Nearly Right

The ransomware ban that criminals want you to pass

Britain's new prohibition will eliminate amateur competitors whilst rewarding precisely those networks sophisticated enough to circumvent legal constraints

In a London hospital room last June, doctors watched helplessly as critical blood test results remained locked behind ransomware encryption, their patient deteriorating whilst cybercriminals half a world away calculated their next move. That patient died—one death officially linked to the Synnovis attack that paralysed NHS pathology services for months. Yet rather than learning from this tragedy, Britain has designed a policy response that would have made the situation worse whilst strengthening precisely those criminal networks responsible.

The UK government's announcement that public sector organisations and critical national infrastructure will be prohibited from paying ransomware demands has been greeted with the enthusiasm typically reserved for obviously sensible policies. After all, 75% of consultation respondents supported the measure, 48 countries have pledged similar commitments, and the logic appears unassailable: stop funding criminals, stop crime.

Yet this intuitive appeal masks a more troubling reality. Far from undermining ransomware networks, payment bans function as inadvertent criminal enterprise development programmes—eliminating amateur operators whilst creating perfect conditions for the most sophisticated networks to consolidate power, increase profits, and develop capabilities that traditional law enforcement cannot match.

The Italian warning Britain ignored

Italy provides the most relevant precedent for Britain's approach, having implemented comprehensive ransomware payment prohibitions years before the UK consultation. The results offer a sobering preview of what British policymakers should expect: formal compliance coupled with persistent criminal success.

Surveys reveal that 43% of Italian organisations still admit to paying ransoms despite criminal penalties. This figure likely understates the true payment rate, as companies face obvious incentives to conceal illegal payments. The gap between legal prohibition and operational reality reflects not inadequate enforcement, but the fundamental mismatch between legislative instruments and criminal adaptation.

Italy's experience echoes earlier attempts to ban kidnapping ransoms, where asset freezing reduced reported incidents whilst driving actual payments underground. The policy succeeded in creating the appearance of problem resolution whilst sophisticated criminal networks developed more advanced operational security and laundering capabilities.

The criminal market logic

To understand why payment bans backfire, consider the ransomware ecosystem as a sophisticated market where legal prohibitions function as barriers to entry. Amateur cybercriminal groups—the digital equivalent of opportunistic burglars—lack the technical infrastructure and legal sophistication to circumvent payment bans. Professional networks like Qilin, which orchestrated the Synnovis attack, maintain dedicated legal advisory teams, multi-jurisdictional laundering operations, and technical capabilities that treat regulatory constraints as merely another operational challenge.

When payment bans eliminate amateur competitors, professional networks inherit their target pools without internal competition. The result resembles what economists call "market consolidation"—fewer players controlling larger market shares with enhanced pricing power. In this case, "pricing power" translates to larger ransom demands and more sophisticated attack methodologies.

This dynamic explains the counterintuitive pattern observed across jurisdictions with payment prohibitions: attack frequency may decline slightly, but average ransom demands increase substantially, and attack sophistication improves dramatically. Criminal enterprises with superior resources gain competitive advantages that legal frameworks cannot erode.

The insurance industry's perverse incentives

The cyber insurance market, valued at £7-8 billion annually in the United States alone, has become integral to ransomware economics in ways that payment bans cannot address. ProPublica investigations reveal that insurers often accommodate ransom demands even when backup alternatives exist, creating perverse incentives that fuel attack frequency.

Payment bans will not eliminate these dynamics but will instead drive them into regulatory grey areas. Insurance companies will develop "compliance-adjacent" services that technically avoid payment prohibitions whilst maintaining restoration capabilities. This evolution toward quasi-governmental functions adds complexity and cost without reducing criminal revenue—precisely the conditions that favour sophisticated networks over amateur operations.

Coveware data demonstrates that payment rates have already declined from 80% in 2019 to 31% in 2024, suggesting market forces may be more effective than legal prohibitions. However, this improvement reflects enhanced defensive capabilities rather than reduced criminal sophistication, indicating that effective solutions require technical rather than legal innovations.

The enforcement mirage

The fundamental delusion underlying Britain's payment ban involves enforcement capabilities that exist primarily in policy documents rather than operational reality. Consider the technical requirements: tracking cryptocurrency transactions through multiple mixing services, across dozens of jurisdictions, operated by networks with superior technical capabilities and unlimited operational budgets. British law enforcement agencies struggle to investigate domestic fraud cases involving traditional banking systems—yet they are expected to trace Bitcoin payments through Russian, North Korean, and Iranian laundering infrastructures.

The Synnovis case demonstrates these limitations with brutal clarity. Despite generating international headlines, causing patient deaths, and costing £32.7 million, the Qilin group responsible continues operations without meaningful interference nine months later. They published 400GB of stolen NHS data on the dark web, including cancer patient records and sexually transmitted infection results, yet face no legal consequences.

This impunity is not accidental—it reflects structural advantages that legal frameworks cannot overcome. Criminal networks operate from jurisdictions that do not cooperate with Western law enforcement, use technical infrastructures specifically designed to resist surveillance, and maintain operational security protocols that assume government monitoring. They possess resources that dwarf those available to cybercrime units whilst lacking the bureaucratic constraints that limit official responses.

Meanwhile, British organisations face impossible compliance calculations. When ransomware attacks cause an average of £5.13 million in costs and 24 days of downtime, the arithmetic of survival often contradicts legal obligations. A small NHS trust facing encrypted patient records and backed-up ambulances cannot wait for law enforcement investigations that may never yield results.

The democratic legitimacy trap

The 75% public support for payment bans reflects a fundamental democratic dysfunction: policies that feel morally satisfying often produce outcomes that contradict their stated objectives. Citizens intuitively reject rewarding criminals but lack technical understanding of enforcement realities and criminal adaptation patterns.

The most troubling aspect of this dynamic lies in its self-reinforcing nature: enforcement success becomes indistinguishable from enforcement failure. If compliance is high and reported payments drop, authorities will claim victory whilst actual payments continue through increasingly sophisticated channels. If compliance is low and attacks persist, authorities will demand enhanced powers and resources. Either outcome justifies expanded state oversight whilst criminal capabilities continue advancing unchecked.

The human cost of security theatre

Returning to that NHS patient whose death was linked to delayed blood test results during the Synnovis attack: would Britain's proposed payment ban have prevented this tragedy? The evidence suggests not. The Qilin group responsible operates across multiple jurisdictions with sophisticated technical capabilities and legal advisory support. A British payment prohibition would likely have prolonged system restoration whilst providing additional operational security challenges that professional networks routinely overcome.

More troublingly, payment bans may increase human costs by reducing transparency and cooperation with law enforcement. When payments become illegal, victim organisations face incentives to conceal attacks rather than report them, reducing intelligence available for prevention and response. This dynamic benefits criminal networks by obscuring attack patterns and defensive innovations.

Beyond prohibition

Effective ransomware mitigation requires acknowledging uncomfortable realities about criminal adaptation and enforcement limitations. Technical defensive measures, international cooperation on criminal infrastructure disruption, and market-based incentives for security improvements offer more promising approaches than legal prohibitions that sophisticated networks can circumvent.

The cyber insurance market's evolution toward enhanced security requirements demonstrates how economic incentives can drive defensive improvements without creating enforcement challenges. Similarly, infrastructure-focused disruption efforts—targeting criminal hosting, payment processing, and communication systems—address criminal capabilities rather than victim behaviour.

The uncomfortable truth about democratic security theatre

Britain's ransomware payment ban exemplifies a peculiar form of democratic failure: policies that feel morally unassailable whilst producing outcomes that directly contradict their stated objectives. The 75% public support reflects genuine moral intuition—refusing to reward criminals appeals to basic concepts of justice. Yet this moral clarity obscures technical realities that render such policies not merely ineffective, but actively counterproductive.

The true tragedy is not that payment bans fail to stop ransomware—it's that they systematically strengthen precisely those criminal networks most capable of causing catastrophic damage whilst creating the illusion of decisive action. When the next NHS patient dies because cybercriminals have consolidated their capabilities and enhanced their operational security, British politicians will possess the perfect alibi: they implemented the policy the public demanded.

For policymakers genuinely committed to reducing ransomware impacts rather than managing political optics, the evidence demands uncomfortable acknowledgments. Effective cybersecurity requires technical sophistication that matches criminal capabilities, international cooperation that transcends legal frameworks, and market incentives that reward defensive innovation over regulatory compliance.

Until Britain's approach reflects these realities rather than democratic symbolism, measures like payment bans will continue serving their true function: providing political cover for security failures whilst inadvertently subsidising criminal enterprise development. The criminals understand this dynamic perfectly. The question is whether Britain's policymakers ever will.
