UK to ban public sector orgs from paying ransomware gangs

07/22/2025


The United Kingdom’s government is planning to ban public sector and critical infrastructure organizations from paying ransoms after ransomware attacks.

The list of entities that would have to follow the new proposed legislation includes local councils, schools, and the publicly funded National Health Service (NHS).

“Ransomware is estimated to cost the UK economy millions of pounds each year, with recent high-profile ransomware attacks highlighting the severe operational, financial, and even life-threatening risks. The ban would target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups,” the UK government said.

“We’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,” Security Minister Dan Jarvis added.

Under these new measures, businesses not covered by the proposed ban will be required to notify the government if they intend to make a ransom payment, seeking guidance on whether such payments could violate laws regarding transfers to sanctioned cybercriminal groups, many of them based in Russia.

A mandatory reporting system is also being developed to provide law enforcement with essential information to track down attackers and support the victims.

The announcement follows the UK government’s public consultation in January, which proposed a targeted ban on ransomware payments for all public sector bodies and critical national infrastructure, as well as measures to prevent ransomware payments and require mandatory reporting of ransomware incidents.

As noted at the time, ransomware is considered the greatest cybercrime threat in the UK and is treated as a risk to the UK’s national security by both the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

In recent years, multiple high-profile UK organizations have been hit by ransomware attacks, including the NHS and the British Library.

More recently, BleepingComputer first reported that British retail giant Marks & Spencer (M&S) was breached in an April ransomware attack in which a DragonForce encryptor was used to encrypt virtual machines on VMware ESXi hosts, forcing M&S to stop accepting online orders and significantly disrupting business operations at its 1,400 stores.

The Co-op suffered a separate cyber incident, confirming that the attackers stole data belonging to many current and former members. Harrods also disclosed that it was forced to restrict internet access at some sites after threat actors attempted to breach its network.
