It’s well known that ransomware attacks are one of the most significant cybersecurity challenges facing the world today, and often the financial impact on victims is the most obvious and most discussed consequence. But that’s far from the only cost.
The Ransomware Harms and the Victim Experience project by the Royal United Service Institute (RUSI) and the University of Kent looks to explore and draw attention to the psychological harms and other affects that ransomware can have on its victims and wider society.
“We’ve seen lots of mentions of ransomware, but what we haven’t seen is a focus on the victims and the impact,” said Jason Nurse, professor in cybersecurity at the University of Kent and associate fellow at RUSI, speaking at an event in London to launch the project.
“There’s focus on the financial impact of ransomware, but what we’re especially interested in for this project is what are the harms beyond the financial impact? How are victims, be it organizations or individuals, impacted by ransomware?” he added.
The project aims to draw attention to the disruption ransomware can cause to organisations and individuals. The project wants to provide a framework to make it easier to understand the impact cyberattacks can have on the ‘real world’ and prevent them from causing widespread disruption.
While cyberattacks might be viewed as a problem for the cybersecurity industry, a major incident can have far-ranging consequences, which means ransomware can have a huge impact beyond the problems it causes for IT professionals. The UK’s National Health Service (NHS) got a taste of this impact in 2017 when it was one of the most high-profile victims of the global WannaCry ransomware attack.
While this was not a traditional ransomeware attack – the campaign was launched by North Korea and the malware appears to have got out of hand – it demonstrated the impact a cyberattack can have, as many hospitals and GP surgeries found themselves without access to computer systems and appointments – and patient services were delayed or cancelled.
“A ransomware attack can have such far-reaching and damaging consequences that isn’t a targeted attempt to undermine critical infrastructure per se, it’s an attempt to make money. And in so doing, almost by accident, it actually cripples critical infrastructure,” said Eleanor Fairford, deputy director for incident management at the National Cyber Security Centre (NCSC).
Hospitals and healthcare appear to be particularly vulnerable to ransomware attacks. It is difficult to keep systems up to date with security patches because it’s hard to apply an update to a vital machine that must be online at all times.
This vulnerability means cyber criminals know that hospitals are potentially easy targets. While organizations in many other sectors could potentially work without computer systems, while attempts are made to restore the network without paying a ransom, a healthcare provider might not have that luxury.
In May 2021, Ireland’s Heath Service Executive – responsible for healthcare and social services across Ireland – fell victim to a major ransomware attack. The body didn’t pay the ransom, which was reported to be a demand of $20 million – and even despite receiving the right decryption key, restoring the network was a slow and arduous process that disrupted services for months on end.
Advice from security agencies and cybersecurity professionals is that ransom payments shouldn’t be made as it only encourages further attacks. But that’s hard when key services are under threat.
“We in security often sit in a bit of an ivory tower and we speak about these things academically and theoretically – but we have to remember there are victims at the end of this chain and it impacts their lives,” said Jen Ellis, co-chair of the Ransomware Task Force (RTF).
Just weeks after the HSE incident, another major ransomware attack hit the headlines – this time US meat processor and food production company JBS was compromised by ransomware. The company paid a ransom of $11 million to cyber criminals for a decryption key to help restore the network and food production services, but the attack caused problems for farmers and the livestock industry more broadly.
Another popular target for ransomware gangs has been local government, which – like healthcare – often doesn’t have the budget or staff required to invest heavily in cybersecurity but provides vital services to the local population. Disrupting those services can lead to significant issues.
“It’s less the ransomware itself than the knock-on impact and the human factor – it’s really powerful,” said Fairford, who as an incident responder at the NCSC has been involved in dealing with attacks. “I’ve always been struck by how powerfully it’s felt by those who aren’t the victims.”
For example, in October 2020, the London Borough of Hackney was hit by what the NCSC has since detailed as a ransomware attack. The borough didn’t pay the ransom, but services were disrupted for many months while systems were repaired and restored. For many people living in Hackney, the incident was emotionally and psychologically damaging.
“We’ve had various testimonies – and the testimony from Hackney, people are still tearful when they talk about how they were unable to continue to do their jobs or provide services and look after their community,” said Fairford.
Ransomware is an expensive problem – it cost Hackney more than £12 million to recover from the attack, even without paying a ransom. However, it’s also clear that cost isn’t just a financial one, because there’s a human cost too – one that can be extremely distressing.
That’s why it’s imperative that organizations take action to prevent their networks from falling victim to ransomware in the first place; if cyber criminals can’t get into networks to encrypt them, then they can’t hold organizations – or wider society – hostage.
Steps that organizations can take to bolster their defences against cyberattacks include applying avoiding the use of default passwords across networks, providing all users with multi-factor authentication, and applying security patches as soon as possible after they come out – or to ensure mitigations are in place, so systems that can’t be patched aren’t on networks that are facing the internet.
Only if networks are protected against ransomware, will it stop being a problem for the for tech teams – and the rest of us.