Government Security Policy: Responding to Ransom Attacks
This policy outlines the Government position on how government and public sector organisations should act if faced with a ransom extortion demand.
1.1 Government organisations, including their Arm’s-length Bodies (ALBs) and other public bodies solely funded by central government, shall not use central government funds to pay ransom extortion demands.
1.2 Exceptional ministerial direction will always be required to overturn this position.
2.1 The UK government is committed to limiting the amount of funds being directed to criminals, and agrees with the stance of the Counter Ransomware Initiative: that relevant institutions under the authority of our national government should not pay ransom extortion demands, including those deriving from a ransomware attack.
2.2 The National Cyber Security Centre (NCSC) defines ransomware as ‘a type of malware that makes data or systems unusable until the victim makes a payment’. The NCSC also states that ‘ransomware has … become a major part of the cyber crime toolkit and has caused disruption all over the world’.
2.3 Organisations, rather than individuals, are increasingly being targeted by ransom attacks. This is because criminals can usually demand more money from an organisation than from an individual. Also, organisations are perceived as being more likely to pay in order to avoid damage to their reputation.
2.4 Criminals approach their targets carefully, and investigate their networks to understand their business-critical systems and data. They also assess their targets’ ability to pay, in order to then demand bigger ransoms.
2.5 Paying a ransom to criminals is likely to encourage further criminal activity and does not guarantee a successful outcome. It should only be considered by the victim as a last resort and only sanctioned with exceptional ministerial direction.
2.6 Due to the ever-increasing threat posed by cyber criminals, the UK government will periodically review this policy. The review will take place either every 5 years from first publication, or whenever the changing threat landscape requires it.
3.1 This policy is intended for:
- senior leaders, who will ultimately be the decision makers in such scenarios.
- security advisers responsible for the overall security of an organisation.
- cyber security professionals responsible for advising technical teams on the secure management of IT assets and infrastructure.
- incident response leads responsible for managing departmental actions in the event of a ransom attack.
4.1 The policy applies to government organisations, their ALBs, and other public bodies solely funded by central government.
4.2 This policy does not apply to other public bodies with sufficient funding from sources other than central government. Whilst the UK government cannot prevent them from paying ransom extortion demands, it will seek to influence such a decision.
5.1 By ensuring that government organisations and their ALBs do not pay ransom extortion demands, this policy makes them a less attractive target. This reduces the overall likelihood that such an attack will take place.
6.1 This policy contains both mandatory and advisory elements, using the same language as Functional Standard GovS 007: Security:
- “shall” means a requirement: a mandatory element
- “should” means a recommendation: an advisory element
6.2 Government organisations and ALBs shall:
- not use central government funds to pay ransom extortion demands, unless a minister has signed off on an exceptional decision to do so.
- include this policy in their incident response plans.
7.1 In any scenario where there is no terrorist link, the UK government always advises against and never condones the payment of a ransom.
7.2 Other public bodies with access to private funding may use it to pay for non-terrorist ransoms. However, the UK government will seek to persuade them not to, while not being able to actually control their decision.
8.1 This policy is supported by and relates to:
- The CRI Joint Statement on Ransomware Payments, which outlines the agreed international ransomware position of the Counter Ransomware Initiative – a collection of global member states, including the ‘Five Eyes’ (UK, US, Australia, Canada and New Zealand)
- Functional Standard GovS 007: Security, which sets expectations for what security activities organisations must carry out and why in order to protect government assets
- The Cyber Standard, which sets out how this should be done in relation to cyber security, specifying the particular procedures organisations must follow and the performance criteria to be met
- NCSC guidance for organisations considering making ransomware payments
9.1 The controls described in this policy will help government organisations demonstrate that they have met the required security outcomes in the NCSC Cyber Assessment Framework (CAF). This includes but is not limited to:
- D1 – Response and Recovery Planning
- B1 – Service protection policies, processes and procedures
- B5 – Resilient networks and systems
9.2 The mandatory elements of this policy are aligned with or exceed the Baseline Government CAF profile. Those that exceed the requirements of the profile do so because they are essential to achieving the policy’s core aims.
9.3 Further guidance for government organisations on meeting the required security outcomes of the CAF is provided in the Government Cyber Security Policy Handbook.