It’s no secret that ransomware is on the rise, and this escalation is echoed across numerous industry reports. The Verizon 2025 Data Breach Investigations Report (DBIR), for instance, starkly illustrates this reality, revealing that ransomware (with or without encryption) was present in 44% of all breaches reviewed. This marks a substantial 37% increase from their previous annual report. These findings support KnowBe4’s own Threat Lab data, which highlights a 57.7% increase in ransomware payloads present in phishing attacks between November 1, 2024 and February 15, 2025 compared to the previous three-month period.
We have seen this trend in the global media too: Marks & Spencer (M&S) and Co-op are just a couple of examples of major organisations hit by ransomware attacks in the last year alone.
Given the widespread and disruptive nature of these incidents, many have started to question how effective ransom payment bans would be at reducing ransomware attacks.
The Underreporting Epidemic
You would expect a rise in ransomware to also mean a rise in ransom payments, but this has not been the case. According to the 2025 DBIR, the median amount paid to ransomware groups has decreased to $115,000 from $150,000 the previous year. This overall trend of decreasing ransom payments is also echoed in the ENISA Threat Landscape 2024 report, where enhanced cybersecurity measures, robust backups and intensified law enforcement efforts are cited as key factors behind the decline.
However, is this truly a decline, or merely a reflection of under-reporting?
Consider the recent M&S ransomware case: the multinational retailer publicly declined to state whether a ransom was paid. If even such a high-profile incident can remain ambiguous in official data, it raises serious questions about the countless smaller, unreported incidents that never garner national headlines. This significant “dark figure” of cybercrime makes it challenging to ascertain the true financial impact and prevalence of ransomware.
Currently, organisations may fail to report a ransomware incident and any linked payment for a number of reasons, including reputational damage, legal implications, competitive disadvantage, and a lack of clear reporting mechanisms. The list goes on. But it is clearly acknowledged that the data we see on successful ransomware cases is unlikely to reflect reality.
Therefore, some jurisdictions are considering a total ban on payments.
A Proposed Ban in the United Kingdom
In the UK, the government has proposed a potential ransomware payment ban for public sector bodies and operators of critical national infrastructure, following strong support in a recent public consultation.
A key rationale behind this proposal is that “the ban would target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups.”
The proposal also includes other significant implications: mandatory incident reporting for organisations not subject to the ban, including any intention to pay a ransom; government advice and support for ransomware victims; and an ongoing commitment to maintaining resilient offline backups and recovery strategies.
However, the critical question remains: would banning ransom payments lead to a decrease in ransomware activity?
Expert Insight on Ransom Payment Bans
When asked for their general thoughts on ransom payment bans (not specifically on the UK proposals), KnowBe4 experts shared:
Anna Collard, SVP content strategy & evangelist at KnowBe4 Africa:
“I believe that criminalising ransom payments penalises victims twice – once by the attackers and again by the law, which is unjust and counterproductive.” Anna warns that making payments illegal could “drive victims underground, resulting in underreporting, less cooperation with authorities, and less visibility into the true scale and tactics of ransomware operations.” Instead, Anna advocates for mandatory reporting as a more balanced solution that supports transparency and improves threat intelligence. She highlights that “many victims face no-win scenarios where payment is the only viable option to recover data or protect lives,” suggesting that encouraging openness and collaboration, alongside investing more in resilience and prevention, is preferable to “shifting blame to the victims.”
Javvad Malik, lead cybersecurity advocate at KnowBe4:
Javvad’s position on the matter is a little starker. Generally, he views ransom bans critically, stating “that’s like asking if we should ban umbrellas to stop it from raining.” While acknowledging that ransom payments fund criminal activity, he argues that “banning payments without providing alternatives is like telling someone they can’t use an umbrella in a storm but not offering them a raincoat or shelter.” Like Anna, Javvad warns that general bans would “drive the problem underground and organisations will stop reporting incidents. We’ll lose valuable threat intelligence, transparency, and most importantly trust.” He concludes that “banning ransom payments is the wrong mindset. We need to focus on how we can make ransom payments unnecessary and until we do, let’s not punish victims who are just trying to survive.”
Jack Chapman, SVP of Threat Intelligence at KnowBe4:
Jack highlights a more positive view on banning ransomware payments, stating that it “is the only viable deterrent to cybergangs in the long term.” He argues that payments directly fund future attacks and the development of criminal enterprises, making a ban essential to “strip the pockets of threat actors.” Furthermore, paying ransoms can “put a bright red target on an organisation’s back,” showcasing willingness to engage and making them susceptible to repeat attacks or broader criminal exploitation. Chapman supports a widespread ban generally, believing that if all organisations commit, it would “undermine decades of threat actors’ research and development,” significantly decreasing the success of ransomware as a criminal weapon.
Building Your Own Storm Shelter: Organisational Resilience
As the UK government continues to navigate the complexities of ransomware, proposing a payment ban for public sector bodies and critical national infrastructure, the effectiveness of such measures remains a subject of debate. While we wait to see whether these governmental proposals will be fully enacted and how they will shape the future landscape of ransomware incidents and payments, one truth holds immediate relevance for all organisations.
Regardless of future legislation, the most impactful defence against ransomware lies in stopping it at the source. This requires a proactive and multi-layered approach, encompassing intelligent security technology combined with personalised, relevant, and adaptive security awareness coaching. By fortifying digital defences with advanced tools and empowering every individual within the organisation to recognise and resist social engineering tactics, organisations can build a strong security culture that significantly reduces their vulnerability to the escalating ransomware threat. Lastly, organisations need sound incident response processes so they can bounce back quickly if or when an incident happens.