Home Office launch a consultation into ransomware.

The Home Office recently opened a consultation, in which it is seeking input on a proposal to introduce legislation to counter the increasing threat of ransomware.  The proposed legislation would have three main objectives: 

1. To reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations.
2. To increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing the UK’s intelligence on the ransomware payment landscape. 
3. To enhance the UK Government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level.

The Home Office defines ransomware as:

"A type of malicious software (“malware”) that infects a victim’s computer system(s).  It can prevent the victim from accessing system(s) or data, impair the use of system(s) or data and/or facilitate theft of data held on the victim’s networked systems or devices.  A ransom is demanded (normally payment of cryptocurrency) from the victim to regain access to the system(s); for data to be restored; or for data not to be published on criminal-operated data leak websites.  This includes but is not limited to encryption."

According to the Home Office, ransomware is considered the greatest ‘serious and organised cyber-crime threat’ and has been labeled as the biggest cyber security threat in the UK.  The cyber security industry has estimated that ransomware gangs have surpassed $1 billion in extorted cryptocurrency payments from victims in 2023, with incidents reaching their highest level since 2019.  With ransomware being a financially motivated crime, the fact that victims are paying the ransoms to restore access or functionality has led to attacks becoming increasingly sophisticated, allowing criminals to refine their techniques and learn better strategies on how to maximise profits.

In light of the nature and scale of ransomware attacks, the UK Government is looking to introduce ransomware-specific legislation to disrupt the criminal business model that ransomware actors benefit from.  It is thought that changes to laws and regulations on reporting and payments to ransomware demand may make ransomware attacks unattractive to criminals.  The Home Office is therefore seeking consultation feedback on the following proposals to target the rise in ransomware attacks and payments: 

1. Option 0: Do Nothing. 
   • Under this option, UK businesses will continue to lose money to ransomware criminals and nothing will improve in terms of the visibility and understanding of the ransomware payment and threat landscape.
2. Option 1: A complete ban on ransomware payments.
   • This option will lead to a complete ban on payments from all UK-based individuals, businesses or businesses operating in the UK to any form of ransomware.
3. Option 2: A targeted ban on ransomware payments for regulated Critical National Infrastructure (CNI) and the public sector.
   • This proposal by the Home Office will mean that public sectors including all local authorities, schools and the wider public sector as well as CNI sectors, which are defined by the National Security Authority, will be banned from making ransomware payments.
4. Option 3: A ransomware payments prevention regime for all ransomware payments.
   • Under this proposal, while ransomware payments, would remain illegal, the government can criminalise any payments which are not reported to and reviewed by the government ahead of time.
5. Option 4: Mandatory reporting of a payment prior to the transaction (sector specific or economy wide).
   • This measure would function as an informing mechanising rather than a review mechanism.  For victims that intend to make ransomware payments, they would be required to report their intent to make such a payment into government.
6. Option 5: A mandatory ransomware incident reporting regime for all sectors.
   • Under this proposal, victims of ransomware attacks would be required to report the incident to an appropriate reporting mechanism within a specified timeframe.
7. Option 6: Mandatory reporting of ransomware incidents for specific sectors.
   • Option 6 is a less stringent version of Option 5, targeting specific sectors.  Alternatively coverage could be limited through a threshold-based approach, considering factors such as an organisation’s size or turnover. 

The evidence from this consultation will also support future advice and guidance that the Home Office intends to produce for the victims of ransomware.

Why is the issue under consideration?

Ransomware remains the most harmful serious and organised cybercrime threat, the largest cybersecurity threat, and a national security threat to the UK and in other countries as well as posing an operational and reputational risk to organisations and individuals in the public and private sectors.  In 2023, there were an increasing number of new players in the world of ransomware, from large syndicates to lone individuals, likely attracted by the potential for high profits and lower barriers to entry.  Members of the Counter Ransomware Initiative which include Australia, the Netherlands, Nigeria, United Kingdom and United States publicly denounced ransomware and discouraged anyone from paying demands from cyber criminals.  They noted that paying ransoms provides incentives for criminals to continue and expand their activities and does not guarantee the data will be returned.

With the increasing threats of ransomware, the UK Government believes that legislation is the next and necessary step to tackle the increasingly sophisticated and aggressive criminal activity. Currently in the UK, the main legislation designed to tackle cyber-crime is the Computer Misuse Act 1990.  However, it is clear from the rise in ransomware payments that this Act is not doing enough and is currently under review.  The UK Government’s objective is now to find ways to disrupt from the ransomware threat.  Its view being that if ransomware payments are banned/curtailed and legislation forces a change in victim’s behaviour, there will be a fall in ransomware attacks due to the lack of financial incentive.  There are four different outcomes presented in the UK Government’s proposal which it anticipates the proposed legislative options to achieve:

1. Outcome 1: Reduce criminal intent, through undermining the ransomware business model.
2. Outcome 2: Reduce criminal capability, through bolstering UK law enforcement ability to disrupt and investigate ransomware criminals.  The government will be able to increase operational partners ability to disrupt and investigate ransomware actors by increasing the government’s visibility and knowledge of the ransomware payment landscape.
3. Outcome 3: Reduce vulnerability, through improving resilience.  The government will use improved reporting to identify, track and mitigate vulnerabilities, through increased understanding of the threat landscape. 
4. Outcome 4: Reduce impact, through expanding preparedness.  The government will use improved reporting to increase understanding of the threat landscape to inform future interventions. 

Conclusions

The UK Government’s consultation will undoubtedly reveal difficult themes around how victims behave during ransomware attacks, how much information should be shared with the authorities and the circumstances in which ransoms have been historically paid.  However, what is currently clear is that the issue of ransomware is being taken seriously by UK Government and there is hope that better measures can be introduced to stop future ransomware attacks.

Written by Mopé Akinyemi (Trainee Solicitor).