Former NCSC chief calls for ransomware payments ban, but cyber security experts aren't keen
Ciaran Martin, former chief executive at the NCSC, said efforts to introduce a ransomware payments ban could help tackle the $20 billion industry
The former chief executive of the UK's National Cyber Security Centre (NCSC) has called for the government to ban organizations from making ransomware payments.
Writing in The Times, Ciaran Martin, who served as the NCSC’s inaugural chief executive, suggested a ban could help put a stop to the ever-increasing proliferation of ransomware, referring to the 'apparently sanguine attitude' of British policymakers towards cyber criminal groups.
"Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payments ban work," he wrote.
Martin suggested that any ban would need a better support network for affected companies. However, the lack of such a policy is in part down to the US' reluctance to introduce a ban amid concerns that it would unreasonably constrain businesses.
Similar concerns have been raised that this could be a particular problem for the country's hospitals, many of which are in the private sector.
Currently, many governments, including the UK, have a policy that they won't pay ransoms themselves. In October 2023, 40 countries pledged their support for the International Counter Ransomware Initiative (CRI) as part of an effort to create a more aligned global approach to cyber crime.
Participating nations agreed not to make payments and pledged to share information and create a blacklist of digital wallets being used to deposit and move ransomware payments.
The official advice for UK-based companies is that they should not pay ransoms under any circumstances. The NCSC suggests that even when companies do so, there's no guarantee that they will get access to their data or systems back, that computers will still be infected, and that those who pay are more likely to be targeted in the future.
Across the cyber security community, there are mixed feelings about whether or not a ban should be introduced.
Oliver Norman, vice president for UK and Ireland at data management firm Veritas, said that regardless of a ban, the outcome of incidents will remain the same, with organizations more likely to be targeted in future and given no guarantees of having data safely returned.
"Whether banned or not, paying not only puts a target on the organization’s back for future attacks," he said. "There’s also no guarantee all of the data will be returned even if a payment is made – we estimate that 32% of businesses that paid ransoms still lost over half their data."
Others, though, believe that a ban is impractical.
"Banning ransomware payments can often have further implications – and this is not the first time this idea has cropped up. Although prevention is better than cure, there are still multiple cases where the only option has been to pay," said Jake Moore, global cyber security advisor at security firm ESET.
"Being stuck between a rock and a hard place is no position any company wants to be in, but if the law is directed only one way, then companies can easily fold and the potential of livelihoods lost can make this a damning and forced decision."
Moore warned there is also a danger that driving ransom payments underground could lead to further demands, as well as criminalizing victims.
"Although the long term effects of banning ransom payments may sound idyllic, the path needed to navigate all companies to this ideal is going to be challenging, if not impossible," he said.
Moore's comments follow hefty criticism for cyber security firm Emsisoft in January after it called for an outright ban on ransomware payments.
Emsisoft urged lawmakers to introduce legislation aimed at preventing firms from engaging with cyber criminals, but critics argued it would “shift the focus of criminality” from perpetrators to victims.
Currently, according to a recent report from data security and management firm Cohesity, more than nine-in-ten UK businesses have a no-pay policy - but virtually all of those that have fallen victim to a ransomware attack have in fact paid out.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.