2025
- Nearly half of MSPs admit to having a ransomware kitty
- Ransomware victims are getting better at haggling with hackers
-
Google is scrapping its dark web report featureNews Google said while the dark web report feature offered “general information”, the tool didn’t provide “helpful next steps” for users potentially impacted by a breach.
-
AI means you're probably going to need bigger developer teamsAnalysis Software developers may be forgiven for worrying about their jobs in 2025, but the end result of AI adoption will probably be larger teams, not an onslaught of job cuts.
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
