In a world-first, Counter Ransomware Initiative (CRI) members
have signed a joint statement denouncing ransomware and payments
being made to cybercriminals.
Led by the UK and Singapore, members of the CRI affirmed today (2
November) that relevant funds from central government should
not be used to pay a ransomware attacker – the first
international statement of its kind.
It sends a clear message that the global community strongly
opposes ransomware payments and is committed to disrupting
organised cybercrime.
The statement was signed on the same day the UK hosted the
first-ever global summit on artificial intelligence at Bletchley
Park and is another demonstration of the UK’s leadership on cyber
and tech issues globally.
Security Minister said:
“Crime should not pay. That’s why the UK and her allies are
demonstrating leadership on cybersecurity by pledging not to pay
off criminals when they try and extort the taxpayer using
ransomware.
“This pledge is an important step forward in our efforts to
disrupt highly organised and sophisticated cyber criminals and
sets a new global norm that will help disrupt their business
models and deter them from targeting our country.”
Ransomware criminals typically access a computer through a
malicious piece of software and then often encrypt or steal data.
The victim is then told that the offenders will decrypt or return
the data in exchange for a large fee, paid in
cryptocurrency.
The joint statement makes clear that paying a fee only serves to
benefit these organised criminals and provides an incentive to
continue offending. It does not guarantee the release of data or
the removal of malware from an affected network.
The CRI is the only dedicated multilateral body that the UK and
international partners use to develop robust and effective
policies and practices to enhance the global response to
ransomware.
A key ambition of the UK, and all international partners within
the CRI, is to stem the flow of money to cyber criminals and
build collective resilience through international cooperation and
engagement.
Felicity Oswald, NCSC Chief Operating Officer, said:
“Ransomware poses a significant threat to organisations in the UK
and around the world and so international collaboration is
essential for bearing down on cyber-criminal
operations.
“The joint statement today demonstrates that the UK and a
likeminded community of countries do not support payment of
online criminals as we know this only makes the threat landscape
worse for everyone.
“Many ransomware incidents can be prevented by ensuring that
appropriate security measures are in place. We strongly encourage
organisations to follow NCSC advice to effectively mitigate the
risks and help protect themselves online.”
It has been a long-standing policy that the UK government will
never meet the demands of ransomware actors, and no fee has ever
been paid by central government, but this is the first time the
position has been publicly confirmed.
Further to this, the National Crime Agency’s Strategic Risk
Assessment 2023 states that the biggest threat comes from
Russian-speaking crime groups who are tolerated by, and sometimes
linked to, the Russian state.
The UK’s cyber resilience, however, is among the strongest in the
world and the government has taken steps to enhance the nation’s
defences. This includes the NCSC’s online ransomware hub, which
is accessible through their website and provides expert
information and practical advice for organisations.
The UK additionally has the capability to work with international
partners to target and disrupt cyber criminals.
This includes 2 comprehensive sanctions packages which were
issued in unison with the United States. The sanctions targeted
18 Russian-speaking cyber criminals who were responsible for
extorting at least £150 million ($180 million) from victims
globally. In the UK there were 149 victims who collectively lost
£27 million.
The National Crime Agency has additionally been involved in
several high-profile operations which have led to the shutdown of
prolific organised crime groups. This includes HIVE, which
provided ransomware software to cybercriminals and extorted more
than $100 million.
The statement was agreed by all countries present at the Summit.
The statement, and the list of signatories, can be
viewed on GOV.UK.
The CRI was created in 2021 and is chaired by the United States.
Membership is voluntary.