Why Resilience Must Replace Ransom

The UK government’s proposal to ban ransom payments by public sector bodies marks a new era in how organisations are expected to confront ransomware. While the ban currently applies to the NHS, councils and critical infrastructure, the direction of travel is unmistakable.

Regulation is tightening, enforcement is rising and the space for quietly settling an incident behind closed doors is disappearing.

This is happening against a backdrop of escalating attacks by groups like Scattered Spider, a cybercriminal collective whose recent campaigns have shown just how vulnerable even sophisticated organisations can be. Over the past three months, Scattered Spider has successfully breached UK retailers, insurers and global airlines, relying not on exotic malware, but on social engineering and speed. They impersonate employees, bypass MFA with clever phishing, and once inside, move quickly to exfiltrate data or trigger extortion.

Social Engineering Is Outsmarting Traditional Defenses

In many of these cases, the point of failure wasn’t a firewall or a zero-day exploit; it was a person. The criminals don’t even need to deploy ransomware to be effective. The threat of leaking sensitive data is pressure enough.

That’s why the UK’s proposed ban is so significant: it removes the ransom payment option from the table, forcing organisations to rethink how they plan for, respond to and recover from cyber incidents. Even for commercial entities that are not (yet) covered by the ban, the bar is still rising.

Any intent to pay a ransom must now be reported to the government in a similar way to how certain cyber attacks and data breaches must be reported to the Information Commissioner's Office (ICO). Businesses may be told outright that paying could breach sanctions depending on the attacker’s origin.

The Identity Layer Is Now The Attack Surface

Identity has quietly become the most exploited layer in the security stack, with attackers increasingly targeting the people behind the systems to bypass external security controls and move across the network undetected. As organisations move more services to the cloud and expand their user base to include contractors, suppliers and third parties, the number of identities to protect has drastically expanded and attackers are using that sprawl to their advantage.

Understanding who is doing what on the network is critical to combat this risk. When security teams can’t trace activity back to a user, legitimate or malicious, it becomes nearly impossible to respond effectively. This is especially true once attackers are inside the perimeter, where they often blend in using real credentials and legitimate tools.

Visibility Is No Longer Optional

Resilience is existential. Organisations must be prepared to continue operations even if systems are offline. They need the ability to detect and respond before attackers escalate. Most crucially, they must be able to demonstrate exactly what happened, not just to regulators, but to customers, partners and insurers.

This is where visibility into networks and identities shows value. Modern attackers, especially groups like Scattered Spider, move laterally with incredible speed once inside a network. Traditional endpoint controls are often bypassed or disabled early in the attack chain.

But deep, real-time visibility across the network can reveal the subtle cues attackers depend on such as the misuse of credentials, unusual access to sensitive areas or the stealthy shifting of data from one system to another.

More than just enabling detection and response, strong visibility supports accurate, timely reporting, which is becoming a legal necessity. With new rules expanding disclosure requirements and enforcement powers, being able to show what happened, when, and how is now seen as essential by regulators and insurers. It's a key part of proving accountability and can mean the difference between regulatory cooperation and punitive action.
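As an added example (not code from the article or from ExtraHop), the cues named above, valid credentials spreading across hosts at speed and an outsized data transfer traced back to the account last seen on the source host, expressed as detection logic over constructed logon and flow records, with each finding naming an account so the record answers "who did what, when"; the record layout, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not from the article): logons as (timestamp, account,
# host) and outbound flows as (timestamp, source host, destination, bytes).
AUTH_EVENTS = [
    ("2024-06-01T09:05:00", "j.smith", "FS-01"),
    ("2024-06-01T09:06:00", "j.smith", "FS-02"),
    ("2024-06-01T09:07:30", "j.smith", "SQL-01"),
    ("2024-06-01T09:08:00", "j.smith", "ADMIN-JUMP"),
    ("2024-06-01T10:00:00", "a.patel", "WS-220"),
]
FLOW_EVENTS = [
    ("2024-06-01T09:10:00", "FS-01", "203.0.113.77", 8_500_000_000),
    ("2024-06-01T10:15:00", "WS-220", "198.51.100.9", 40_000),
]

def credential_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Accounts reaching >= min_hosts distinct hosts inside `window`; each logon
    uses valid credentials, so the speed of the spread is the cue, not the logon."""
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def egress_outliers(flows, baseline_bytes=50_000_000, factor=10):
    """Outbound transfers far above an assumed per-host baseline (50 MB x 10)."""
    return [f for f in flows if f[3] > baseline_bytes * factor]

def attribute_to_user(host, ts, events):
    """Tie a flow to the account most recently logged on to its source host.
    ISO-8601 timestamps of equal length compare correctly as strings."""
    seen = [(t, u) for t, u, h in events if h == host and t <= ts]
    return max(seen)[1] if seen else None

def report(events=AUTH_EVENTS, flows=FLOW_EVENTS):
    """One finding per line, each naming an account: 'who did what, when'."""
    findings = [f"{u} logged on to {len(h)} hosts within 10 min: {', '.join(h)}"
                for u, h in credential_fanout(events).items()]
    for ts, host, dst, nbytes in egress_outliers(flows):
        who = attribute_to_user(host, ts, events) or "unattributed"
        findings.append(f"{ts} {host} sent {nbytes / 1e9:.1f} GB to {dst} (last logon: {who})")
    return findings
```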

From Passive Defense To Active Resilience

Resilience in this case means having eyes on everything - especially the activity attackers don’t want you to see. It’s about knowing not just where your defenses are, but what’s happening behind them. Organisations need to be able to act before damage spreads, before trust is broken and before a ransom is even demanded.

What the government is mandating for public services now will almost certainly influence private-sector expectations tomorrow. Legislation may compel some sectors to act, but the rationale is clear regardless. When paying a ransom is off the table, the only viable path forward demands readiness, transparency, and operational strength.

Jamie Moles is Senior Technical Manager at ExtraHop

Image: Joshua Koblin
