UK Plans To Ban Public Sector Organizations From Paying Ransomware Hackers (techcrunch.com)
U.K. public sector and critical infrastructure organizations could be banned from making ransom payments under new proposals from the U.K. government. From a report: The U.K.'s Home Office launched a consultation on Tuesday that proposes a "targeted ban" on ransomware payments. Under the proposal, public sector bodies -- including local councils, schools, and NHS trusts -- would be banned from making payments to ransomware hackers, which the government says would "strike at the heart of the cybercriminal business model."
This government proposal comes after a wave of cyberattacks targeting the U.K. public sector. The NHS last year declared a "critical" incident following a cyberattack on pathology lab provider Synnovis, which led to a massive data breach of sensitive patient data and months of disruption, including canceled operations and the diversion of emergency patients. According to new data seen by Bloomberg, the cyberattack on Synnovis resulted in harm to dozens of patients, leading to long-term or permanent damage to their health in at least two cases.
Screw Javascript (Score:5, Insightful)
and sites that require javascript can go to hell.
Cloud (Score:2)
Doesn't this seem like an opportunity for a government to standardize and require a few different approved cloud setups?
It also would include approved and verified security for each cloud solution.
I've a much better idea. (Score:2)
1. Databases should never be directly reachable. Neither should any other type of server. Internal networks should access via some sort of intermediate, such as a higher level server, so that no software on users' machines can cause damage to data.
2. Nothing on internal networks should be exposed to the public Internet. If remote sites need access, use a secure extranet.
Illegal for everyone (Score:5, Interesting)
Paying ransom should be illegal, period. Paying ransom is funding a criminal enterprise, and should be punished as such.
No backups? No practiced disaster recovery process? Tough, do better.
Re: (Score:3)
Agree - the only way to protect companies from being targets is to make sure that they can't pay.
The way to do it would be to fine companies who pay ransomware an amount equal to 10x the loss they would have experienced from not paying it.
Re: (Score:2)
Yup.
If said criminal knows they can't get money from a target, said criminal doesn't really have any incentive to ransom that target.
Tolerating ransom payments is why there are ransom demands.
Easy workaround -- hire a consulting firm. (Score:2)
Very easy way to work around this, and it works well here in the US, where technically giving money to North Korean operators is illegal... but not enforceable:
1: Hire an offshore consulting firm. The ransom is $10,000, so the company pays the consulting firm $11,000 or so.
2: The consulting firm pays the ransomware operators their $10,000.
3: The decryption keys get passed to the company, with the memo that the consulting firm "broke the encryption", just for that company.
4: ????
5: The company slaps a
Re: (Score:2)
Very easy way to fix that loophole: ban the organizations from paying an offshore company, if it's not already the case.
Re: (Score:2)
I don't see how this can be possible in the US. Especially with the reliance on offshore labor and offshore companies to do everything, be it manufacturing a product, staffing the internal helpdesk, designing products, or even mass production.
Even if it were, the offshore company just needs to have a small office in the US, and they are home free.
Would be nice if government could do something about this, but unlike China where government controls business, it is the opposite here. I wouldn't be surprised
holding people accountable. (Score:1)
The obvious answer (Score:2)
Treat attempts at data ransom the same as hardware failures
Be prepared for both with a robust backup strategy
While they are at it, (Score:2)
If I can do it at home, surely public bodies can do the same?
Yes, the UK Government sector is the target (Score:1)
Dear UK Government Officials.
Hackers really don't care about you. You're target-PRACTICE. They're really going after wealthy fortune-500 companies you don't have. Don't worry. When one of your companies becomes successful they move somewhere they can grow and thrive, and that's not LakenHeathByTheThemes or ShoresideDownByCrownPhilip.
But hey you go passing laws that affect nothing. How's that setting sun doing on your empire?
Mod me a troll. It's not often I get to troll an entire empire drowning in its