Juliette Hudson, CTO of CybaVerse, looks at the impact of the UK’s ransomware payment ban on manufacturers.
In July 2025, the UK government concluded its consultation on a ransomware payment ban, announcing it would move forward with the legislation. In a statement from the government, it was revealed that operators of Critical National Infrastructure, government bodies and public authorities, would be banned from making payments to ransomware actors, while a mandatory reporting scheme would be introduced for organisations, requiring them to disclose ransomware payments to government.
Some critical manufacturers are likely to be banned from making payments to threat actors entirely, while others will be covered by the mandatory reporting scheme. Given that manufacturing is one of the hardest hit industries with ransomware, the new policy will have a substantial impact on the sector. So how can the industry prepare?
Impact of ransomware on manufacturers
Over the last few years, manufacturing organisations have suffered from massive ransomware attacks that have disrupted their operations and caused significant financial losses. According to data from Comparitech, ransomware attacks on manufacturers have caused an estimated $17bn in downtime since 2018. These incidents have disrupted operations at 858 manufacturers worldwide, with each day of downtime costing an average of $1.9m. When it comes to attacks on manufacturers, it’s not just data loss that causes the greatest damage. In many cases, operations are thrust to a standstill because Operational Technology (OT) is connected to the IT environment. To limit damages, many manufacturers shut down physical operations to stop the spread of infection, however, every day systems are down, money is lost.
This also often results in manufacturing organisations opting to pay demands in a bid to get systems back online quickly. However, with some manufacturers soon being prohibited from paying threat actors, or others being forced to disclose payments to the government, this fallback option may soon be removed.
In Comparitech’s report it was also highlighted that despite the high volume of attacks, ransom payment disclosures are rare. Among 858 cases, only eight companies confirmed payments. This ultimately means that many demands are being paid under the radar, out of fear of negative publicity.
We don’t know how many of these payments reinstated access for organisations, or how many actually got their data back, but we do know paying threat actors is never a wise move. Trusting threat actors will restore access and return all data back in its original form, without leaking it at a later date, is never guaranteed. However, with the new mandatory reporting requirement, this could put manufacturers off paying demands out of fear of negative backlash.
Organisations rarely want to admit to paying demands as it is seen to fund criminal activity, so with the mandatory reporting requirement, this will likely put manufacturers off paying out of fear of the negative backlash they could receive from customers and stakeholders. Therefore, with payments either banned outright, or being subject to disclosure, this could mean manufacturers can no longer rely on this fallback option, meaning strong defences are more critical than ever.
When it comes to protecting manufacturers against ransomware, these organisations must first get an understanding of their network, ensuring all assets are inventoried, whether IT or OT. This inventory will provide a holistic overview of the entire environment so organisations can understand what is running on their networks and, most importantly, what needs to be secured. Once organisations have carried out an asset inventory, they should work on network segmentation and segregation.
Limiting crossovers between IT and OT is essential. Ransomware attacks are generally executed via the IT estate, but attackers can then pivot to OT. Organisations want to limit these instances, because attacks on OT are far more costly and disruptive. In the most secure environments, OT and IT networks are completely segregated to limit the risks of widespread infection.
In addition to these best practices, manufacturers should also adopt multi-factor authentication for all employees to limit credential-based ransomware attacks, and they should adopt 24/7 managed detection and response to ensure malicious activity is continually monitored for, and any potential threats can be identified and remediated quickly. Incident response is another best practice, as this allows organisations to rehearse their response to attacks, identifying gaps in a safe environment, while allowing employees and stakeholders to practise their roles.
However, given that security is a livelihood issue, and no longer just confined to IT assets, some manufacturers will feel safer in the hands of expert security partners. These partners have in-depth knowledge of attack activity, plus they also possess platforms which enable them to manage security more efficiently. The UK’s decision to ban ransomware payments and enforce mandatory reporting will reshape how manufacturers respond to cyberattacks, stripping away a controversial fallback option, while placing unprecedented pressure on defences.
Preparation is essential, because once the legislation takes effect, resilience will be the only path forward.
