
The UK's Ransomware Payment Ban: Why Private Sector SMBs Should Be Paying Attention

ransomware, public sector, supply chain, cyber resilience, UK SMB, NCSC

The UK government has signalled that a ban on ransomware payments for public sector organisations will come into force later in 2026. The policy rationale is straightforward: paying ransoms funds criminal groups, validates the business model, and encourages further attacks. Stop the money flowing, and the incentive diminishes.

The logic is sound. The consequences for the private sector — particularly SMBs in public sector supply chains — are worth thinking through carefully before the ban takes effect.

What the Ban Actually Does

The proposed ban prohibits public sector bodies — central government departments, local authorities, NHS trusts, schools, and other publicly funded organisations — from paying ransoms to attackers. Mandatory reporting of ransomware attacks would accompany the ban, so the government gets visibility of who is being hit and how.

For public sector IT teams, this changes the calculus significantly. Right now, some organisations pay quietly and recover quickly. Under the ban, that option is gone. Recovery depends entirely on whether backups are adequate. If they aren't, the consequences are operational disruption, data loss, and public accountability — with no ransom payment as an escape valve.

The effect on attackers is more nuanced than it first appears.

Attackers Follow Profitability

Criminal ransomware groups — including those with state backing — operate as businesses. They target organisations where the probability of payment is highest relative to the effort required to compromise them.

Public sector organisations have historically paid because recovery is slow, the political pressure to restore services is intense, and the alternative — extended disruption to public services — is hard to justify. The ban removes that pressure point.

When a segment of the market stops paying, attackers don't stop operating. They redirect to where payment is still possible. Private sector organisations — and specifically SMBs that lack the security resources of large enterprises — become comparatively more attractive targets.

This is not speculation. It's the observed pattern from previous policy shifts and market changes in the ransomware ecosystem. When one avenue closes, volume moves to the next available target.

The Supply Chain Risk Is Specific

If your business provides services to public sector clients — IT support, professional services, facilities management, data processing, logistics — you are part of a supply chain that is actively targeted. Attackers know that compromising a supplier is often easier than compromising the end client directly, and that a supplier breach can cascade upward.

This cuts both ways. First, you may be targeted specifically because of your public sector connections. Second, your public sector clients are under increasing pressure to assess and document the security posture of their supply chain. NHS procurement, local authority contract renewals, and central government supplier assessments are all moving toward requiring demonstrable security controls — not declarations of intent.

Cyber Essentials certification, and increasingly Cyber Essentials Plus, is becoming a baseline requirement for public sector contracts rather than a differentiator. If you're in a public sector supply chain and don't hold CE or CE+, the window to secure renewals on current terms is narrowing.

The Practical Shift in Attacker Targeting

The change isn't just about who attackers target — it's about how they approach the attack. When public sector organisations can no longer pay, attackers targeting the private sector have less reason to offer decryption keys at all. Payment bans in other jurisdictions have been associated with a shift toward more destructive attacks: data exfiltration and threatened publication rather than encryption and ransom.

This matters for backup strategy. A backup that protects you against encryption may not protect you against exfiltration. The two threats require different controls:

  • Encryption attacks: Immutable, tested backups with sufficient retention to predate the intrusion.
  • Exfiltration attacks: Data classification, access controls, monitoring for unusual outbound data movement, and incident response capability.

The most resilient organisations address both. Most SMBs currently address neither adequately.

What to Have in Place Before the Ban Takes Effect

The ban is expected later in 2026. That's not a long runway if your current backup and security posture needs work.

On backups specifically:

  • Immutable copies that cannot be encrypted or deleted by an attacker with admin access
  • At least one copy isolated from your primary environment (air-gapped or with strict access controls)
  • Retention windows long enough to predate a dormant attacker — 30 days minimum; 90 days for organisations with elevated risk exposure
  • Tested restoration — not just backup jobs completing, but verified recovery to a known-good state
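The backup checklist above reduces to one question after an incident: is there a copy that predates the attacker, is immutable, is isolated, and has actually been restore-tested? The following is an added example (not IronFell's code or tooling) that answers it over a constructed snapshot catalogue; `Snapshot`, `CATALOGUE` and the 45-day/7-day/14-day schedule are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Snapshot:
    taken: date
    immutable: bool         # cannot be encrypted or deleted by an attacker holding admin rights
    isolated: bool          # held outside the primary environment (air-gapped or tightly scoped access)
    restore_verified: bool  # a test restore of this copy to a known-good state has succeeded

def newest_usable_restore_point(snapshots, suspected_intrusion):
    """Newest copy that predates the intrusion and meets all three controls, or None.

    A copy taken after the attacker gained access may already contain their tooling,
    so only copies strictly older than the suspected intrusion date qualify."""
    usable = [s.taken for s in snapshots
              if s.taken < suspected_intrusion
              and s.immutable and s.isolated and s.restore_verified]
    return max(usable) if usable else None

def retention_covers(snapshots, today, minimum_days):
    """True if the oldest immutable, isolated copy reaches back at least minimum_days."""
    protected = [s.taken for s in snapshots if s.immutable and s.isolated]
    return bool(protected) and (today - min(protected)).days >= minimum_days

# Constructed catalogue (hypothetical, not real data): 45 daily immutable snapshots,
# an isolated copy every 7 days, and a test restore verified every 14 days.
TODAY = date(2026, 3, 1)

def days_ago(n):
    return TODAY - timedelta(days=n)

CATALOGUE = [
    Snapshot(taken=days_ago(d), immutable=True,
             isolated=(d % 7 == 0), restore_verified=(d % 14 == 0))
    for d in range(45)
]

if __name__ == "__main__":
    # An attacker dormant for 20 days still leaves a verified copy from 28 days ago.
    print(newest_usable_restore_point(CATALOGUE, days_ago(20)))   # 2026-02-01
    # Dormant for 45 days: nothing in this catalogue predates them.
    print(newest_usable_restore_point(CATALOGUE, days_ago(45)))   # None
    print(retention_covers(CATALOGUE, TODAY, 30), retention_covers(CATALOGUE, TODAY, 90))  # True False
```

The 45-day dormancy case is the point of the 90-day recommendation: a catalogue that satisfies the 30-day minimum can still have no usable restore point.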

On supply chain security:

  • If you hold a public sector contract, review what security requirements are in it and whether you currently meet them
  • Check whether CE or CE+ is required for renewal — if it's not required yet, assume it will be
  • Know what customer data you hold, where it is, and what access controls protect it

On monitoring:

  • Unusual outbound traffic, access at odd hours, and lateral movement within your network are the indicators of an attacker preparing for an exfiltration attack
  • These are not detectable from backup logs — they require active monitoring
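The three indicators named above become useful when they are correlated per account rather than alerted on individually. The following is an added example (not IronFell's code or any product's detection logic) that runs those checks over constructed sample events; the log format, host naming convention, business-hours window and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (hypothetical, not real logs):
# timestamp  user  source host  destination  bytes sent
EVENTS = [
    "2026-03-02T09:14:00 alice ws-12 sharepoint.internal 120000",
    "2026-03-02T10:02:00 bob ws-07 crm.internal 80000",
    "2026-03-02T02:41:00 dave ws-19 203.0.113.9 5200000000",
    "2026-03-02T02:43:00 dave ws-19 srv-hr 4000",
    "2026-03-02T02:44:00 dave ws-19 srv-finance 4000",
    "2026-03-02T02:45:00 dave ws-19 srv-dc01 4000",
    "2026-03-02T11:30:00 carol ws-03 mail.internal 30000",
]

def parse(line):
    ts, user, src, dst, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "bytes": int(nbytes)}

def is_internal(host):
    return host.endswith(".internal") or host.startswith(("ws-", "srv-"))

def off_hours(ts, start_hour=7, end_hour=19):
    return not (start_hour <= ts.hour < end_hour)

def detect(lines, outbound_threshold=1_000_000_000, lateral_threshold=3):
    """Map each indicator to the sorted list of users who triggered it."""
    flagged = defaultdict(set)
    internal_targets = defaultdict(set)   # user -> distinct internal hosts reached
    for ev in map(parse, lines):
        if is_internal(ev["dst"]):
            if ev["dst"] != ev["src"]:
                internal_targets[ev["user"]].add(ev["dst"])
        elif ev["bytes"] >= outbound_threshold:
            flagged["large_outbound"].add(ev["user"])   # bulk transfer to an external address
        if off_hours(ev["ts"]):
            flagged["off_hours_access"].add(ev["user"])
    for user, hosts in internal_targets.items():
        if len(hosts) >= lateral_threshold:          # one account touching many internal hosts
            flagged["lateral_movement"].add(user)
    return {k: sorted(v) for k, v in flagged.items()}

def correlated(findings, minimum=2):
    """Users appearing under at least `minimum` indicators: the combination is the signal."""
    counts = defaultdict(int)
    for users in findings.values():
        for u in users:
            counts[u] += 1
    return sorted(u for u, n in counts.items() if n >= minimum)
```

Run against the sample, only `dave` is flagged, and on all three indicators; none of this is visible in backup job logs, which is the section's point.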

None of this requires enterprise-scale resources. Managed services exist specifically to fill these gaps for organisations that don't have the internal team to do it.


IronFell's managed backup service provides UK SMBs with immutable, tested, offsite backup as a fully managed service. If you supply to the public sector and aren't certain your current posture is adequate, the time to find out is before an attack — not during one.

Talk to IronFell about your backup and resilience position — no jargon, no hard sell.
