JP Cavanna at Six Degrees describes building resilience in the age of no-pay policies

Ransomware and cyber-attacks in general have surged in frequency and severity, hitting public and private sector organisations of all sizes. In response, the UK government has proposed a targeted ban on public sector and Critical National Infrastructure (CNI) ransom payments, with private organisations required to report if they intend to pay. In theory, this should weaken the ransomware business model. In practice, however, the picture is more complicated, and the proposals have already raised serious questions among business and IT leaders.
No-pay policies: theory vs reality
Paying a ransom fosters a cycle of learned behaviour. It rewards cybercriminals, encourages further innovation, and promotes repeat attacks. Threat actors begin to believe that if high-profile organisations in a particular sector can be compromised, then it will be easier to exploit smaller, lesser-known ones. This helps explain why the UK’s retail sector has become a hotspot for cyber-criminal activity.
For public sector organisations and CNI, the logic is even clearer. They cannot be seen to treat criminal payment as a legitimate recovery option; doing so invites further attacks and undermines national resilience.
The government believes reducing payments will weaken cyber-criminal business models, but the policy may already be out of step with how ransomware operates today. Many attacks begin as credential theft, supplier compromise, or data exfiltration. Over weeks or months, they evolve into ransomware attacks as different threat actors exploit the same vulnerability.
This means organisations often misinterpret the early stages of an attack, leaving them to face a full-scale incident with far fewer recovery options. It also means that non-payment may not punish the originators, turning the refusal into a symbolic gesture.
Public and private sector readiness
Public sector bodies face some of the biggest challenges when operating under a no-pay regime. Many rely on ageing, highly interdependent IT infrastructures that are difficult to patch, integrate, or modernise without risking disruption.
Critical services also run on infrastructure that cannot be taken offline easily, which means patching cycles are slow and testing windows are narrow. Years of underinvestment have left high levels of technical debt; temporary fixes have become permanent, and legacy systems remain embedded across essential services. Often, those wanting to carry out the updates do not feel empowered to push for these changes - they find it hard to provide the financial, political, or operational justification. Sometimes the money simply isn’t available.
In a no-pay scenario, these constraints have real consequences. Without the option of paying to regain access, public sector organisations must rely entirely on internal resilience and recovery capabilities that, in many cases, remain inconsistent or incomplete.
Private sector organisations face a different set of pressures. They are not banned from paying, but the policy requires them to report their intention to do so. This creates new layers of scrutiny for boards already managing reputational, regulatory, and cyber-insurance considerations. These difficulties are amplified because organisations still don’t know how the new rules will operate in the middle of a live incident. How long will they need to wait before they get “permission” to pay? Will rapid triage or 24x7 approval mechanisms be in place to speed up the official response?
The outcome of the no-pay policy is the same across both sectors: being prepared becomes the only reliable strategy, and that raises the baseline of resilience required to survive an attack. Attitudes have to shift, boards have to listen to their IT teams, and funding has to be made available.
What to do next: building real cyber-resilience
Effective resilience depends on people, processes, and technology working together. Weakness in any one of those areas undermines the others. The following components form the foundation of a practical, no-pay security posture:
Air-gapped and immutable backups
Problem: Backups remain the most reliable path to recovery, but only if attackers cannot reach them. Ransomware groups routinely target backups; if they can delete, corrupt, or encrypt them, they remove an independent recovery path.
Solution: Air-gapped and immutable backups provide the separation needed to protect recovery points. Organisations should regularly test restore procedures, validate integrity, and ensure backup environments are properly isolated.
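One concrete way to make the "test restore procedures, validate integrity" step repeatable, as an added example that is not code from the article or from Six Degrees: it assumes each backup ships with a SHA-256 manifest written at backup time, and checks a test restore against it, flagging missing, altered and unexpected files.

```python
# Added example (not the article's code): verify a test restore against the
# SHA-256 manifest assumed to have been written when the backup was taken.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the backup-time manifest; 'passed' is True
    only when nothing is missing or modified (unexpected extras are reported)."""
    actual = build_manifest(restored)
    report = {"ok": [], "missing": [], "modified": []}
    for rel, digest in manifest.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:   # content changed: corruption or tampering
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(actual) - set(manifest))
    report["passed"] = not (report["missing"] or report["modified"])
    return report


def demo() -> dict:
    """Constructed sample: a two-file backup where one file is altered on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "backup"), Path(tmp, "restore")
        for d in (src, dst):
            d.mkdir()
        (src / "db.sql").write_bytes(b"CREATE TABLE t (id INT);")
        (src / "config.yml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(src)
        (dst / "db.sql").write_bytes(b"CREATE TABLE t (id INT);")
        (dst / "config.yml").write_bytes(b"retention_days: 0\n")  # altered
        (dst / "notes.txt").write_bytes(b"stray")                 # not backed up
        return verify_restore(manifest, dst)
```

A restore drill that fails this check should be treated as a recovery gap to fix, not as a one-off, and the manifest itself belongs with the immutable copy so it cannot be rewritten alongside the data.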
Patching regimes
Problem: Unpatched systems are among the most common routes used by cyber-criminals to hack organisations. They exploit known vulnerabilities because patch cycles are slow and downtime is difficult to justify.
Solution: It’s essential to introduce a structured, prioritised patching regime supported by asset discovery and clear ownership. Updates should be tested, coordinated, and rolled out fast enough to close gaps before attackers exploit them.
Security awareness, training and education
Problem: Most intrusions begin with a user action. Even sophisticated ransomware campaigns rely on simple human errors.
Solution: Continuous awareness training helps staff recognise substituted characters, suspicious domains, unusual requests, and malformed attachments. Reducing everyday mistakes dramatically improves protection and keeps attackers out during the earliest, most preventable stages.
Policies and frameworks
Problem: Without structured processes, organisations struggle to manage identities, assets, logging, and incident escalation – all critical in a no-pay world.
Solution: Frameworks such as the NIST Cybersecurity Framework and Risk Management Framework (RMF), ISO 27001, and the NCSC Cyber Assessment Framework help organisations build repeatable, well-governed processes. They provide the backbone for asset management, access control, monitoring, and incident response.
Business continuity and incident response
Problem: With ransom payments off the table, business continuity plans become the only viable recovery path. Yet many organisations still lack the basics: there’s no clear ownership of decisions, no defined system priorities, and no established communication channels. In a no-pay environment, those gaps can be just as damaging as the attack itself.
Solution: Business continuity and incident response plans should establish clear responsibilities, system priorities, communication channels, supplier engagement, and regulatory reporting. But these processes also need to be tested to identify and close gaps. Regular incident rehearsals help teams avoid panic and reverting to bad habits when an attack hits.
Threat intelligence and information sharing
Problem: Ransomware operators often spend months inside networks before deploying their payloads. They move laterally and exfiltrate data long before any encryption event occurs. Early-stage activity can often look like regular user or admin behaviour, so many organisations fail to detect it until the attack is well advanced. At that point, recovery options are already limited.
Solution: Threat intelligence helps organisations identify the tactics, techniques, and indicators associated with early-stage compromise. It provides context on attacker behaviour, highlights emerging vulnerabilities, and reveals patterns that may otherwise go unnoticed.
Building resilience
Policies alone cannot deliver resilience. If ransom payments are restricted, public sector organisations will need dedicated funding to modernise the ageing systems and fragile infrastructures that hamper recovery. Without that financial support, the public sector will struggle to meet the expectations of a no-pay regime.
Private organisations, especially SMEs, face a similar challenge. A no-pay regime raises the bar for resilience, but many lack the resources, guidance, and specialist capabilities required to reach it. Some will turn to managed security services and outsourcing, while others may try to recruit in-house support, which will certainly prove challenging amid a cyber-skills shortage.
If the government’s aim is to reduce ransom payments across the economy, it must also ensure that organisations are equipped to recover in a no-pay scenario. Policy can set the direction, but resilience is built through capability, investment, and long-term support. Without matching investment, enforcing or restricting the ability to pay threat actors risks becoming a policy of intent rather than one of impact. And once cyber-criminals get a whiff of that, the policy runs a serious risk of collapsing into chaos and irrelevance – with public and private sector organisations (and potentially taxpayers) paying the price.
JP Cavanna is Director of Cyber Security at Six Degrees
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543