
Targeted Policy Action Against Ransomware Attacks Emerging as a Key Global Cybersecurity Trend

Client Alert | 6 min read | 02.26.25

As digitalization has become more ubiquitous and attack surfaces have widened, the number of cyberattacks has correspondingly increased. In 2024, ransomware attacks in particular grew in both frequency and impact. In an effort to enact more stringent policy approaches, governments introduced over 170 data protection laws between 2023 and 2024. With no company immune from these regulatory winds, industry must keep a close watch.

New Proposals for Addressing Cybercrime in the UK

On January 14, 2025, the United Kingdom published three proposals to address the growing threat of cybercrime, specifically ransomware payments. If passed, these proposals would extend an existing rule that bans government entities from making ransomware payments to cover public sector bodies and critical national infrastructure entities as well. The initiative is designed to make such targets less attractive to cybercriminals and, according to the UK government, aims to “strike at the heart of the cybercriminal business model”. The key proposals, open for public consultation until April 8, 2025, are as follows:

  1. Banning ransomware payments for all public sector bodies (including the National Health Service, schools, and universities) and owners/operators of critical national infrastructure (full list available here).
  2. Establishing a ransomware payment prevention regime – this would require victims not covered by the payment ban to report any intention to make a ransomware payment to the government. Authorities would assess the situation, provide guidance, and have the power to block payments.
  3. Creating a mandatory reporting regime for ransomware incidents – this would ensure full transparency of the ransomware threat landscape, enabling the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to enhance their intelligence, better understand the scale of threats, target investigations properly, and proactively address emerging ransomware operations.

These proposed rules are consistent with other cybersecurity-related developments put forward by the new Liberal Party in the UK throughout 2024. Notably, these developments all followed an original May 2024 ransomware proposal under the Conservative Party that would have required all victims of ransomware to report the incident to the government and then obtain a license before making any extortion payment. Despite political fluctuations in the UK, there remains a strong appetite for greater ransomware regulation.

Ransomware Reporting in Australia

The Government of Australia recently enacted the Cyber Security Act 2024, which mandates that all organizations report ransomware payments within 72 hours to the Australian Signals Directorate (ASD) (under the purview of the Department of Home Affairs). Notably, the Act does not prohibit the payment of a ransom; it imposes reporting obligations only.

In response to industry concerns that proactive reporting could be used against reporting organizations in later enforcement actions, leading them to avoid reporting where possible, the Act also establishes limited-use protections for the information provided in ransomware reports. The ASD may use the reported information only for specific purposes, such as responding to, mitigating, and resolving the cyber incident; national security and intelligence activities; and limited enforcement actions.

Lastly, the Act creates the Cyber Incident Review Board, an independent advisory body similar to the U.S. Cyber Safety Review Board, which will conduct “no fault” post-incident reviews of significant cybersecurity incidents to analyze vulnerabilities and provide recommendations to enhance Australia’s cyber resilience.

This Act is aligned with key findings from the ASD’s 2023-2024 Annual Cyber Threat Report, which identifies ransomware (along with data theft, extortion, and fraud) as the top cybercrimes that the nation is experiencing, resulting in substantial financial losses.

Action through Robust International Partnerships

The Counter Ransomware Initiative (CRI) is a multilateral forum comprising 68 countries, including the UK, Singapore, United States, Australia, Canada, and Japan. Established to address the growing threat of ransomware attacks, the CRI is intended to foster international collaboration and best practice sharing to strengthen global cybersecurity resilience.

Within this forum, the UK and Singapore co-lead the CRI’s “policy pillar”, which focuses on building resilience against ransomware attacks and disrupting the global ransomware ecosystem. Its initiatives to date have focused on secure software practices, countering the misuse of virtual assets, and developing policies to reduce ransomware payments. Specifically, in January 2024, the pillar published a joint statement with all CRI members publicly denouncing ransomware and committing “that relevant institutions under the authority of our national government should not pay ransomware extortion demands” in order to undermine the ransomware business model. Looking ahead to 2025, the pillar plans to continue leading efforts to reduce ransomware payments, enhance incident reporting frameworks, and strengthen partnerships with the cyber insurance industry, ensuring these best practices are adopted by all CRI member countries.

Broader Global Developments on Countering Ransomware

The European Union's new NIS2 Directive mandates that organizations classified as “essential” or “important” entities must report ransomware attacks to authorities within a strict timeframe, typically within 24 hours.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) launched the CISA Services Portal as part of a broader initiative to enhance cyber incident reporting and response capabilities.

In December 2024, the EU and UK held their second cyber dialogue in London, as part of the EU-UK Trade and Cooperation Agreement. The discussions covered various topics, including cyber resilience, secure technology, digital identity, deterrence strategies against cyber threats, and countering cybercrime such as ransomware.

Our Take

Given the current global momentum on countering ransomware attacks, we can expect to see many more targeted policies and regulations in 2025. The UK and Australia have set helpful precedents and provided useful insight into how governments are approaching this, i.e., to protect rather than to penalize. Mandatory reporting of ransomware attacks will enable governments to better understand the cyber threat landscape and develop effective cybersecurity practices and strategies to prevent future attacks. Ransomware regulations, including reporting requirements and payment bans, may become a normative cybersecurity practice across the globe. The exact flavor, though, may vary as governments experiment to determine the most effective policy avenues for combating ransomware.

As governments explore those paths, balance will be a crucial consideration. As both the UK and Australian governments have acknowledged, incentives matter. Yet cyber regulation has historically been perceived by many as an ill-shaped stick with no obvious carrot. The result has been a regulatory structure that can disincentivize proactive information sharing and creative, bespoke defenses. To strike the right balance between ransomware prevention and red tape, policymakers and industry must find common ground within their respective challenges and priorities. That intersection is where both effective and efficient policy avenues will be found.
