Wednesday, July 23, 2025

UK government wants ransomware victims to report cyberattacks so it can disrupt the hackers

The U.K. government wants to require victims of ransomware to report if they were breached with the goal of providing law enforcement with information that could help target the cybercriminals responsible. 

On Tuesday, the U.K.’s interior ministry, the Home Office, published a proposal with the aim of changing the British government’s strategy to counter ransomware. Among the three key proposals is a reporting requirement, which would aid authorities in identifying and disrupting hacking operations.

“Mandatory reporting is also being developed, which would equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities, allowing for better support for victims,” read the proposal. 

In its proposal, the U.K. government said the mandatory reporting requirement would allow the government to “engage in targeted disruptions in an evolving threat landscape.”

The other two key proposals include a ban on ransom payments by public sector and critical infrastructure organizations, and a mandate to notify the government if other types of victim organizations intend to pay a hacker’s ransom.

Ransomware investigators applauded the proposals, in particular the efforts focusing on helping law enforcement.

“I think it is a tacit acknowledgment of what we’ve known for a while: Ransomware operators and their enablers are not confined to Russia and many of those involved are very catchable and, more importantly, prosecutable,” said Allan Liska, a threat intelligence analyst and ransomware expert at cybersecurity firm Recorded Future. “I think it’s super important.”


Arda Büyükkaya, a senior cyber threat intelligence analyst at EclecticIQ, applauded the proposals for making “things official.”

“While it’s unclear whether everything will unfold exactly as written, we’ll see through future developments,” Büyükkaya told TechCrunch. “Overall, banning ransom payments and actively pursuing perpetrators is a strong deterrent and helps impose real costs on threat actors.”

Tuesday’s announcement is the latest in a policy consultation process that began in January, in which the Home Office initially introduced the three key policy changes. The U.K. government’s formal response to the consultation is another step toward amending the law, but it remains to be seen if the proposals will end up being enshrined in legislation.

Banning ransomware payments is a controversial idea. For some, banning payments to hackers is an obvious way to stop criminal gangs profiting from cyberattacks and extorting victims. But some argue that, occasionally, paying a ransom may be the only viable option to recover critical systems and get back online, especially for certain critical industries, such as hospitals, which cannot afford the downtime and the very real risks to patients’ health. 

Earlier this year, Australia enacted a law requiring ransomware victims to disclose if they paid the hackers, stopping short of banning payments.
