The Scourge Of Ransomware
Victim Insights on Harms to Individuals, Organisations and Society
Jamie MacColl, et al. | 2024.01.16
Ransomware incidents remain a scourge on UK society. Based on interviews with ransomware victims and incident responders, this paper outlines the harms to organisations, individuals, the UK economy, national security and wider society.
The research reveals a wide range of harms caused by ransomware, including physical, financial, reputational, psychological and social harms.
We set out a framework of:
- First-order harms: Harms to any organisation and their staff directly targeted by a ransomware operation.
- Second-order harms: Harms to any organisation or individuals that are indirectly affected by a ransomware incident.
- Third-order harms: The cumulative effect of ransomware incidents on wider society, the economy and national security.
Building on an existing taxonomy of cyber harms, this framework will enable policymakers, practitioners and researchers to categorise more case studies on ransomware incidents and to better explain new and existing types of harm to the UK and other countries.
Ransomware is a risk for organisations of all sizes. The findings from this paper highlight that ransomware can create significant financial costs and losses for organisations, which in some cases can threaten their very existence. Ransomware can also create reputational harm for businesses that rely on continuous operations or hold very sensitive data – although customers and the general public can be more forgiving than some victims believe.
The harms from ransomware go beyond financial and reputational costs for organisations. Interviews with victims and incident responders revealed that ransomware creates physical and psychological harms for individuals and groups, including members of staff, healthcare patients and schoolchildren.
Ransomware can ruin lives. Incidents highlighted in this paper have caused individuals to lose their jobs, evoked feelings of shame and self-blame, extended to private and family life, and contributed to serious health issues.
The harm and cumulative effects caused by ransomware attacks have implications for wider society and national security, including supply chain disruption, a loss of trust in law enforcement, reduced faith in public services, and the normalisation of cybercrime. Ransomware also creates a strategic advantage for the hostile states harbouring the cyber-criminals who conduct such operations.
Downstream harm to individuals from ransomware is more severe when attacks encrypt IT infrastructure, rather than steal and leak data. There is no evidence from this research that the ransomware ecosystem is exploiting stolen or leaked personal data in a systemic way for fraud or other financially motivated cybercrimes. At present, exploiting stolen data for other activities is less profitable than extortion-based crime that takes away victims’ access to their systems and data. This finding may inform victim decision-making on when they should and should not consider paying a ransom demand.
Introduction
The UK’s National Cyber Security Centre (NCSC) recently assessed that ransomware remains one of the most acute cyber threats facing the UK. In 2023 alone, companies and public bodies affected by ransomware incidents in the UK included the Royal Mail, outsourcing firm Capita and an NHS trust. In late May 2023, one cybercrime group exploited a critical software flaw within a file transfer platform (MOVEit), reportedly impacting over 60 million individuals and more than 2,600 organisations worldwide. In the UK context, this incident enabled attackers to compromise a third-party HR company, likely exposing employees’ personal data – including company IDs and national insurance numbers from organisations such as British Airways, Boots and the BBC – to organised cyber-criminals. This may have been the largest ransomware incident of 2023, with a Russian-based threat actor linked to the CL0P ransomware operation claiming responsibility and demanding ransom payments in exchange for deleting the data. It demonstrated ransomware threat actors’ ability to continue to evolve their tactics and scale their operations to affect multiple victims in one operation.
The threat from ransomware shows no signs of abating, thanks to its profitable and innovative business model, poor cyber security practices in many organisations, and a permissive law enforcement environment in Russia. No sector is off limits as threat actors continue to target public and private sector organisations, schools, hospitals and local government.
However, the victims of these attacks rarely share their experiences. There are many reasons for this reticence, including legal reasons, reputational concerns, or even plain fear – ransomware groups use aggressive language and methods to increase the victims’ propensity to pay a ransom. Consequently, the lack of reporting to law enforcement and cyber security agencies, and limited transparency on the part of victims (including in terms of communicating with the media) means that there is scant understanding of the range of harms experienced by victims during and after such incidents. This research paper addresses that gap, by speaking to victims or others associated with an incident.
By shining a light on the harms experienced by victims, this research provides a clearer picture of the harm caused by ransomware and therefore also the economic, societal and national security risks posed by ransomware groups to the UK and beyond. This is important for policymakers and industry, as a more holistic understanding of the harms stemming from ransomware will allow government to make more informed policy prioritisation choices so as to reduce the threat and help law enforcement, incident responders and organisations to better support victims.
At present, much of the coverage of ransomware focuses on the financial harm inflicted by ransomware incidents. This is understandable, as financial harm is a highly relevant impact that is both tangible and, at times, measurable. For example, media coverage often addresses the immediate financial impact of ransomware in the form of ransom payments and business continuity costs. Similarly, several studies focus on the cost of data breaches or other cyber incidents, including ransomware attacks. This paper does not seek to play down financial harm – indeed, ransomware causes wider financial harm than is usually recognised, but there are few studies that attempt to make a macroeconomic impact assessment of the harm from ransomware beyond the cost to a particular organisation.
However, there are a range of other harms from ransomware too, beyond the obvious financial impacts. These harms go beyond just affecting the direct victim of an incident – indirect victims can include other organisations, communities and individuals – and can be physical and psychological in nature. There is a real human impact to ransomware attacks that is yet to be fully grasped and measured. Although some reporting has tried to focus on this aspect by exploring the impact of incidents on students and council tenants, or by exploring the psychological and long-term harms caused by ransomware, such reports remain few and far between.
Ransomware can ruin lives. This paper addresses the broader harms caused by ransomware, ranging from individual victims through to UK national security and prosperity. By engaging with victims and those associated with an incident, such as incident responders, insurers, lawyers, law enforcement officers and government officials, this research uncovers unique insights into a range of harms from ransomware. The findings should not only alert more policymakers to the scourge of ransomware, but also lead to a serious rethink about the resources required to combat ransomware in a meaningful way, both in the UK context and more widely.
Structure
This paper comprises three chapters. Chapter I sets out the tactics and techniques used by ransomware threat actors to cause harm. Chapter II details the harms that result from ransomware attacks, in an analysis based on interview data, workshops and public reporting; impacts from ransomware incidents are listed as first-, second- and/or third-order harms respectively. Chapter III sets out important implications for policymakers and practitioners to consider.
Methodology
This paper is part of a 12-month research project on “Ransomware Harms and the Victim Experience”. The project is funded by the UK’s NCSC and the Research Institute in Sociotechnical Cyber Security, and conducted by RUSI and the University of Kent. The paper’s aim is to understand the wide range of harms caused by ransomware attacks to individuals, organisations and society at large.
The paper focuses on the question of what harms (for example, physical, economic, societal, psychological) ransomware incidents cause to organisations and individuals in the UK, and to the UK more broadly.
The data collection and analysis for this paper entailed a literature review, semi-structured interviews and workshops. One strength of the research approach is that participants were encouraged to speak freely about their own experience of ransomware attacks.
- Literature review: This consisted of a literature review of publicly available sources on ransomware harm and ransomware victims. It included a non-systematic review of publicly available academic and grey literature, including surveys and reports conducted by stakeholders in the ransomware ecosystem. The initial literature review was conducted in August and September 2022.
- Semi-structured interviews: The primary dataset for the paper is based on 42 semi-structured interviews with victims of ransomware attacks and with subject matter experts from across the ransomware ecosystem, including individuals from the insurance industry, government and law enforcement, as well as incident responders. Interviews were conducted between November 2022 and March 2023, and were anonymised to allow individuals to speak openly about potentially sensitive issues. The research team then analysed the interview transcripts using NVivo data analysis software. Throughout this paper, an anonymised coding system, based on Table 1, is used to refer to interview data in the footnotes.
- Workshops: In November 2022 and February 2023, the research team conducted two online workshops with key stakeholders from UK government, the insurance and cyber security industries, lawyers and law enforcement. Attendees included a mix of interviewees and new participants, using contacts established during the interview phase. The first workshop was used for data gathering and had 26 participants; the second was used to validate and reassess themes identified in the first workshop, the literature review and in interviews, and had 21 participants.
The paper focuses primarily on the harm caused in a UK context, but it also draws on experiences from other countries, such as the US. A small number of international participants were included in this research project.
Table 1: Interview Participants (Non-Victims/Victims).
Definitions
For the purpose of this paper, a “victim” is any person or organisation that experiences harm as a result of a ransomware attack. This term can apply to individuals and organisations that are directly impacted, and to those that are indirectly affected and experience harm as a result. The term “harm” refers to any negative impact the victim may experience, which could be of a financial, physical, psychological, reputational or other nature. These underlying definitions are intentionally broad, allowing this paper to examine the full range of harms and victims that are impacted by ransomware attacks.
Limitations
A number of factors limit the generalisability of the research’s findings. First, the victim interviews should not be considered representative of a “universal” victim experience. As identified in the research, there is variation in the harms experienced by different victims. Additionally, the interviews included more public sector than private sector victims, with a very limited number of small and medium-sized enterprises (SMEs) represented. Moreover, there may also be a self-reporting bias, given that the interview data is based on organisations that were happy to speak about the harm they experienced.
Second, the observations made in this paper are primarily about the UK. While many businesses – victims and those that are part of the cyber security ecosystem alike – provide services globally, the focus of this research rested on incidents and victims in the UK and their interactions with the UK cyber security ecosystem, including UK law enforcement and government.
I. Ransomware: Tactics and Targeting
Ransomware has historically been defined as a form of malware that disrupts a user’s access to their computer system through encryption or locking. However, in recent years “ransomware” has become a catch-all term for different types of cyber extortion – including data theft. As such, this paper follows the Ransomware Task Force’s broader definition of ransomware as activity where threat actors compromise computer systems and demand a ransom for the restoration or non-exposure of encrypted and/or stolen data and systems.
Creators of Harm: The Ransomware Ecosystem
Ransomware, after nearly a decade of growth and innovation, is a highly profitable criminal enterprise supported by a diverse and professionalised ecosystem.
Although there is no fixed business model for ransomware threat actors, a recent joint report by the UK’s NCSC and the National Crime Agency (NCA) outlined three broad business models that all cause harm to UK victims:
- The “buy-a-build” model, which usually involves smaller groups of less experienced cyber-criminals obtaining existing ransomware code to develop.
- The “in-house” model, where the same organisation responsible for developing the ransomware also conducts the operations (although it may still rely on other parts of the cyber-criminal ecosystem for other services necessary to monetise ransomware).
- The “ransomware-as-a-service” (RaaS) model, which involves collaboration between groups/individuals who develop and maintain the infrastructure and tools behind ransomware operations, and “affiliates” who conduct operations for a percentage of profits. This model has become dominant in the ransomware ecosystem and has enabled operators to scale and increase the volume of attacks, thereby increasing the amount of harm ransomware causes.
Ransomware operations are also supported by specialists in the criminal ecosystem, such as botnet operators, initial access brokers (who specialise in gaining access to victims’ networks), negotiators and money launderers.
Methods of Harm: Extortion Tactics and Techniques
Ransomware criminals are profit-driven and have developed a range of tactics and techniques to extort payments from victims. These methods rest on causing harm (or the fear of potential harm) to victims to pressure them into acceding to threat actors’ demands. Cyber-criminals use two primary extortion methods, although these are supported by a range of additional extortion tactics and techniques to increase their leverage.
Primary Extortion Methods
- Encryption: Encrypting data is the most common tactic used by ransomware threat actors. This approach involves gaining access to a victim’s network, escalating privileges and accessing as many systems as possible before deploying malware that encrypts files and delivers the ransom note. Although early “spray-and-pray” ransomware campaigns only targeted individual endpoints, ransomware affiliates now aim to compromise domain administrator accounts so as to encrypt thousands of computers within a single organisation in one go. To maximise disruption and harm, threat actors will often spend time seeking out the critical systems and backups before encrypting them. These attacks can be particularly harmful to organisations that rely on maintaining continuous operations.
- Data theft: Since late 2019, cyber-criminals have also adopted so-called “double extortion” tactics, stealing victims’ data as well as encrypting it, then threatening to leak it unless the ransom is paid. Data theft can be a particularly useful tactic for targeting organisations with sensitive intellectual property, safeguarding data (such as schools) or medical data. Stolen financial information, including accounting and insurance policies, can be used to help threat actors design negotiation strategies and set ransom demands. Recently, some ransomware operations have foregone encrypting victims’ data altogether, and just stolen it. This trend is in part driven by larger organisations’ efforts to improve their resilience against ransomware by introducing offline backups and other measures, but also by the emergence in 2022 and 2023 of ransomware operations that exploit vulnerabilities in file transfer services, enabling criminals to steal data from dozens or even hundreds of victims at a time.
Secondary Extortion Methods
After encrypting systems and/or stealing data, ransomware threat actors often use additional methods to raise the stakes for victims and disrupt their response and recovery.
- Data leak sites: Since adopting data theft tactics, ransomware operators have also launched “name-and-shame” leak sites, on both the dark and clear webs, where they can name victims and leak data. This shames victims, but also serves as a warning to future victims who might consider refusing to pay. Threat actors can also draw additional attention to data leaks through social media or by contacting journalists.
- Harassment of employees and customers: More aggressive ransomware threat actors will also directly contact an affected organisation’s employees or customers. This method can be untargeted – for instance, cold calling a company’s phone lines in the hope that an employee will pick up – or more targeted, such as directly contacting executives or sending stolen personal data to relevant employees. This can be particularly embarrassing – and involve reputational risk and commercial consequences – if cyber-criminals send stolen data to a victim’s customers or users. Some reporting suggests that ransomware threat actors are adopting more extreme forms of harassment as victims’ willingness to pay ransoms decreases.
- DDoS attacks: Ransomware threat actors have also been known to use distributed denial-of-service (DDoS) attacks to increase disruption to victims’ digital infrastructure. However, industry reporting indicates that this is not a widely used tactic: for instance, a report by the cyber security vendor Unit 42 (part of Palo Alto Networks) suggested that only 2% of the ransomware incidents they responded to in 2022 involved a DDoS attack as part of the extortion attempt.
Figure 1: The CL0P Data Leak Site Lists New Victims. Source: Cyberint, “CL0P Ransomware: The Latest Updates”, 23 October 2023.
Who Experiences Harm: Ransomware Targeting and Victimisation
Ransomware threat actors are largely agnostic about who they choose to target, which means that almost any organisation is a potential ransomware victim. However, there are several considerations that, to varying degrees, appear to influence ransomware targeting and victimisation.
- Opportunism: Ransomware affiliates either gain access to organisations themselves or use specialist access brokers. In either case, organisations are typically compromised through opportunistic tactics and techniques that are designed to gain access to a wide range of victims through scanning for internet-facing vulnerabilities or poorly secured remote desktop protocols, or via phishing campaigns. This makes organisations and sectors that underinvest in or mismanage IT infrastructure and cyber security particularly vulnerable to ransomware.
- Nature of business/organisation: Some ransomware threat actors appear to prioritise organisations that are incentivised to quickly resolve incidents. Criminals often seek targets for whom it is critical that their operations provide certain products or services in a timely manner. Alternatively, being attuned to the potential regulatory and reputational risks that the exposure of customer or client data can entail, they might prioritise organisations that hold sensitive information. This means that victims may be targeted by virtue of the vulnerabilities linked to their industry sector. While some ransomware actors adopt a risk-averse avoidance of critical national infrastructure (CNI) sectors (although this is unlikely to be an absolute commitment to avoid disrupting such sectors), others prioritise their targeting based on the assumption of an increased likelihood of payment. Some ransomware groups were relentless in their targeting of healthcare organisations during the Covid-19 pandemic, while one more recent ransomware operation, Vice Society, has focused on targeting and stealing sensitive data from education providers in the US and the UK.
- Size of organisation: Some threat actors deliberately target larger organisations. So-called “big game hunting” ransomware operations aim to generate sizeable pay-outs from large corporations. However, size does not matter for most ransomware threat actors, and reporting from Coveware, a specialist ransomware response firm, consistently highlights that the median ransomware victim is a medium-sized organisation.
Taken together, these factors emphasise that a wide range of organisations (and by extension, their employees and customers, or users of their products and services) can be harmed by ransomware. The rest of this paper examines the impact of ransomware on organisations, individuals and society.
II. Ransomware Harms
This chapter identifies the range of harms that organisations, individuals and countries such as the UK experience as a result of a ransomware incident. The findings build on existing research that analyses or categorises ransomware or cyber breach harms. Existing research has, for instance: drawn a distinction between “direct” and “indirect” harms to a victim (particularly financial); explored cumulative impacts, such as reduced employee productivity; emphasised the potential societal impacts arising from protracted CNI downtime; articulated the risk of tangible loss of reputation; considered psychological harms experienced by impacted individuals; and reflected on the broader range of impacts that may be experienced by clients, including hospital patients and school students.
To improve understanding of the different types of harm caused by ransomware across society and to help understand the scale of the policy challenge, this paper uses a framework with three categories:
- First-order harms: Harms to any organisation (and its staff) directly targeted by a ransomware operation.
- Second-order harms: Harms to any organisation or individuals that are indirectly affected by a ransomware incident (e.g. organisations that are customers or clients of a victim, or individuals that are customers of a victim or use a service that is disrupted).
- Third-order harms: The cumulative effect of incidents on wider society, the economy and national security.
Figure 2: The Three Different Categories of Ransomware Harms, and Who/What They Affect.
Figure 2 illustrates how ransomware attacks can cascade through the supply chain, economy and society, distinguishing between harms that are experienced by organisations, individuals and countries. Some harms impact the organisations directly targeted by ransomware, while others impact organisations and individuals indirectly affected by ransomware.
This analysis draws on a 2018 taxonomy of cyber harms, which identifies five broad types of harm: physical or digital; financial or economic; reputational; psychological; and social or societal. These five themes are applied to the three categories in the framework to illustrate the range of harms that organisations, individuals and countries can suffer. Each order of harm is contextualised using an author-generated figure, the content of which was derived from interviews and workshop data.
Crucially, this framework is not intended to be definitive. It builds on previous research and should be added to in the future. We urge policymakers, researchers and practitioners to continue to identify new types of harms based on further case studies and personal experiences, particularly with regard to sectors not represented in our evidence base. New types of harm will no doubt emerge as ransomware operators find new ways to harm and extort their victims.
First-Order Harms
The first category involves harms to the organisations and staff directly targeted by ransomware. Interview and workshop data highlighted areas of convergence and divergence between “organisation” and “staff” harm, to the extent that it is necessary to distinguish overtly between the two. The distinction between an organisation and individuals (and the harm they experience) is less apparent for small business owners or sole traders. They typically do not distinguish between the organisation and themselves, and might not have any other employees.
Figure 3: Categorisation of First-Order Harms to Organisations and Their Staff.
First-Order Harms to Organisations
At the organisational level, this research has identified three main types of harm caused by ransomware: physical/digital harm to systems and data; financial harm; and reputational harm. While general reporting on ransomware harms often focuses on the immediate financial harm, for example, when media reporting stresses the size of a ransomware payment, the research data indicates that the range of harm experienced by the victim organisation is much broader. The following section identifies themes that emerged from the research data.
- Digital and Physical Harm
This category of harm describes negative impacts on an organisation’s digital and physical systems, and on its data. Broadly, such harm results from the effects of ransomware threat actors’ efforts to encrypt systems or steal data, and sometimes, in turn, from defenders’ efforts to contain an incident.
Ransomware attacks involving encryption can have a profound negative impact on an organisation’s IT infrastructure. Several of the victims interviewed revealed that their servers had been encrypted by the ransomware in their entirety, with one victim in the education sector losing access to more than 10,000 computers as a result. The impact becomes even more significant if ransomware operators are also able to encrypt or delete any backups. Interviewees also highlighted how common it is for cyber-criminals to deploy ransomware at the end of the week or during public holidays, when organisations are slower to react and defend themselves.
The extent of disruption to IT infrastructure from ransomware varies from incident to incident. One government agency described how, in the aftermath of the ransomware deployment, “we had lost access to all of our systems and … all of our data. We were right back to being a non-digital non-IT organisation”. Indeed, a number of interviewees highlighted how, in the absence of key digital services, ransomware often forces organisations to return to operating by “pen and paper”.
In other cases, ransomware can be isolated to a single server or IT function, either because it fails to deploy as planned or because security controls or resilience measures are (at least partially) effective. However, even in these cases, the effort to contain ransomware can still have significant impacts on the delivery of business operations. Several interviewees highlighted how they had to disconnect or isolate their IT infrastructure from the internet for several days – or even weeks – while they assessed the extent of the attack and removed the threat actor’s access to their networks. The impact from drastic incident response measures can be as harmful to operations as the initial infection.
A ransomware attack and the subsequent recovery efforts can also result in prolonged reduced performance of IT infrastructure. Although some victims are able to recover within weeks or months, interviewees reported that recovery efforts can sometimes stretch into years. One interviewee from the professional services sector emphasised that their company still had trouble with impacted financial systems several years after the incident. Hackney Council, which was targeted by cyber-criminals using Pysa ransomware in October 2022, took more than two years to recover fully from the incident. And if backups are encrypted or destroyed, organisations may lose access to data permanently. One interviewee from the education sector, for instance, highlighted how teachers permanently lost teaching material following an attack against their academy trust, with some losing 20 years’ worth of resources.
Ransomware can also harm physical systems and processes. Although most ransomware operations lack the capability to directly compromise industrial control systems (ICS) and operational technology (OT), the disruption of IT infrastructure can cause cascading operational impacts. Indeed, the increasing convergence of IT and OT leaves physical infrastructure more vulnerable to ransomware. One notable example is the 2019 ransomware attack on Norsk Hydro, a Norwegian aluminium and hydroelectric producer, which caused several plants to shut down at great cost. A small number of the victims interviewed for this research paper used ICS as a core part of their business or operations, but most did not. Nonetheless, several interviewees highlighted examples where disruption to their IT infrastructure had knock-on effects on their operations. These included schools that lost access to CCTV, fire control systems, and doors and gates, and a victim in the education sector that lost control over fridges and freezers containing sensitive research.
- Financial Harm
Victims of ransomware attacks experience a wide range of financial harm. Some forms of financial harm – such as the cost of a ransom payment – can be measured relatively easily, with studies finding that both ransom demands and incident response costs are steadily increasing. Other aspects of financial harm are harder to quantify, such as the cost of missed opportunities and reduced productivity. This means that there is limited understanding of the long-term financial harm caused by ransomware attacks.
Overall, interview data confirmed that, in line with wider public reporting, primary attention rests on immediate financial harm, for example in the form of the additional costs encountered from a ransom payment, or losses arising from business interruption. One notable finding is that interviewees from victim organisations frequently reported that senior leadership would make assessments of the cost of the given ransomware incident, although it was challenging to disaggregate the overall costs of the ransomware incident from other fiscal shocks that occurred in the same timeframe as the incident, such as the Covid-19 pandemic. These assessments would typically have a tightly restricted readership. The interviews also confirmed that many organisations generally have limited understanding of the overall financial impact a ransomware attack has on the organisation, particularly with respect to financial harm that is not covered by an insurance policy, or which plays out over the long term. Therefore, the data represented here is subject to the same limitations: assessments of financial impact are unlikely to be definitive, and there is a need for further research in this area. Given the scale and depth of ransomware as an impactful form of contemporary cybercrime affecting almost all organisational sectors, it is important to further collective understanding of the scale of this harm to individual organisations and the wider economy.
- Additional Costs
Immediate financial harm spans the cost of paying the ransom itself and hiring external parties to help with the response to the incident – for example, incident response teams and lawyers, but also PR professionals. Often, the costs of hiring such third parties far exceed the demand for the ransom payment. Some providers, such as lawyers, are costly, especially when incidents are complex. The high additional costs of hiring help from third parties are financially challenging where they are not covered by insurance, especially for small companies or for public service providers with limited financial reserves.
Additional costs may also be incurred from paying existing staff overtime, or from hiring new (or temporary) staff. A victim from the education sector, for example, paid employees extra during the initial response phase, but also hired a cryptocurrency broker to facilitate access to cryptocurrency.
But additional costs can also occur in less expected ways: one victim in the education sector was no longer able to charge students for school meals, and as a result had to cover the cost of food in the interim. Some companies also offered to pay for counselling services for their staff, but these costs are typically not covered by insurance. Some organisations also paid for credit monitoring for their employees.
Many victims also face additional costs due to increased insurance premiums. While interviewees were often able to renew their cyber insurance policy after a ransomware attack, they had to do so at a higher cost.
In the immediate reaction to a ransomware attack, additional costs may arise when replacing technology, as a ransomware attack often infiltrates many devices, or impairs communications for the victim. The victim may have to acquire additional devices, as was the case for one interviewee, who described how their company replaced all its employees’ phones after a ransomware attack. When phone systems in a local government entity failed due to a ransomware attack, extra telephones and mobile phones had to be acquired to enable staff to communicate with local citizens. Another victim purchased large numbers of Chromebook devices to access their Microsoft 365 environment so as to enable communication between employees and with clients.
Further significant, long-term costs are accrued when improving cyber security measures and updating IT networks. While these measures are not always strictly required in response to a ransomware attack, such incidents often create the impetus for increased cyber security measures and spending. The costly decision to “build back better” is often deemed necessary or even overdue, but not covered by insurance. As a victim in the education sector said, “It’s all a lot of money, but money we should have spent a year earlier”.
Other long-term costs stem from regulatory fines, although in the UK it is not clear how many fines have been issued to victims of ransomware by the Information Commissioner’s Office. Moreover, decisions on these fines are often only delivered months or even years after an attack, in the meantime weighing on a victim’s mental health and limiting their ability to move on after the incident. Similarly, litigation costs may also only arise months or years after the ransomware attack has occurred. Again, victims often require legal support during these processes, dragging out the additional costs incurred for hiring third parties such as data protection lawyers.
While some additional costs come in the form of clearly defined bills, others are harder to directly trace back to the ransomware attack. One example of this is the additional cost of employee turnover. While some individuals might lose (or leave) their jobs directly as a result of an attack and need to be replaced, employees’ decisions to leave often have more than one cause. A ransomware attack may be a contributing factor or the tipping point in a decision process, for example due to the stress or anxiety the attack evoked. Other influencing factors – such as the Covid-19 pandemic or an organisation’s existing internal dynamics – make it hard to isolate a ransomware attack as the sole factor causing employee turnover. Nevertheless, exit interviews in the education sector revealed that some teachers leaving the profession cited the ransomware attack as a tipping point, due to some of their data being lost to the attack – something they felt their employer should have protected them from. Another victim described how the ransomware attack led to lower morale among employees, which in turn had “a knock-on effect as people started to leave. It makes those people that are on the fence of … leaving make that decision”. Low morale and other such intangible influences take a long time to overcome, the interviewee noted.
For other interviewees, ransomware incidents were clearly the reason why people left their jobs, for example due to stress levels experienced during the ransomware response or because the person’s account had been used by the hacker (and, although this was not their fault, the repeated mentioning of their name throughout the response led to them leaving the organisation in question).
Higher costs due to employee turnover may also arise because experienced IT staff receive more attractive employment offers from elsewhere. An interviewee in the engineering sector explained that “trying to hold on to people who are battle-tested in that kind of space is extremely difficult because everybody wants them”.
In addition, higher costs may occur where staff need to be – temporarily – replaced due to burnout or other psychological harm. For example, one interviewee described how staff were unable to return to work for months after the ransomware response due to the high stress levels experienced.
Finally, victims often experience a more intangible type of cost: opportunity costs, wherein budgeting is disrupted by the need to redirect resources away from other objectives. A recent survey of 100 directors of UK firms impacted by ransomware identified that their organisations cut operating costs by an average of 17% following their ransomware incident.
The impact of opportunity costs is likely to affect all victims operating with constrained finances, but may be particularly noticeable for victims in the public sector, such as councils, schools or hospitals, which are already running on tight budgets and have little ability to build back reserves. One interviewee in the public sector described how further cuts in funding put them in a worse position now than they were when the attack occurred, and that, in order to build back reserves, the organisation had to be particularly frugal in its spending and to increase revenue sources. In other ways, opportunity costs stem from reductions in productivity or from diverting staff from other pressing priorities to work on recovering from an incident.
Ransomware victims thus encounter additional costs in many ways, some of which are better anticipated than others. These additional costs often exceed the ransom demand by a significant degree. Moreover, many additional costs only occur in the long term, such as litigation costs or the cost of building back IT networks. Long-term costs can also arise as a consequence of other harms, for example when new employees need to be hired after former employees leave their positions or need to be replaced due to burnout. Some of these costs are covered by insurance providers, but where this is not the case, ransomware victims often have limited insights into the long-term additional costs they face.
- Financial Losses
As well as the additional costs a victim organisation may face due to a ransomware attack, it may also experience a number of financial losses; indeed, small businesses may face the threat of going out of business. Even where the financial losses do not present an existential threat, they can nevertheless be significant. The following paragraphs provide some examples of the kind of financial losses that can occur.
Business interruption accounts for the majority of financial losses after a ransomware attack – for example, when a company is unable to produce products or provide services to customers. The high financial impact of business interruption was confirmed by a 2022 study of cyber insurance claims for ransomware that found that the average cost of business interruption amounted to $657,000. Similarly, the interview data confirmed the significant financial harm caused by business interruption. One incident responder recalled working with manufacturing firms that were “losing tens, if not hundreds, of millions of euros or pounds a day because … their manufacturing lines were flying [disrupted]”. Business interruption also affected a victim in the charity sector, where the memberships team was unable to collect money from renewed membership subscriptions. As the annual direct debit collection was no longer working, the renewal process (worth £3 million) had to be delayed by a month. Business interruption, including delayed payments, is thus not only a significant financial harm but can also lead to reputational harm if a victim is no longer able to provide their services. While there are generally few examples of organisations going out of business or facing insolvency solely due to a ransomware attack, financial losses due to business interruption can be a significant influence in causing a business to shut down.
This factor is closely linked to financial harm caused by loss of expected income, for example where a victim organisation had to cancel several reservations for a venue it offers as a conferencing space. Delay to another victim’s project meant that an education institution was unable to secure funding for further related research. Loss of expected income is of course closely related to the loss of clients. While often mentioned as a feared consequence, loss of clients is often difficult to directly attribute to the ransomware attack. An interviewee in the insurance business explained that although most insured parties do not lose a significant proportion of their customer base, this may happen in certain sectors (in the technology sector, for example, where customers display lower risk tolerance). For organisations that provide immediate services, losing clients may be a more tangible harm, for example in the construction industry, where the inability to provide a service would lead to the client immediately looking for a different supplier.
Beyond the financial loss caused by loss of clients or expected income, ransomware attacks also result in a loss of time: the time that is needed to respond and recover. Ransomware attacks are highly disruptive, requiring the attention not just of IT staff but of staff from all departments. Financial harm also arises from time being spent responding to the ransomware attack, rather than on the usual tasks. As a victim in the education sector said, “The time cost is immense … The time cost of not only recovering, but not doing the work that you could have been doing”.
Due to these financial losses and additional costs, interviewees widely regarded ransomware as a severe risk for organisations and potentially even as “business ending … if you haven’t got your data, you don’t have a business”. An executive of a micro-enterprise noted that they would have lost their house and their company would have gone bankrupt if they had not had the cushion of cyber insurance.
While public reporting has highlighted some cases of organisations permanently ceasing to trade after a ransomware incident, none of the victims interviewed reported that their organisation had ceased to be a going concern as the result of a ransomware attack. Interviewees from the ransomware recovery ecosystem (for example, incident responders and cyber insurers) were also hard-pressed to identify concrete cases where an organisation had ceased trading altogether. This may indicate a degree of selection bias: for example, organisations that were unable to afford incident response or did not have cyber insurance would not have been on these professionals’ radar. The limited cases of this kind that interviewees could recall tended to relate to the healthcare sector – such as a fertility clinic holding highly sensitive data – where it was the combination of business interruption and irrecoverable reputational harm that resulted in the business folding.
- Reputational Harm
Alongside any financial impact, harm to their external reputation is often a primary concern for victim organisations. Victims fear reputational harm arising either from media reporting or because customers and clients realise that the organisation is unable to provide a particular service. In some instances, victims have a contractual or regulatory – if not a moral – obligation to disclose that they have experienced a ransomware incident. Such incidents are, however, typically perceived as reflecting organisational weakness, and victims – who are also often subject to victim blaming – often fear that this will affect their reputation and professional credentials. A victim in the technology sector felt that “we were humiliated in front of the customer”, while another victim, in the education sector, confirmed that their “biggest bit of damage was probably reputational and confidence”.
The driver behind such fear is the assumption that reputational harm in turn also leads to financial harm, for example due to loss of expected income or loss of clients. One employee at a manufacturing company recollected that customers would repeatedly ask about the ransomware incident even months after the attack, and that rumours about customers’ leaked personal data added to the reputational harm done. As a result, the company was perceived as being less safe, and questions were raised about whether larger competitors were a safer choice for doing business with, indicating that this perception could have resulted in, or contributed to, a loss of orders. Furthermore, the employee also noticed an impact on customer relations, as open communication with customers was prohibited, resulting in a feeling of lost trust among customers, who thought the employee knew more than they were telling. This echoes a risk highlighted more widely in reporting on the subject: that, where there is an alternative supplier, the reputational fallout from a ransomware incident can include the loss of existing and future customers. In 2023, the hosting firms CloudNordic and AzeroCloud experienced ransomware attacks which irrevocably removed some hosted client data; the director of the companies said publicly that he did not expect many customers to remain with them.
Reputational harm is often especially impactful for smaller firms providing professional services, particularly where there is an “implied and contractual level of confidentiality” – for example, in legal or accountancy firms. Customers perceive that it is part of these organisations’ duty – but also their business model – to guard customers’ personal information, which is often of a sensitive nature. In these instances, the disappointment and loss of trust increases the risk of reputational harm. Victim blaming after an attack can further aggravate reputational harm, including via social media platforms. While less pertinent for some of the interviewees at organisations that are less exposed to direct financial implications as a result of reputational damage (for example, because they are public sector organisations with no real competitors), reputational harm can thus have a significant impact on organisations.
However, while the fear of reputational harm heavily influences victims’ decision-making, some interviewees, including crisis communications experts and lawyers, indicated that reputational harm may not be as severe as has been assumed in the literature. One interviewee did not think that there is “stigma attached to being the victim of a cyber attack in the same way that there was in the past”. Some victims said they had supportive clients or, in the case of schools and universities, students. A victim in the professional services sector found that the attack “did not do damage to our reputation as much as one might think, clients were quite sympathetic”.
Nonetheless, the extent of reputational harm caused by a ransomware attack appears to be highly contingent and based on a range of factors. Some interviewees, for instance, highlighted that sympathy is likely to be dependent on the context of the incident and the nature of the business. One interviewee noted that their inability to speak openly about the incident led to increasingly strained interactions with clients.
Some interviewees also indicated that, if data exfiltration occurred, “the risk of reputational harm is much greater”. The same is true if customer services are interrupted. An interviewee at a professional services provider found that clients were “reasonably sympathetic” as long as the company was still able to provide the relevant services and secure their data. Other interviewees highlighted that the timing, cadence and tone of client communications was an important consideration for minimising harms to the organisation, its staff, clients and other third parties. While each ransomware case will be different, it was emphasised that there was a balance to be struck between transparency and opacity, particularly with a public audience. Such assessments are speculative, but again illustrate the prominence that the fear of reputational harm has for victims.
Another important finding from the interview data was that reputational damage can also occur within the impacted organisation itself. This is particularly likely where internal communication is poor, and especially among employees who are not directly involved in responding to the incident and who may, as a result, feel excluded. A victim in the professional services sector, who found that external reputational damage was not as significant as expected, said that the attack was indeed “more damaging to our internal reputation”, adding that the attack’s impact on morale made the organisation a bad place for people to work and that people were leaving as a result, with the organisation’s reputation as an employer also suffering.
Finally, victim organisations are often concerned about experiencing reputational harm as a result of media reporting. The interviewees for this project only mentioned a small number of examples of negative reporting in the media. Individual cases are not discussed here, given the risk of inadvertent attribution, but the interviews made clear that the fear of negative press often meant that victims – particularly those in the private sector – were less likely to be transparent about the attack. One victim spoke of negative publicity on social media.
First-Order Harms to Staff
In addition to the harm experienced by an organisation itself, the individuals who work for (or own) an organisation that has fallen victim to a ransomware attack are also directly impacted. As an interviewee in the charity sector put it, “everyone was affected in a way, but just to different degrees”. The degree to which staff members experience harm depends on a number of factors, including the extent to which they are involved in the immediate incident response and whether there are underlying issues, such as pre-existing health conditions. This section provides an overview of the different ways in which staff members may be negatively impacted by a ransomware attack, including psychological, physical, financial, reputational and social harm.
- Psychological Harm
In contrast to public reporting, which often focuses on the financial harm of ransomware attacks, our interviews stressed that the first-order harm employees experience is primarily of a psychological nature. Interviewees repeatedly emphasised that psychological impacts are often overlooked in the wider discourse on ransomware attacks.
Psychological impacts are naturally perceived at an individual level and are therefore highly subjective. The categories of psychological harm listed here are therefore not based on medical definitions but are guided by the interview data and by the words that individuals used to describe their feelings. Furthermore, psychological and physical harms are often closely interlinked, especially where psychological harm has physical consequences, such as mental burnout leading to tiredness or physical exhaustion. The distinction between the psychological and the physical is thus not always straightforward, but, to avoid duplication, not all harms are listed in both categories.
Primarily, experiencing and responding to a ransomware attack creates considerable stress for the individuals involved. For example, an interviewee from the engineering sector confirmed, “There’s a huge amount of pressure and stress that everybody was under”, to the extent that their company hired a post-traumatic stress disorder (PTSD) support team.
While stress was widely reported, the interview data shows that individuals experience different forms of stress, depending on their position and allotted tasks. An interviewee in the professional services sector explained how management- and board-level employees felt stress due to financial concerns, while people in the middle management tier were stressed by the extremely long workdays, including particularly stressful communications with the threat actor.
Stress is often particularly grave for individuals in involved IT teams. One external service provider went so far as to state that “the IT staff – they’re the main victims of crime here”. An interviewee from the education sector explained that the human toll on the IT service was especially severe due to their detailed understanding of the gravity of the situation, adding that the impact on the IT team was, however, often not talked about. As the technical details of attacks are often difficult to understand, the wider perception is that “magical IT will come and sort it all out”, obscuring how stressful this experience can be for the IT team. Stress is also particularly prominent for IT teams because they feel a direct responsibility for protecting an organisation’s systems.
Although stress is thus often acknowledged as a harm inflicted by ransomware attacks, the interview data implied that the more detailed impact of stress, particularly on IT teams, is often overlooked and insufficiently addressed. This is particularly regrettable, as in some instances stress on staff is so significant that it leads to other harms such as burnout or other sickness, leading personnel to leave their jobs or to be absent temporarily on sick leave.
Along with stress, victims also often described a feeling of confusion and loss of orientation in the initial phase of a ransomware attack, especially where victims were not familiar with technical details or did not yet have enough information to form a full picture of the situation. The loss of orientation may be rooted in there being insufficient preparation or procedures in place, while confusion can also stem from victims questioning why they have been attacked, or from uncertainty among staff about what is going on and how they should respond.
As is the case for other categories of harm, victims noted that emotional reactions to ransomware attacks also varied with time. For example, a victim in the education sector said that “those first few hours are quite horrific actually, until you get into a position where you start working out what the facts are”. Others described feelings of very low mood in the first week after the attack. One victim recalled a burdensome feeling that they “for the foreseeable future belonged to the criminal underworld”.
Some victims of ransomware attacks were also said to be angry: an insurance provider, for example, recalled client interactions with victims who were angry at the attackers and questioned why they had been targeted. Other interviewees said that former employees whose data was exfiltrated were also less sympathetic but “much more angry”.
Initial reactions of panic in the wake of a ransomware attack can also cause psychological harm. One interviewee said “there was a terror about what might happen next”. On a related note, worry was a typical harm experienced by victims, for example worry about reputational risk, but also, while responding to an attack, worry about whether they were taking the right actions. An external counsel noted that “it’s a harm in itself of distress and worry of making the wrong decision”. A victim in the education sector spoke of a fear of recovering the IT systems too quickly, in case criminals still had access to the networks. Fear of a repeated incident also affected other victims: when receiving suspicious emails or similar, even after the ransomware incident had been dealt with, victims experienced a sense of “PTSD” (in the non-technical sense used by lay people), for example saying that “there was a bit of a PTSD about every time I walked through the office door”. Others described a sense of fear over potential job losses as a result of the ransomware attack. These feelings underline how personally victims experience an attack, and how a ransomware incident casts a shadow over their personal and professional life.
The interviews revealed a number of further emotional harms that were experienced in response to ransomware attacks, stressing how wide-ranging the psychological impacts can be. The difficult decision about whether to pay the ransom demanded often weighs heavily on victims and is not a purely financial or risk management decision: it often raises feelings of guilt, an aspect often overlooked when considering the seemingly binary decision to pay or not to pay. A victim in the education sector described how challenging it was to make a decision in this context, given that they believed “it’s not ethical to pay the ransom”. This concern had, however, to be balanced against students’ potential delay to their studies. While the interviewee believed it was ultimately right to pay the ransom in this instance, they also stressed that “we’re not happy with the decision of paying”.
Related to the feeling of guilt are feelings of shame and self-blame. An interviewee from the charity sector said “we all blame ourselves” – a human reaction that was difficult to overcome. Some members of IT teams can feel particularly responsible, often because they feel that they knew about potential system problems and did not raise them sufficiently, subsequently blaming themselves and burning themselves out working on the ransomware response. Again, this underlines the overlooked – but heightened – impact that ransomware attacks have on the mental wellbeing of IT teams in particular.
Interviews also highlighted that ransomware attacks caused feelings of doubt and resignation among victims, again underlining how personal the attack is felt to be by its victims. One interviewee said the incident made them doubt everything they had done. Similarly, another interviewee said that the incident made them question whether they had run their business properly, because “at that time you second guess yourself, [and] that adds to the mental anxiety”. Another victim described a sense of doubt about whether they were doing enough, but also a feeling of resignation “to the fact that if someone wants to get in [and] if they have enough time and enough energy and enough effort – they’ll get in”.
Recent research shows that the range of psychological harm experienced, and its severity, can affect victims’ mental health. Indeed, interviewees overwhelmingly felt that this aspect was often overlooked in popular discourse. One victim concluded that “the overall piece is that we very rarely talk about the mental health impact of these events”.
Like other categories of harm, psychological harm continues far beyond the immediate timeframe of the incident, creating an additional mental health burden and making it challenging for victims to move on after the incident. Victims repeatedly mentioned concerns over the role of the Information Commissioner’s Office and the impact that the prospect of being fined had on their mental state. The challenge of moving on mentally after an incident was also reported by an interviewee in the education sector, who said that subsequent Ofsted surveys revealed that “some staff are still very raw about this. When you ask them about workload, they may well say the ransomware attack … made our lives hell”. Another victim felt “a real disappointment” given that their company was ultimately unable to find out how the attacker gained access to their systems. Indeed, one victim went as far as to say that the attack made them feel like they had “failed”. Another victim found the ransomware attack “actually really traumatic” (especially given their strong identification with success in business, and in their own business in particular), indicating that this had brought them close to suicide.
Interview data shows that not only is the psychological impact of ransomware incidents overlooked in the short term, but that the long-term psychological impact of attacks is even less likely to be noticed (or sufficiently addressed) than immediate harms such as stress.
While the psychological harm a ransomware attack causes is of course highly context specific and also depends on the individuals involved and their existing mental health conditions, the interviews stressed the significance, extent and multiplicity of ways in which victims experience psychological harm. Such psychological harm can reach far beyond the immediate response to a specific incident, affecting an individual’s wider professional life and impacting their personal life. Interviewees repeatedly noted that the psychological impact of ransomware attacks is insufficiently recognised, not only by the broader public, but also in academic and/or industry studies and within the organisations responding to such attacks.
The research data demonstrates how central the psychological impact is to victim experience and how varied the psychological harm is, especially for IT teams. In turn, such psychological impact on individuals also has financial impact for victim organisations, for example where it affects productivity, when staff suffer burnout and need replacing, or in terms of other forms of employee turnover.
- Physical Harm
Victims’ physical health also suffers in the wake of ransomware attacks. Physical harms reported by interviewees ranged from minor ailments (for instance, weight changes) to serious health issues (such as heart attack or stroke). While not a commonplace occurrence, one law enforcement interviewee noted that they knew of a member of IT staff at an organisation who took their own life following a ransomware incident. Far more commonly, interviewees reported sleep deprivation and follow-on impacts, with employees falling asleep at the office or reporting problems sleeping at home. One victim reported that “the fatigue on people was extreme”, referring to physical but also mental exhaustion, illustrating how closely linked the two harms are. This is also true for harms such as burnout, which can manifest in both mental and physical ways. Other reported physical impacts included weight loss and dehydration.
One interviewee even reported health issues within their team that resulted in hospitalisation, with employees not looking after themselves well in the immediate response to a ransomware attack, for example by drinking too much coffee and not enough water (which in this instance resulted in the need for hospital checks because of pre-existing heart complications). In a more grievous example, a victim experienced a heart attack and required surgery, citing the stress of managing the incident as a key factor. Physical harm is thus closely linked to the mental harm experienced, such as stress and anxiety; this can be especially grave where victims have underlying health conditions (albeit this is the exception rather than the rule).
- Financial Harm
While wider reporting of ransomware incidents often focuses on the financial impact for organisations or the economy more broadly, the interview data stresses that financial harm is also experienced by individual staff members. (The distinction is, of course, somewhat superfluous in the case of sole traders or freelancers, whose individual financial situation is hardly distinguishable from that of their business.)
Employees can also suffer direct financial harm, most obviously if they lose their job as a result of the attack – an outcome that is more likely for members of the IT team or an organisation’s board. An external counsel reported that, especially where a publicly listed company pays the ransom, board members are likely to be changed within six months to a year.
While many victims reported that their organisation was still able to meet payroll despite the ransomware attack, this was often because the incident happened just after staff had been paid, or was otherwise a close call during the response. Not being paid, or being underpaid (for example, because a recent pay rise was lost when personnel data was restored from a backup taken before the rise had been entered), is thus another way in which a ransomware attack can financially affect staff members. Another example of harm was described by one victim, who paid for their own therapy sessions (which were not covered by insurance) and had to cancel holiday plans in order to make time to respond to an attack.
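The lost pay rise above is one instance of a general failure mode: any change made between the last clean backup and the restore is silently undone, and nobody notices until a payslip, a bank transfer or a new starter’s record is wrong. The following Python check is an added illustration, not code from the paper or any of the organisations interviewed. It assumes that a journal of approved changes (a ticketing export, signed-off emails, anything that survives outside the restored system) is available, and compares it against the restored records to list every post-snapshot change the restore has reverted. Field names, record layout and the sample data are constructed for the example.

```python
"""Post-restore reconciliation: find approved changes that a backup restore undid.

Added example, not from the paper. Assumes a change journal that survived the
attack outside the restored system. Data layout and sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Change:
    staff_id: str
    field: str
    new_value: str
    effective: datetime  # when the change was approved and applied


@dataclass(frozen=True)
class Regression:
    staff_id: str
    field: str
    restored_value: object  # None when the record is absent from the backup
    expected_value: str
    effective: datetime


def find_regressions(restored, journal, snapshot_time):
    """Return journal entries dated after the backup snapshot that the restored data
    does not reflect, oldest first.

    restored: {staff_id: {field: value}} read back from the restored backup.
    journal:  iterable of Change; only the latest entry per (staff_id, field) counts.
    """
    latest = {}
    for ch in journal:
        if ch.effective <= snapshot_time:
            continue  # already inside the backup, nothing to reconcile
        key = (ch.staff_id, ch.field)
        if key not in latest or ch.effective > latest[key].effective:
            latest[key] = ch  # later approval supersedes an earlier one

    regressions = []
    for (staff_id, fld), ch in sorted(latest.items(), key=lambda kv: kv[1].effective):
        current = restored.get(staff_id, {}).get(fld)  # None if staff_id is missing
        if current != ch.new_value:
            regressions.append(Regression(staff_id, fld, current, ch.new_value, ch.effective))
    return regressions


def build_sample():
    """Constructed sample: a snapshot from 30 September and changes made afterwards."""
    utc = timezone.utc
    snapshot = datetime(2023, 9, 30, 23, 0, tzinfo=utc)
    restored = {  # what the restored HR/payroll system now contains
        "E101": {"salary": "41000", "iban": "GB11AAAA00000011111111"},
        "E102": {"salary": "32000", "iban": "GB22BBBB00000022222222"},
        "E103": {"salary": "28500", "iban": "GB33CCCC00000033333333"},
    }
    journal = [
        Change("E101", "salary", "41000", datetime(2023, 9, 15, tzinfo=utc)),   # pre-snapshot, already in backup
        Change("E102", "salary", "33500", datetime(2023, 10, 2, tzinfo=utc)),   # superseded by the 5 Oct entry
        Change("E102", "salary", "34000", datetime(2023, 10, 5, tzinfo=utc)),   # pay rise lost by the restore
        Change("E103", "iban", "GB44DDDD00000044444444", datetime(2023, 10, 10, tzinfo=utc)),  # bank detail change lost
        Change("E104", "salary", "30000", datetime(2023, 10, 12, tzinfo=utc)),  # new starter absent from backup
    ]
    return restored, journal, snapshot


if __name__ == "__main__":
    restored, journal, snapshot = build_sample()
    for r in find_regressions(restored, journal, snapshot):
        print(f"{r.staff_id} {r.field}: restored={r.restored_value!r} "
              f"expected={r.expected_value!r} (approved {r.effective:%Y-%m-%d})")
```

Run against the sample it reports three regressions (the lost pay rise, the lost bank-detail change and the missing new starter) and correctly ignores both the pre-snapshot change and the superseded earlier pay figure. In practice the journal would be exported from whichever system recorded the approvals, and the restored values read from the recovered database; the check is only as good as the completeness of that journal, which is itself an argument for keeping approval records somewhere the attacker cannot encrypt.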
- Reputational Harm
Like organisations, individual staff members may also be concerned about suffering reputational harm as the result of a ransomware attack. This is particularly true for IT staff, who often feel that they may not have done enough to prevent the incident from occurring. They might also be blamed by board members or other senior staff for not doing what might superficially be considered “doing their job”.
Reputational harm is also a problem for staff who might have clicked on a malicious link (giving the attackers their initial foothold in the organisation’s systems) or whose credentials were abused during the attack. Even where they were not responsible for the breach (credentials are routinely stolen or reused by attackers without any action by their owner), their reputation might suffer if they are erroneously assigned blame by superiors or colleagues. Blaming individuals and contributing to their reputational harm might also cause them further psychological harm.
- Social Harm
In addition to psychological, physical and financial harm, a ransomware attack can also affect employees’ professional lives, their relationships with colleagues and their relationships outside work.
For example, the psychological harm experienced by staff members can have wider impacts on social relations within an organisation or team, potentially leading to strained relationships with colleagues. One victim described employees as being “grumpier”, amid increased workloads and diminished pastoral care. Others noted the negative effect on morale and said that the repeated complaints of colleagues were “annoying”. Work relationships might also become strained if external help is hired. One victim described how the in-house IT team felt challenged when an external IT team was hired as additional help, with poor integration leading to duplication of efforts and resources.
The impact of ransomware attacks is, however, also felt beyond social relations in a professional context, extending into private and family life. Some victims reported missing out on personal or family life. One victim described “a personal toll”, particularly given increased commuting demands and long working hours. The impact on personal life was also felt by a victim in the technology sector who described a “work–life balance loss through extended hours of working weekends”. Another interviewee, who coordinated incident response, described how they personally provided impromptu childcare for one of the organisation’s chief IT technicians, so that the technician could be “hands-on-keyboard”.
Those staff members who are not part of an organisation’s “core” ransomware response team also experience harm to their professional and private lives, although the nature of the harm may differ from that of those forming part of the “inner circle”. Those outside the immediate response team might feel “like really nobody had a handle on it” and feel left out of the communication loop, receiving little information about what is going on. Understandably, there is also a degree to which professional and personal life entwine, particularly where staff pursue their work as a personal passion. Interviewees also noted that some staff treated the ransomware attack as an opportunity – or impetus – to resign from their role or take retirement; for instance, educational staff who had lost many years’ worth of teaching materials. Another interviewee noted that staff who had been with their organisation for decades felt a form of “love” towards the archives of data that they had personally collected during their career, and felt bereft at the loss of this data.
Many staff members experience different degrees of ransomware harm, which in turn have negative impacts on their professional and private lives. Such negative impacts are closely tied to the psychological impact staff members experience, again demonstrating the interconnectivity of harms – as well as the wide range of forms that psychological harm can take.
This section has illustrated the categories of harm experienced by direct victims of ransomware attacks: that is, the organisations and staff members who experience the ransomware attack. Organisations face potential digital/physical, financial and reputational harm, while staff members may encounter financial, reputational, psychological, physical and social harm. Importantly, though, harm is also felt beyond these first-order harms, extending to those who indirectly experience harm as a result of a ransomware attack. The following sections illustrate what these second- and third-order harms can look like.
Second-Order Harms
The second category of harms involves organisations and individuals indirectly harmed by ransomware. The former group includes organisations that are customers/clients or in the supply chain of a victim entity that has had its IT systems encrypted or data stolen, while the latter group – individuals – refers to the customers or users of a public or private organisation that provides services or holds data.
The research conducted for this paper highlights that, the further “downstream” we get from the initial impact of the attack, the more challenging it is to effectively characterise and illustrate harms to organisations. However, the research has been able to identify a range of second-order harms to organisations and individuals through the interviews with direct victims, third-party experts and law enforcement, and via academic literature and media reporting. The results of a ransomware-harm modelling exercise conducted as part of this project and published as an academic conference paper have also been important in highlighting the different types of harms that can indirectly affect individuals, particularly healthcare patients and residents of local authorities that are affected by ransomware.
Taken together, the various types of second-order harms from ransomware operations help emphasise their long tail and wide reach, shedding light on the various ways in which individuals are impacted by ransomware attacks. Ransomware attacks that disrupt the operations of businesses and public services have cascading effects that harm the lives of citizens of the UK and many other countries.
Figure 4: Types of Second-Order Harms Affecting Downstream Organisations and Individuals.
Second-Order Harms to Organisations
As illustrated in Figure 4, ransomware operations have the potential to create a range of second-order harms for organisations and their employees, even when they are not directly targeted.
Ransomware attacks on outsourced IT services, such as managed service providers or cloud hosting providers, can harm organisations’ digital systems and data. A 2022 ransomware operation against Rackspace Technology, a cloud hosting provider, encrypted Microsoft Exchange email servers and caused thousands of SMEs to lose access to email services for several days. A more recent ransomware attack against CloudNordic, a cloud services provider, resulted in customers losing all their data after the company’s backups were deleted.
Disruptions to organisations’ supply chains and subsequent harms are not limited to ransomware attacks on technology providers. Nor are they a rare exception, with data indicating that 52% of firms say that one of their suppliers has experienced a ransomware attack. Physical supply chains can be particularly sensitive to ransomware harm: attacks against organisations in sectors such as manufacturing and logistics can create cascading effects that spread financial and reputational harm down the supply chain as suppliers and customers experience delays and loss of trust. One interviewee from the manufacturing sector, for example, highlighted how a ransomware attack against their company resulted in delays to their customers’ operations; in some cases, this resulted in customers finding new suppliers. Interviews also highlighted that being downstream from a ransomware attack can be even more challenging than being at the epicentre, as access to information about the attack may be much more limited. As a breach response lawyer argued, second-order harms may be “in a way, slightly worse, because you’re reliant on [the organisation experiencing the ransomware attack] for information … but they’re not going to be able to give you complete information in the early stages”. In some cases, suppliers experiencing ransomware attacks may even attempt to pretend the ransomware attack is not happening in an effort to reduce their own reputational harm.
In this sense, first- and second-order harms are not discrete – rather, they are closely linked. Severe second-order harms are likely to multiply the extent of harm or pressure on the direct victim organisation. For instance, an insurance claims handler recalled supporting an industrial system supplier to the fast food industry. The victim emphasised to the interviewee that their clients had zero tolerance for downtime; kitchens were supposed to be operating at full capacity in a context where fryers and other equipment would routinely break down, warranting rapid repair. If the victim could not return to operations within a matter of hours or days, they would be “booted off” contracts worth millions of pounds.
It is also increasingly common for organisations to have data stolen by ransomware threat actors via their suppliers’ systems. When Capita, a major provider of outsourced IT services in the UK, was targeted by cyber-criminals using Black Basta ransomware, more than 90 of its customers had data stolen.
Listing all the various potential types of financial, reputational, physical, psychological and social second-order harms to organisations and their employees from ransomware is beyond the scope of this paper, given that the interviews and workshops focused predominantly on the experiences of direct victims. However, it is reasonable to conclude that second-order harms may take a similar form to the first-order harms listed in the previous section, since they ultimately stem from disruption to business operations and the theft of data. In this sense, the harms experienced by third parties can be comparable to those experienced by the direct victim (rather than being seen as vicarious nuisance). As one breach response lawyer articulated, “If you’re reliant on someone that has an incident, you can’t do business as a result of their incident, then clearly you’re in a pretty similar position in a way, insofar as you may not be able to do business properly”.
Second-Order Harms to Individuals
Ransomware also creates a range of second-order harms – some of which are sector specific – for individuals downstream from the initial victim. Here, the term “individuals” refers to customers or users of goods and services, including people from groups such as hospital patients or schoolchildren. Given the digital dependencies of most businesses and service providers in modern economies and societies, individuals have significant exposure to ransomware harms. This paper’s research shows that individuals who are already vulnerable, such as patients seeking medical treatment or people receiving benefits, are disproportionately impacted by the indirect harm caused by ransomware attacks.
- Physical Harm
There is a growing body of evidence that ransomware causes downstream harm to the physical health of individuals, most significantly when such harm reduces health outcomes at hospitals after attacks. Many ransomware groups have been ruthless in directly targeting hospitals and healthcare providers, showing scant regard for the impact on essential services and patients.
As the attack on Ireland’s Health Service Executive (HSE) by the Conti ransomware group illustrates, the disruption of IT services can cause cascading harms to clinical services and patients. Attacks against hospitals have forced elective surgeries to be cancelled and disrupted patient services such as cancer treatments. During the HSE attack, for instance, radiation therapy stopped at five centres, while 513 patients had their cancer treatment disrupted. In other cases, ransomware attacks have caused emergency services to be diverted to other hospitals; in critical care services, where minutes or hours can determine whether a patient lives or dies, these kinds of diversions can reduce survivability and recovery. One recent report has suggested that between 2016 and 2021, between 42 and 67 Medicare patients in the US died as a result of ransomware incidents, while several surveys and studies indicate that ransomware attacks are linked to increased mortality rates at affected hospitals. In a recent survey of healthcare professionals in the US by the Ponemon Institute, for example, 24% of respondents said their hospital experienced an increase in excess deaths following a ransomware attack.
Other effects may be less noticeable, but nevertheless still degrade the quality of care individuals receive. Losing access to electronic health records, for instance, forces doctors and nurses to revert to pen and paper; this reduces productivity, which in turn limits the number of patients that can be treated. In the longer term, patients whose detailed records inform choices about their treatment receive less effective care if those records are inaccessible or corrupted.
Ransomware can affect individuals’ physical health even if their healthcare provision is not disrupted. The attack on Hackney Council, for example, contributed to delays in repairs to social housing stock. According to reporting, one resident’s home suffered damp, mould and leaks after the council lost access to records about the property. Disruptions to the provision of social care can also cause physical harms: a disabled resident in Hackney told a journalist that the ransomware attack had prevented her from accessing social care services for several months – “I could not wash myself. I couldn’t wash my own hair”. These examples highlight how ransomware attacks against local government entities can be particularly harmful, due to the range of basic services these entities provide, further emphasising that it is the already vulnerable who are disproportionately affected by the second-order harms caused by ransomware attacks. Policymakers must consider what policy measures can be taken to protect these vulnerable people from such harm.
In extreme circumstances, the exfiltration and release of data also has the potential to expose individuals to varying degrees of personal physical risk. This stems from an emergent trend in which ransomware operators exfiltrate data from organisations that hold highly sensitive personal data – for instance, schools and law firms. A severe example highlighted in interviews was the possible doxing of relocated domestic abuse survivors following the theft of data from a law firm; the malicious public release of such data could put such individuals and those around them at extreme personal risk. An interviewee from the education sector recalled feeling relief when they realised that the ransomware operators involved in their attack had gained access to commercial data – including payroll – but did not get access to pupil safeguarding data.
- Financial Harm
Ransomware also has the potential to harm individuals financially. In some cases, second-order financial harm can stem from disruption to particular financial services or goods; or, in a small number of cases, from the risks associated with stolen and leaked personal financial information.
In the UK, ransomware operations against local authorities have disrupted residents’ ability to access housing benefits, again disproportionately impacting those who were already vulnerable. One senior leader at a council described the “massive disruption” to local residents, recounting that “people couldn’t pay their rent”. Hackney Council’s housing benefit services were also significantly impacted, and in July 2022 a news report suggested that a family of seven living in Hackney had been forced to leave their home because the council was unable to update their housing benefit payments. A UK law enforcement officer said that disruptions to state benefits “might stop [residents] being able to put food on the table for their kids”. Critically for policymakers, these examples highlight how personally ransomware attacks are experienced, and how already vulnerable groups are disproportionately affected by them – problems that require nuanced consideration when designing policy responses.
More intangible are the potential downstream impacts from ransomware attacks on the costs of goods and services for individual consumers. Although this research did not uncover specific evidence of price rises for consumers following ransomware attacks, a study by IBM highlights that 62% of firms affected by ransomware raised their prices in the aftermath. It is reasonable to expect that some price rises may be directly felt by individuals, particularly for consumer-facing services.
There is also a small possibility that individuals whose personal data is stolen by ransomware operators may be personally extorted or defrauded by other cyber-criminals in the ransomware ecosystem. On a small number of occasions, threat actors have tried to personally extort individuals whose data has been stolen as part of a ransomware operation, the most notable example being the theft of healthcare data from a Finnish therapy provider by cyber-criminals, who then also extorted patients. However, interviewees highlighted that this example is likely to be the exception rather than the rule.
An insurance claims interviewee recalled an attack on a private school, wherein the ransomware operators directly contacted pupils’ parents before delivering the ransomware payload. These fraudulent emails offered parents a 10% discount on forthcoming school fees if the parents made an expedited payment (to a false payment address). This reflects the relatively new ransomware attack model of “triple extortion”, wherein the threat actors not only encrypt and exfiltrate data held by the direct victim organisation, but also target secondary parties (clients) to solicit additional payments.
Media reports on ransomware, particularly incidents involving large stolen datasets, often speculate that stolen and leaked personally identifiable information and financial details might be used for identity theft and fraud. However, the research conducted for this paper suggests that ransomware operators or other cyber-criminals are not monetising stolen personal data in a systematic way. Interviewees and workshop participants from incident response, law firms and law enforcement all emphasised there is little evidence that ransomware operators are cleaning and aggregating stolen data in a way that would allow them to sell it to other cyber-criminals or use it for financial fraud.
There are likely several reasons why ransomware criminals do not currently exploit stolen data for further criminal gains. First, for the time being, it is simply much more profitable for criminals in the ransomware ecosystem to engage in or enable extortion-based crimes. Second, it is costly and time consuming to host, clean and aggregate stolen data in a way that would be useful and monetisable. A ransomware negotiator noted that a personal record for an individual was likely to be worth between $1 and $4, thus offering limited profitability unless the dataset was ordered in a readily hostable and saleable format. The saleability of such data is also likely to be hampered by the cost of server storage and the unreliability of darknet-hosted platforms. As a lawyer involved in breach response explained, lawyers and forensic experts often take weeks or months (with the use of specialist software) trying to figure out what type of data has been stolen during a ransomware incident, a process which cyber-criminals are unlikely to have the resources or inclination to emulate.
Taken together, these factors suggest that the potential financial harm to individuals from data stolen by ransomware threat actors is not as significant as many people believe. While policymakers must be aware that further extortion from leaked data is a possibility, this impact should not be overestimated, although this should certainly not distract attention from the concrete psychological harm that victims experience (and which is currently often overlooked). However, this does not rule out cyber-criminals or other threat actors exploiting this data in the future, particularly if technological changes enable them to aggregate it more efficiently.
- Psychological Harm
Ransomware can also cause psychological harm to individuals who are not involved with the immediate response or who do not work for the targeted organisation. Although the research conducted for this paper does not include interviews with victims from outside (direct) victim organisations, other sources such as media reporting, academic literature and our interviews with subject matter experts illustrate some of the negative impacts from ransomware on individuals’ mental health and wellbeing.
First, ransomware attacks that cause downtime for essential services like healthcare, local government and education can cause stress, anxiety, confusion and fear for the individuals who use these entities’ services. Beyond the immediate impact on physical health stemming from ransomware attacks on healthcare services, the mental health effects on patients and families have also been made clear in news coverage. Delays to important test results or outpatient services like cancer treatments or elective surgeries can cause distress and anxiety for patients and their families, as the attack against HSE illustrated. The interruption of local government services such as social care, housing and child benefits, and council housing can also lead to stress and even anger among affected residents.
Second, the rise of double-extortion ransomware operations has created additional psychological harms for individuals whose data has been stolen and leaked.
Although the concrete risk of fraud and identity theft related to data stolen by ransomware threat actors appears to be low, this is not the dominant public perception. As one incident response practitioner suggested, “you can’t necessarily reassure [people] who, through no fault of their own, have had all of their details compromised”.
Figure 5: Ransomware Incidents Involving Exposure of Personal Data. Source: Alexander Martin, ‘Ransomware Attacks Hit Record Level in UK, According to Neglected Official Data’, The Record, 12 September 2023.
As highlighted in Figure 5, a range of personal data can be impacted by ransomware incidents. When particularly sensitive data, such as private photos or medical records, is stolen and leaked, it has the potential to create psychological harm such as considerable levels of stress, anxiety and embarrassment for individuals.
Additionally, one legacy of the recent surge in ransomware attacks targeting schools is the exposure of large amounts of safeguarding data and other sensitive pupil records. Following a ransomware attack against Minneapolis schools in March 2023, threat actors leaked intimate and graphic reports about students that included descriptions of sexual assaults, domestic violence and mental health issues. Many of the most sensitive files were posted on Twitter and Facebook, increasing the chance of families and pupils discovering them. Although none of the UK schools interviewed had pupil data stolen and leaked, one leader at an academy trust emphasised that the attack on their schools caused fear among pupils, as they understood they were being targeted by criminals. And while the Minneapolis schools example comes from a US context, similar events could also occur in the UK. Moreover, the fact that ransomware threat actors are finding it harder to monetise their operations means that there is a risk of them adopting the kind of extreme “shaming” tactics like the ones used in the Minneapolis schools incident.
It is worth emphasising that first-order harms to organisations and second-order harms to individuals can flow in both directions. For instance, a client’s psychological distress may be sufficient for secondary victims to file legal action against organisations compromised by ransomware. In a recent case, patients launched a lawsuit against a cosmetic surgery provider after their pre- and post-operation photographs were leaked by ransomware operators.
Second-order harms to organisations and individuals largely resemble the first-order harms. For organisations that experience indirect harm because a supplier has suffered a ransomware attack, this means they can still experience financial, reputational or physical/digital harm, but also often lack first-hand information about the evolving situation. Like the staff members who are direct victims of a ransomware attack, individuals outside the targeted organisation can also experience financial, psychological, or physical harm indirectly in the wake of the attack. Finally, although the risk to individuals due to ransomware operators’ theft of personal data is currently low, this calculus could change in the future if cyber-criminals develop the intent and capability to exploit such data.
Third-Order Harms
This category of harms describes the cumulative effects of ransomware incidents on a state’s economy, society and national security. Taken together, these harms emphasise the threat ransomware poses to states, as well as to organisations and individuals. It should be noted, however, that there are significant knowledge gaps about the impact of ransomware at a national level. This makes it challenging to assess the severity of the harm caused by ransomware to the UK and other countries, and creates the risk that governments will not prioritise and properly resource responses to ransomware. This chapter draws on examples from both the UK and other countries.
Figure 6: Third-Order Harms to the Economy, National Security and Society.
- Economic Harms
Ransomware has the potential to create considerable economic harm at a national level. However, there are significant challenges to be overcome when assessing the cost that ransomware exacts on the UK economy.
As highlighted elsewhere in this paper, ransomware operations generate costs and losses for victims, reduce productivity, lead to missed opportunities for growth, and disrupt supply chains, in turn spreading financial harms downstream to businesses of all kinds and scales. Disruptions of specific sectors or of individual companies that have significant market share of niche (but essential) products for global or national supply chains also have the potential to cause economic harm. One recent example of this was a ransomware attack against MKS, a US manufacturer that produces specialist parts and tools that are essential for companies making semiconductor chips. The incident caused disruptions to the semiconductor supply chain – an essential component of modern digital infrastructure and the global economy. As the challenges posed by Covid-19, geopolitical tensions and energy price rises have highlighted in recent years, disruptions to supply chains can have a wide range of negative effects that reach into all corners of a modern economy.
The sensitivity of modern globalised supply chains means that disruption to the operations of just one contributory logistical element – for instance, imports at ports – has the potential to cause economic harm at scale. An interviewee with first-hand experience of a protracted ransomware event in a developing country noted that its society had “a total dependency on the customs system. Therefore, when this service disappeared, the imports and exports disappeared, the fruits were lost by the docks, they rotted. The technological products that we import, they were blocked. Everything was scarce in the country”. Developed countries are also vulnerable to societal harms resulting from attacks on freight-related systems. A November 2023 incident against a shipping firm – responsible for 40% of Australian goods traffic – left shipping containers stuck at Australian ports. This incident reportedly threatened the supply of Christmas goods, risked higher inflation, and raised the prospect of a future interest rate increase.
However, while it is possible to describe the types of economic harms that ransomware causes a country, it is considerably more challenging to accurately calculate economic costs and losses. In order to assess the scale and scope of economic harm to the UK from ransomware, reliable costings for incidents are required, as well as aggregated quantitative data.
Existing governmental, law enforcement and regulatory reporting mechanisms have several limitations in this regard. The UK Information Commissioner’s Office (ICO) has published data showing that since Q2 2019, there have been 1,940 ransomware incidents in the UK that required notification due to the risk to personal data. However, data protection reporting is not focused on financial costs, and many attacks may not require ICO notification if the incident only encrypts servers that do not hold personal data. Reporting of ransomware incidents to law enforcement, meanwhile, is likely much lower. The UK’s NCA, for instance, has estimated that less than 10% of victims report ransomware attacks to Action Fraud (the UK’s national centre for reporting fraud and cybercrime). Moreover, existing Action Fraud reporting mechanisms are not designed to capture the variety of costs and losses that ransomware imposes.
As noted in the section on first-order financial harms, surveys and other forms of research by cyber security vendors can shed some light on mean/median financial costs. Sophos’s annual survey on ransomware includes figures on ransom payments, recovery costs and loss of business (although the 2023 version did not include these for the UK), while IBM’s annual Cost of a Data Breach report also includes the average cost of a ransomware attack. Coveware, an incident response firm specialising in ransomware, also produces quarterly reports on mean/median ransom payments and incident length. However, there is no standardised approach for calculating the costs and losses from ransomware, or their long-tail financial impact on other organisations, individuals or the economy. As a 2021 report from the US’s Cybersecurity and Infrastructure Security Agency highlighted, there are considerable barriers to putting a value on the economic harm of ransomware and cyber incidents, be it for an individual victimised organisation or a country’s economy as a whole.
- Harms to National Security
Ransomware is now widely considered to be a threat to national security in the US, Germany, Canada and the UK, among others. Two primary harms to national security emanate from ransomware: the disruption of critical national infrastructure (CNI) and strategic sectors, with knock-on effects on economic prosperity and public safety; and the strategic advantage that ransomware can create for hostile states.
Ransomware operations targeting CNI in a number of different countries are now well publicised. The disruption of emergency services, energy infrastructure, telecommunications and healthcare has demonstrated the ability (or potential) of ransomware threat actors to cause harms to public safety. In some cases, ransomware operations have explicit implications for national defence. There are now several examples of cyber-criminals targeting defence and aerospace companies, disrupting defence supply chains, or stealing sensitive data on intellectual property or military personnel.
The growth of ransomware has also created strategic advantages for some states hostile to the UK and its allies. In the case of North Korea, ransomware operations by threat actors linked to the North Korean state are primarily financially motivated and aim to generate revenue for the regime.
Meanwhile, the Russian-speaking ransomware ecosystem provides a number of advantages to the Russian state. Although the Russian state does not direct all cyber activity that emanates from within its borders, it provides a safe harbour, maintains close ties to some cyber-criminals or groups, and co-opts them or their capabilities for its own needs. In 2019, the US Treasury highlighted the direct relationship between Evil Corp, a Russian cyber-criminal organisation responsible for a number of ransomware attacks, and Russia’s Federal Security Service (FSB); the same US Treasury advisory note suggested that Maksim Yakubets, one of the leaders of Evil Corp, was directly tasked by the FSB to conduct cyber espionage on its behalf. In a similar vein, the organised cyber-criminal group linked to the Conti ransomware operation was reportedly tasked by the FSB to collect intelligence on researchers at Bellingcat, an investigative non-profit organisation whose reporting has frequently embarrassed the Kremlin.
The ransomware ecosystem also provides more indirect benefits to the Russian state. Russian intelligence units can benefit from using services, malware or tools developed by the criminal ecosystem to augment their own capabilities or provide plausible deniability for their own operations. Moreover, while the vast majority of ransomware operations conducted by Russian cyber-criminals are financially, rather than ideologically, motivated, the fact that they harm the economic and societal resilience of the Kremlin’s adversaries in North America and Europe is a useful by-product.
- Societal Harm
As has been argued elsewhere, ransomware creates a range of societal harms. Disruption of basic services, the diversion of resources from other priorities, and citizens’ potential loss of trust in the state to protect them all illustrate the impact of ransomware on modern societies. These types of harm are arguably less well understood or prioritised than those that more obviously affect economic prosperity and national security.
As highlighted earlier in this paper, the disruption of healthcare providers can degrade the quality of care that individual patients receive. Several participants stressed that the HSE incident in Ireland was one of the most impactful ransomware cases they had seen. Harms to patient care can extend beyond the blast radius of an incident: one study in the US, for instance, showed that hospitals located near a hospital directly disrupted by a ransomware attack also experienced drops in their quality of patient care. On a broader scale, ransomware operations targeting the healthcare sector can have cascading impacts that undermine the state’s ability to provide or protect healthcare services. In national healthcare systems like the UK’s NHS, single incidents can have systemic effects. In August 2022, for example, a ransomware operation against Advanced, a major NHS IT provider, caused disruption to NHS services that lasted for months, degrading the quality of patient care and increasing the workload of administrative and medical staff who were already under strain.
The impact of ransomware on educational institutions also has societal implications. Although the UK government does not currently designate education as part of the country’s CNI, the sector plays an essential role in the development of a well-functioning society. Ransomware operations targeting the sector have grown in frequency, with one ransomware threat actor, Vice Society, seemingly targeting schools and universities deliberately. Although none of the interviewees from the education sector believed that the incidents involving their schools or universities caused lasting harm to students’ education or outcomes, such attacks create significant recovery costs for victims and are often timed to coincide with the beginning of the school or academic year so as to maximise disruption.
Beyond the immediate impact on the quality of life, wellbeing and development of citizens, ransomware operations against basic services also create significant opportunity costs by diverting resources away from other priorities. Although these impacts are felt by any organisation hit by ransomware, they take on societal implications when inflicted on providers of public services. In the UK, ransomware attacks involving the NHS, state education or local authorities take place within a broader context of acute public spending constraints. At the time of writing, for instance, Hackney Council had spent £12.2 million on recovering from the attack it suffered in 2020, having previously experienced nearly a decade of some of the highest budget cuts in the country. One interviewee from a UK local authority described how their council had been forced to use up most of its reserves to recover from an attack, diverting resources from other pressing issues.
Finally, the prevalence of ransomware has the potential to undermine trust in the state. The workshops and interviews highlighted the low level of confidence that many victims and ransomware response providers have in the ability of the UK government (or law enforcement) to protect UK organisations or disrupt ransomware threat actors. If citizens perceive the security of public services and data as being in doubt, they may lose confidence in the ability of law enforcement and government to protect them. One recent study of a ransomware attack against a hospital in Düsseldorf, Germany observed a sharp reduction in the local population’s trust in the government and security agencies after the attack. At present, though, there is little evidence that ransomware specifically has caused the UK public to lose trust in the NCSC or in law enforcement, although this could change if there were to be a significant attack against CNI.
While it is often challenging to link specific developments directly to a ransomware attack, or to put a number on the financial cost of the third-order societal harm such attacks cause, the interview data has repeatedly illustrated that the harm caused by ransomware has implications for wider society and national security, whether through the interplay of cyber-criminals and state actors or through the cumulative effect of ransomware harms on individuals, organisations, the economy and society at large.
III. Implications for Policy and Future Research
This paper has described the wide range of harms that ransomware attacks can cause and has provided examples of how victims – organisations as well as individuals – and countries experience these harms. In doing so, it starts to fill the knowledge gaps surrounding the ways ransomware causes harm to organisations, individuals and the UK as a whole. Deeper knowledge of these vectors of harm is critical to designing better responses to the ransomware threat and mitigating harm to victims. Several key findings from the research are important for pushing forward ransomware policy and future research. The next paper from this project will provide recommendations on how to mitigate some of the challenges laid out below.
1. There is generally a low level of understanding of the long-term economic impact of ransomware attacks.
At the time of writing, there are ongoing efforts within the UK government to calculate the economic impact of ransomware on the UK. Mobilising political will, prioritising intelligence and law enforcement resources, and building industry support for combating ransomware are to some extent all predicated on a clear costing of the harm being done to businesses and the UK economy. This paper has highlighted the wide range of costs, losses and downstream economic harms that must be included in any effort to calculate the economic impact of ransomware on the UK, but also the numerous challenges in doing so. For example, the costs of psychological harm caused to victims (impacting their productivity) and the long-term costs that might arise from additional staff turnover do not seem to be captured in interviewees’ financial assessments, which focus predominantly on immediate costs – especially those that are recoverable via insurance. Including long-term and indirect costs, although methodologically challenging, would paint a more accurate picture of the true financial harm caused by ransomware.
In addition to these reporting challenges for governments and law enforcement, there is little evidence that victims or ransomware response services are collecting data on the full range of financial costs and losses from ransomware. This is partly due to the methodologically challenging nature of this task, but such data gathering is also hampered by the fact that many victims may not be resourced to assess the impact of incidents on their finances; moreover, victims sometimes have very little interest in dwelling on incidents. A number of interviewees highlighted that their organisation wanted to “move on” in the aftermath of a ransomware attack, with little desire to measure or quantify long-term financial harms.
Just as victims are unlikely to have a comprehensive understanding of the financial harm inflicted, no stakeholder in the ransomware ecosystem possesses the long-term insights or general overview that would make possible an assessment of the wider economic harm. The other parties in the ecosystem (for instance, incident responders, insurers, legal counsel, law enforcement and regulators) have insight only into specific aspects of the financial harms and are therefore unable to collate all the information needed for a comprehensive assessment of long-term financial harm. Likewise, it is unlikely that any of these parties would feel it was their responsibility to take on such a burdensome task. Consequently, a comprehensive picture of long-term financial harm is unlikely to emerge in the near future, and current figures probably underestimate the level of financial harm because they do not account for indirect additional costs or financial losses.
2. Reputational harm is a major concern for organisations, but may be overestimated by victims in some contexts.
Although the interview data confirmed that victims have a considerable fear of reputational harm, and that this often guides their response to incidents, the actual degree of reputational harm stemming specifically from data theft/exposure is not always as significant as imagined. Customers and clients can be forgiving, potentially indicating a wider societal acceptance that cyber security breaches cannot always be prevented. However, poor communication practices, both internally and externally, may have significant reputational consequences, as may the risk of data exfiltration. Reputational harm is also to some extent business- and sector-specific, and tightly interconnected with financial harm. Businesses that rely on continuous operations or that hold particularly sensitive information are more susceptible to reputational harm, which can lead directly to financial harm. Public sector organisations, on the other hand, are less exposed to reputational harm given that they often have a monopoly on the provision of basic services and that their funding is less dependent on reputational standing. While reputational harm should not be overlooked, the fact that such harm is often not as serious as some victims fear has important implications for organisations which believe that, in order to protect their reputation, they need to pay ransoms so that ransomware threat actors will delete stolen data.
3. There is currently little evidence that exfiltrated data is systematically exploited for further criminal activities.
Although there is wider concern about the potential for leaked data obtained in ransomware attacks to be exploited for fraud or other criminal activity, we have not found evidence that the ransomware ecosystem is exploiting stolen and leaked data in a systematic way. For the time being, exploiting stolen data is less profitable than extortion-based crime. While developments in cybercrime (particularly the skills and methods of large-scale data analysis) are likely to change criminal practices in the future – with criminals potentially revisiting previously stolen data – our research indicates that such data is currently not being systematically exploited for criminal gain. This finding has implications for victims who believe they should pay ransoms to mitigate some of the risk from stolen and exfiltrated personal data.
4. Psychological harm to staff and individuals is significantly overlooked, both in public discourse and in organisational responses to ransomware attacks.
While the fear of reputational harm among victims is perhaps overstated in many instances, the opposite is true of the psychological impacts of ransomware attacks, which are relatively neglected. Interviews highlighted that the psychological harm to staff is overlooked both in wider reporting and in organisational responses to incidents, and interviewees repeatedly stressed that IT teams in particular bear the brunt of it. To reduce the harm caused by ransomware attacks, addressing the psychological impact on staff (and other individuals) needs to be at the centre of responses to a ransomware incident. This would involve not only raising awareness of potential psychological harm, but also ensuring that crisis management best practices focus on mitigating it.
5. The second- and third-order harms from ransomware attacks disproportionately affect vulnerable groups.
Ransomware attacks start by harming technology and organisations, but ultimately lead to harm to individuals. However, the effects on individuals are not felt equally. As noted above, within organisations certain members of staff will likely experience more harm than others. Similarly, the external, downstream effects of ransomware may affect certain groups disproportionately. This is underlined by the impact that attacks on schools, hospitals, law firms holding sensitive data and local government services have on vulnerable groups such as schoolchildren, healthcare patients and residents who rely on benefits or social care.
6. Government responses to ransomware must focus more on highlighting and reducing societal harms, rather than focusing solely on economic harms.
By targeting essential public services and other forms of CNI, ransomware harms the physical and mental health, development and prosperity of UK citizens. However, the enduring focus on the financial costs of ransomware risks making wider societal impacts seem abstract and unrelatable to policymakers and the public. In the simplest terms, ransomware has the potential to ruin lives. More openness and clarity about the impact of ransomware on society may help to galvanise efforts, boost resources and increase the political will to find solutions. People – whether politicians or individual citizens – might be more likely to publicly categorise the cumulative effect of ransomware as a societal or national security risk if they knew that many cyber-criminals, some harboured by hostile states, regularly disrupt the services that are an essential part of modern society such as GP appointments, schools, and having rubbish bins collected by local councils.
This paper has underlined the scale of the impact ransomware has on individuals, organisations and wider society. Different forms of harm are felt by a wide range of individuals and groups, who are impacted directly or indirectly. To foster a better understanding of the necessity and nature of policy interventions, it is vital that policymakers understand the scale and breadth of ransomware harms. While ransomware crime is an intractable contemporary issue with no immediate solution, action, where it is applied, should seek to increase resilience and alleviate harms. Greater attention urgently needs to be paid to the human impact of ransomware attacks, be it the psychological harm often overlooked in the wider discourse or the fact that vulnerable groups such as patients and benefits recipients are disproportionately impacted by ransomware harm.
Conclusion
Ransomware attacks remain a threat to individuals and organisations across the UK and indeed the globe. While the wider focus of reporting is often on the financial implications of ransomware attacks, this paper has set out a detailed analysis of different kinds of harm experienced directly or indirectly by ransomware victims and by society at large.
The interview data has suggested a framework including first-, second- and third-order harms to assist in distinguishing between those directly impacted by ransomware, those indirectly impacted, and the cumulative effect ransomware has on society at large. Within each order of harm, this paper identified several categories of harm, such as financial, psychological or reputational harm, and provided numerous examples of how such harm is experienced by victims.
Key findings based on this research underline that the psychological impact of ransomware attacks is significantly overlooked, and that currently no one has a full understanding of the economic impact of ransomware attacks, such that the cost of long-term and indirect financial harms is likely to be missing from current estimates of the economic harm caused by ransomware. While the reputational harm stemming from a ransomware attack is a valid concern for some companies, especially those whose clients expect a higher level of privacy (such as customers of legal or financial services), the danger of reputational harm is often overestimated by victims. Similarly, the feared impact of exfiltrated data being used to cause further harm through financial fraud or other crime was not confirmed by interviewees. Interview data did show, however, that groups that are already vulnerable, such as benefits recipients or healthcare patients, are disproportionately impacted by ransomware harm. Finally, the paper found that government responses to ransomware must give greater weight to reducing societal harm rather than focusing solely on economic costs.
The paper’s detailed account of the ways in which ransomware attacks negatively impact individuals, organisations and society offers new insights into the actual harm caused by ransomware attacks. Although naturally limited, given that it reflects interview data and contemporary criminal activities that must be expected to evolve, the framework proposed in this paper will allow policymakers and practitioners – as well as those preparing for a potential cyber incident – to understand the ways in which victims are negatively impacted by ransomware attacks. This knowledge provides a critical baseline for taking effective steps to mitigate such harm, both when preparing for or responding to individual incidents and when designing policy interventions to tackle the ransomware threat. The framework further offers a valuable starting point for future analysis and data gathering, as findings from further research can be incorporated into it.
Jamie MacColl is a Research Fellow in cyber threats and cyber security. His research interests include cyber security, the evolution of the cyber threat landscape, the role of emerging technologies in security and defence policy and the uses of history in policymaking. Current research projects focus on cyber insurance and cyber risks related to the Globalisation of Technology.
Pia Hüsch is a Research Analyst in cyber, technology and national security. Her research focuses on the impact, societal risks and lawfulness of cyber operations and the geopolitical and national security implications of disruptive technologies such as AI.
Gareth Mott is a Research Fellow in the Cyber team at RUSI. His research interests include governance and cyberspace, the challenges (and promises) of peer-to-peer technologies, developments in the cyber risk landscape, and the evolution of cyber security strategies at micro and macro levels.