Government has never paid a ransomware demand, minister says

Security minister Tom Tugendhat says UK is "demonstrating leadership on cybersecurity" with pledge never to pay up
Image: Adobe Stock

By Sam Trendall

07 Nov 2023

The government has announced that it has never paid a ransom demanded by cybercriminals – and pledged that it never will.

The announcement – made to tie in with last week’s meeting of members of the international Counter Ransomware Initiative – rubber-stamps what the government said “has been a long-standing policy but … [for] the first time [is now] publicly confirmed”.

Beyond the boundaries of its own departments, the UK was one of 46 CRI member states that issued a joint policy statement urging all organisations across public and private sectors to adopt a similarly staunch stance.

“We will not tolerate the extortive actions of these cyber criminals who too often act with seeming impunity,” said the joint statement, which was also undersigned by international law-enforcement agency Interpol. “Therefore, we strongly discourage anyone from paying a ransomware demand. Each of us intends to lead by example. We have reached consensus that relevant institutions under the authority of our national government should not pay ransomware extortion demands.”

The government claimed that the UK and Singapore jointly led the process of crafting the statement, which was endorsed by other nations as part of a CRI meeting this week in Washington DC.

Security minister Tom Tugendhat said “Crime should not pay. That’s why the UK and her allies are demonstrating leadership on cybersecurity by pledging not to pay off criminals when they try and extort the taxpayer using ransomware. This pledge is an important step forward in our efforts to disrupt highly organised and sophisticated cyber criminals, and sets a new global norm that will help disrupt their business models and deter them from targeting our country.”

The government claimed that, alongside US partners, UK authorities have previously issued a swathe of sanctions against 18 cybercriminals – largely based in Russia or its neigbours – who have collectively extorted £27m from 149 UK organisations that suffered ransomware attacks.

The CRI statement says that meeting a demand issued following a ransomware breach may well do nothing to stop the attack, nor ensure the restoration of data and services. Paying up also “provides incentives for criminals to continue and expand their activities [and] provides funds that criminal actors can use for illicit activity”, the policy added.

Felicity Oswald, chief operating officer of the National Cyber Security Centre, said: “Ransomware poses a significant threat to organisations in the UK and around the world and so international collaboration is essential for bearing down on cybercriminal operations. The joint statement today demonstrates that the UK and a likeminded community of countries do not support payment of online criminals as we know this only makes the threat landscape worse for everyone.Many ransomware incidents can be prevented by ensuring that appropriate security measures are in place. We strongly encourage organisations to follow NCSC advice to effectively mitigate the risks and help protect themselves online.”

The CRI was established by the US government in 2021. Alongside the US and the UK, member nations of the initiative who met in Washington DC this week included Albania, Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Colombia, Costa Rica, Croatia, Czech Republic, Dominican Republic, Egypt, Estonia, France, Germany, Greece, India, Ireland, Israel, Italy, Japan, Jordan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, Portugal, the Republic of Korea, Romania, Rwanda, Sierra Leone, Singapore, Slovakia, South Africa, Spain, Sweden, Switzerland, Ukraine, and the United Arab Emirates.

Sam Trendall is editor of PublicTechnology, where this story first appeared

Read the most recent articles written by Sam Trendall - ICO to continue 'minimal-fine regime' for public-sector bodies

Share this page