To Fight Ransomware, Turn to Incident Response Professionals
If the UK hopes to end ransom payments, it must build an ecosystem of accredited cyber incident responders to work with government agencies and move as quickly as criminal operators.
The Home Office is considering a series of proposals to combat ransomware. These proposals include a ban on ransom payments for public sector organisations and owners of Critical National Infrastructure, a ‘payment prevention regime’ that would apply to all other payments and a ransomware incident reporting regime.
We do not debate the merits of a ban on payments or the value of reporting. However, the Home Office’s payment prevention proposal risks leaving under-resourced and ill-equipped businesses to navigate a maze of legal requirements and agencies while criminal groups hold their networks and operations hostage.
As the Home Office considers policies to limit ransomware payments, it should bring the cyber incident response community into the fight.
Small policy changes could incentivise victims to work with expert incident responders to determine if payment is reasonable or necessary to restore networks and services. Many of these professionals are drawn to the field out of a desire to continue the mission of fighting cybercrime. They are deeply familiar with victims’ circumstances and networks, adversary behaviour and all the concomitant trade-offs. If these trusted experts conclude that payment is reasonable, they are equipped to counsel victims on alternatives, determine whether a recipient is subject to sanctions and negotiate more favourable terms. Encouraging victims to work with incident response professionals would also have the added benefit of strengthening the UK cybersecurity industry and providing the scalable capacity that government alone cannot match.
The Knock-On Effects of a Payment Ban
We must be clear-eyed about the knock-on effects of the proposed ban on payments by government agencies and critical infrastructure. Criminal operators are not going to give up if the UK is able to effectively implement a limited payment ban. If some victims are unable or unwilling to pay ransoms, cyber criminals will continue to monetise their ability to gain unlawful access to systems, networks and data one way or another. The policy changes assume criminal groups will adapt from pursuing indiscriminate, opportunistic attacks to targeting entities not subject to a ban.
This may be an acceptable trade-off at a national level but is not one that will prove popular when the local grocer cannot process credit card payments because of a ransomware attack they are far less equipped to handle than a better-resourced critical infrastructure operator.
Under the proposal, the local grocer might be allowed to pay a ransom but will be ill-equipped to determine if doing so is in their best interest. They must report their intention to pay to authorities before making a payment, obtain cryptocurrency in the required amount and take on the risk that, despite engaging with government agencies and gaining approval to make the payment, they will fall afoul of sanctions laws and prohibitions on payments to sanctioned entities.
In the Home Office’s consultations, the difficulty of navigating this process was shared by many who submitted comments. Respondents supported the objective of disrupting criminal revenue but expressed anxiety about procedural delay, legal exposure and the risk of revictimization – particularly given that the current proposal does not impose any deadline by which the UK government will respond. Many feared that mandatory pre-payment engagement could paralyse the time-sensitive recovery efforts or expose victims to penalties even when acting in good faith under duress. Others argued that threshold-based inclusion would incentivise attackers to lower demands or redirect activity towards smaller, less-resourced firms.
Central to the ransomware challenge is the tension between a victim’s recovery needs and the state’s responsibility to dismantle the criminal model. National security interests – reducing economic incentives, improving intelligence and enforcing sanctions – must be weighed against the hardships facing businesses and those they serve. Misaligned incentives may lead to perverse outcomes: companies underreport incidents, adversaries intensify campaigns and regulatory burdens widen the gap between well-resourced victims and those without the means to comply. Conversely, properly aligned incentives can improve compliance, force attackers to adapt in ways that reduce harm to the UK and increase opportunities for law enforcement to disrupt the criminal ecosystem. Encouraging victims to work with incident response professionals can generate these benefits.
For victims to make a payment under the Home Office proposal, they must first report their intention to pay. The government would review the proposed payment, offer support and guidance and confirm whether there is any specific reason to block it.
During phases two and three, authorities may discuss non-payment options and review whether the payment implicates sanctions or terrorism-finance prohibitions. The regime uses victim-provided information to enhance the government’s understanding of threat actor capabilities and support future disruption efforts. The central policy challenge is whether this intelligence benefit can be realised without creating incentives for non-compliance.
Because this requirement mandates government engagement before funds reach criminal actors, implementation will introduce friction into the incident response process and must therefore balance intelligence and enforcement objectives against the realities of victim recovery.
How the Accredited IR Model Would Work
Engaging with incident response professionals can reduce this friction while increasing the likelihood that government agencies get the data to combat ransom operators.
Under this model, once the victim organisation has notified the authorities, it may – through an accredited incident response provider – proceed with payments to counterparties not subject to sanctions. They need not wait for government adjudication. Organisations without such relationships default to the regime in the current proposal, though ideally one modified with a guaranteed government response within 72 hours.
In practice, this establishes two tracks: one relying on the market to provide specialised response and negotiation support through accredited providers and another where the government provides those services directly. In both tracks, the obligation to report incidents and payments remains with the victim. Both tracks ultimately converge when victims report payment details and other incident information.
This approach preserves oversight and raises industry standards through accreditation while reducing the operational burden on victims and the government.
This approach also improves resilience. Across the ecosystem, incident response providers – from cyber insurers to DFIR firms and law practices – increasingly offer pre-incident assessment, planning and exercise services that strengthen baseline controls and bolster organisational resilience. By incentivising pre-incident preparedness and professional response, this model treats resilience as a co-equal policy objective and an enabling condition. It leverages existing market infrastructure to reduce recovery costs, standardise practices and improve intelligence quality at scale without requiring the state to adjudicate every case in real time.
The Importance of Accreditation
In order for this model to work, the UK must introduce an accreditation process for incident responders. Doing so will give victims confidence they are in capable hands during a stressful incident and give the government trusted partners to provide intelligence and insight on criminal actors. Accreditation also provides a pathway for government to shape industry payment practices, negotiation conduct and reporting quality.
However, it also carries risk, including market concentration, limited access for smaller organisations and governance challenges. If accreditation criteria or liability requirements favour a narrow set of providers, response capacity may consolidate in ways that reduce competition and increase costs. Moreover, an accreditation regime without auditability, enforcement and revocation risks devolving into a nominal designation, delivering limited value and weak assurance of quality. Accreditation standards should therefore shape payment practices, negotiation conduct and reporting quality. Accredited providers could be required to submit anonymised, aggregated trend data and promptly report novel tactics or techniques. But, by taking a market-centric approach, government avoids becoming a bottleneck and can make informed decisions on the permissibility of payments knowing the victim’s decision was made with counsel from trusted partners and other options were considered.
Helping the Home Office Achieve Its Goals
The government frames its objective as reducing cybercrime and associated harms to UK businesses and the public, while making the UK a less attractive target for ransomware. This objective reflects national security concerns, including protecting critical infrastructure and reducing risks to citizens and essential services. To achieve this objective, the Home Office identifies three goals. First, the government seeks to reduce money flowing from the UK to ransomware criminals, weakening the incentives that drive attacks. Second, the policy aims to enhance agencies’ ability to disrupt and investigate ransomware by improving intelligence collection across the payment landscape. Third, the framework aims to deepen the government’s understanding of the threat to inform interventions and support effective international cooperation.
The proposed accreditation model advances all three strategic goals simultaneously.
First, it reduces money to criminals by increasing the likelihood that professionals help victims pursue non-payment alternatives, negotiate lower demands, or restore systems more quickly.
Second, it strengthens intelligence collection and decision-making. Rather than relying on victim-driven reports submitted during crises, organisations supported by IR professionals are more likely to provide complete, timely and technically contextualised disclosures, improving intelligence quality without noise.
Third, it deepens threat understanding. By aggregating some data flows through trusted intermediaries, the government gains a clearer picture of attacker behaviour over time without imposing unnecessary burden on individual victims. This supports domestic enforcement and international cooperation.
Finally, the model embeds resilience as a goal and an enabling condition. By incentivising pre-incident relationships with professional responders, it encourages preparedness, risk assessment and planning before an attack. Organisations with established IR relationships contain incidents faster, make better-informed decisions under pressure and recover more quickly. These effects reduce the overall pool of victims and, by extension, the revenue to criminal actors.
Implementing the Model
We recommend that the Home Office pursue a two-track regime. The first track is an accreditation model that incentivises organisations to establish incident response plans and engage accredited IR partners. The second track provides a 72-hour government review process for victims without an accredited IR provider. Under this approach, organisations that engage accredited IR providers gain access to professional guidance on containment, recovery, negotiation and compliance. Those without such relationships default to government engagement for advice. In both cases, reporting obligations remain with the victim, ensuring consistent data flows. Over time, the two tracks converge through reporting of payment and incident information.
Accreditation best reconciles the trade‑off between limiting ransom payments and helping victims quickly regain operational capacity, because it harnesses market expertise while preserving clear state oversight. Instead of requiring government to adjudicate every case in real time, this model positions accredited responders as the victim’s primary interface, while the state does what it is best equipped to do: set standards, collect intelligence and retain enforcement authority.
© Rob Knake and Sezaneh Seymour, 2026, published by RUSI with permission of the authors.
The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.
WRITTEN BY
Rob Knake
Guest Contributor
Sezaneh Seymour
Guest Contributor