
So...
Allow ransom payments, but require that they be paid personally by the CEO? (and no naughty sudden bonuses to cover it!)
A total ban on ransomware payments across the public sector might actually happen after the UK government opened a consultation on how to combat the trend of criminals locking up whole systems and taxpayers footing the bill. The consultation will consider views on extending the ransom payment ban from central government …
That ransomware finds it easy to propagate across networks is the first problem. Personally I have always had all information duplicated on machines that are protected, so even if a machine is compromised by any problem it can be rebuilt at any time and the material, such as 20+ years of emails, is still stored safely away.
I've been running Linux for many years now and that helps keep content isolated from software and my websites use Firebird as the underlying database which backs up all the content on those sites to a safe area on the directory tree and not in a messy area that other databases use.
OK, if someone downloads ransomware then it's time to rebuild that machine, but the Windows box here refuses to upgrade to Windows 11 and will have to be replaced ... isn't that just another form of ransomware?
Microsoft and Google are only going to be able to do that if you (pay to) use them as your store. They'll love that, they will be able to rake in money and still change T&Cs, change charging tiers and discontinue services at whim.
You did not mention this in your post, but I hope your devices do not have write access to where the backups are stored...
Personally, I consider backups to be "protection from data loss", which includes being able to recover files that get deleted or overwritten. Many people do not understand this, and instead think backups are "protection from a drive failing".
A typical "backup strategy" would be to duplicate your data to a server in another location. Simplest option is some automated process that just copies your data to a writeable location on the remote server. Which the ransomware will specifically search for and overwrite...
Having your backup target do INDEPENDENT versioning (i.e. client devices have no direct write access to previous versions) is an additional complication that many people don't understand the importance of.
(Anyone wondering, the easy way to "bolt this on" to a Linux server is to convert your ext4 FS to btrfs which can be done safely and non-destructively, then Google for a script you can stick in the crontab to take snapshots and clean up old ones... And don't mount the snapshots directory somewhere clients can access!)
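The snapshot-and-prune cron job the comment above describes, written out as an added example (it is not the commenter's script and not from the article). It assumes hypothetical paths: clients write to a btrfs subvolume at /srv/backup/live, and read-only snapshots are kept under /srv/backup/.snapshots, which is never exported or mounted anywhere clients can reach. Taking and deleting snapshots needs btrfs-progs and root; the retention selection itself is plain POSIX shell and runs anywhere.

```shell
#!/bin/sh
# Added example: independent versioning on a btrfs backup target.
# Clients only ever write to $LIVE; snapshots under $SNAP_ROOT are read-only
# and owned by root, so ransomware on a client cannot overwrite old versions.
# Paths and retention count are hypothetical defaults, override via environment.

SNAP_ROOT="${SNAP_ROOT:-/srv/backup/.snapshots}"
LIVE="${LIVE:-/srv/backup/live}"
KEEP="${KEEP:-24}"   # number of newest snapshots to retain

# take_snapshot: create a read-only snapshot named by UTC timestamp.
# Timestamps in this format sort correctly as plain strings.
take_snapshot() {
    name="$(date -u +%Y%m%dT%H%M%SZ)"
    btrfs subvolume snapshot -r "$LIVE" "$SNAP_ROOT/$name"
}

# prune_list: read newline-separated directory names on stdin and print the
# snapshot names that fall outside the newest $1. Anything that does not look
# like a snapshot name (stray files, lost+found) is ignored so it is never
# passed to 'btrfs subvolume delete'.
prune_list() {
    keep="$1"
    grep -E '^[0-9]{8}T[0-9]{6}Z$' | sort -r | tail -n +"$((keep + 1))"
}

# prune_snapshots: delete every snapshot that prune_list selects.
prune_snapshots() {
    ls -1 "$SNAP_ROOT" | prune_list "$KEEP" | while read -r name; do
        btrfs subvolume delete "$SNAP_ROOT/$name"
    done
}

# Only act when explicitly invoked with "run" (e.g. from cron):
#   0 * * * * /usr/local/sbin/snaprotate.sh run
# Sourcing the file without that argument just defines the functions.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$SNAP_ROOT"
    chmod 700 "$SNAP_ROOT"   # no group/other access to the snapshot tree
    take_snapshot
    prune_snapshots
fi
```

The important property is that nothing on the client side can reach the snapshots: the client's credentials give it write access to the live subvolume only, and the snapshot tree is root-owned, mode 700, and absent from every export or share.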
Be resilient already.
It's the entities that haven't got the horsepower or expertise in their core business to have all the security and IT knobs, bells and whistles deployed to provide resilience.
If it's Defence or Finance, they're generally all over it, with some outlaying other industries as they are well financed, or sufficiently profitable to invest in good cyber practices, technologies and controls.
Much like electricity and water, the Cyber Crims will find the path of least resistance and attack those entities that aren't well protected in the first instance.
It's a well intentioned thought that we can ban extortion payments, but the realities remain to be seen.
"It's a well intentioned thought that we can ban extortion payments, but the realities remain to be seen."
Well we know the realities of the current situation. We're encouraging extortion by allowing it to be paid. We really need to do something different. If there's no financial incentive for them, we've removed a great deal of their motivation.
> It would be something of a ransomware payment "license," which may or may not be issued depending on the nature of the incident.
So instead of paying just the crims one pays the government (to obtain a license) and then pays the crims? Like a tax on a ransomware incident? Brilliant, just brilliant! Almost everybody involved wins!
It's actually a genius idea if implemented correctly because it gives negotiators the best possible 'higher authority' advantage.
"Personally, I'd love to pay you $10 million. This was a very sophisticated hack and I think you really deserve it. Sadly, my meddling nanny-state government will only grant a license for a £5,000 payment. Will that do? I should mention the value of the pound is dropping as we speak..."
Is anyone aware of any public sector body that has paid (or allegedly paid) a ransom?
I know of many attacks but none that have paid.
Unless they know public bodies are paying (and the finances would therefore be in the public domain) this would be a waste of legislative time.
Now, banning all payments to ransomware ne'er-do-wells, that might fly.
How about having the NCSC set standards for IT systems, certify them and then mandate their use in the public sector? Then make the Treasury provide the resources for the public sector to keep its IT estate current.
OTOH if we can't do it for basics like housing (see Grenfell Tower) I guess there's no hope for other public services.
>How about having the NCSC set standards for IT systems, certify them and then mandate their use in the public sector?
Here is a 10,000-page standard, which costs ££££ to buy and can only reasonably be met by Oracle/CapGemini/Crapita.
No using Linux at your school or having your own on-site sysadmin unless you can certify that they meet the 10,000-page standard and have updated training every year.
Realistically that's a pipe dream until the platforms/applications are heterogeneous across functions. The NHS or every council comes to mind. To do that, strong management needs to force contiguous working practices across every function (so every bin lorry/MRI/council tax/etc. is managed the same in every area) and every platform can be the same, then secured more tightly, as a single effort will secure the 382 councils or 9,085 GP surgeries further. Until we get anywhere near that, politicians are just shouting into the wind.
Of course, it's much easier to dick about *recategorising* schools, the NHS elements, councils, police departments, etc than to actually force through the sort of basic alignment that would fix them. The cynic in me assumes it's intended to ensure the statistics and their collection leave enough wiggle room that you can make them say what they want.
I believe the NCSC has it; it's called the Cyber Assessment Framework, now in version 3.2: https://www.ncsc.gov.uk/collection/cyber-assessment-framework
As for providing the money to meet it, there are so many legacy apps designed to work on old systems and protocols that retrofitting security around them is a £££££ effort.
And if UK.GOV goes to their usual suppliers (Crapita, sOpera, Atloss, Dolittle, etc.) it becomes a £££££££££££ effort.
Ransomware people aren't necessarily targeting places specifically, that's only true when they need to use social engineering to get in. If they can hack in, the attacks are automated and they'll take whatever victims they can get.
It needs to become mostly a waste of time as a whole which means even if the UK banned it entirely it wouldn't help. They'd just suffer. It needs to be the US and UK and EU, at minimum, to all do complete bans to change the game for the ransomware scum.
It's not hard to stop the script kiddies, just apply the Cyber Essentials principles:
Secure configuration, deploy UAC, deploy EDR, patch and firewall.
That stops you from being the low-hanging fruit.
After that, it's about your threat level and if people are specifically targeting you, if they are determined enough or resourced enough they will get in.
You need to deploy the advanced controls on top to detect and respond in a timely manner.
That's the art of the Cybers in a nutshell.
Taking into account the abject security failures in both government and private organisations in the UK by ransomware morons, there is no way on Earth that any of them will be able to defend themselves against ransomware, or for that matter any 'smart' zero-day exploits and other malware. I have spent over 40 years in the online security environment and can confidently state that the majority of these organisations lack the skills and expertise to mitigate such attacks. Many CISOs of such organisations are not even aware that they have already been hacked and don't even know it. What's always hilarious are statements from totally ignorant politicians which may sound good, but are totally without value.