Ransomware attacks against high-profile organizations are depressingly common, and by now we’re all used to the miserable sequence of events.
First, there’s a burst of interest in the incident itself: the race to find out which ransomware gang is behind the attack, which backdoor was left open to let them in, what data was stolen or encrypted, and whether a ransom was paid.
And then interest wanes, because there is almost always another big ransomware attack, and the whole cycle starts again.
But not everyone moves on.
The real effects of a ransomware attack may take months, or even years, to materialize and the psychological harm that comes from being caught up in an attack is rarely considered. A paper from the respected defense and security think tank Royal United Services Institute (RUSI) takes a look into the consequences of ransomware attacks and exposes the real, and usually forgotten, pain that these incidents can create.
As it describes, attacks create a ripple effect that hits every corner of the business: the front-line tech staff, the executives tasked with deciding a plan of action, the organization struggling to stay operational, and even the customers and clients.
It’s a vital reminder that the cost of ransomware goes well beyond the immediate financial and reputational impact on organizations.
Ransomware’s life-altering impact
RUSI’s interviews with victims and incident responders revealed that ransomware creates physical and psychological harm, or, as the report puts it bluntly: “Ransomware can ruin lives”.
We tend to think in the abstract when it comes to data. It’s a cold word, one that can feel a little detached from the realities of what is being stored. Yet, if we take the word ‘data’ and replace it with ‘company accounts’ or ‘my life’s work’, the effect of an attack on businesses and individuals becomes a little clearer.
RUSI writes about teachers losing 20 years’ worth of work in an attack on their school, and how in exit interviews they cited the loss of their work as the tipping point for quitting for good. Another victim described how the ransomware attack led to lower morale among employees, which in turn had a knock-on effect as people started to leave.
Cyber security professionals already lose sleep to work-related stress, and the strain of dealing with a ransomware attack can be overwhelming. The report describes an employee who felt compelled to leave their firm because their account had been used by the attacker to get in. In one case, the stress was so great that the company hired a post-traumatic stress disorder (PTSD) support team.
In many cases, IT teams found attacks extremely stressful because they felt directly responsible for protecting the organization’s systems. If leaders don’t counter that sense of blame and look after their security staff, the resulting churn can leave the organization weaker than before.
Guilt is also common in IT teams: workers may feel they could have done more to flag issues, and blame themselves for the attack and any resulting data breach. That guilt often shows up as redoubled effort on the incident response, which only deepens the burnout.
Perhaps most shockingly, physical health suffers in the wake of ransomware attacks too. “Physical harms reported by interviewees ranged from minor ailments (for instance, weight changes) to serious health issues (such as heart attack or stroke),” the report reads.
Far more common were the aforementioned sleep deprivation, fatigue, and burnout. It’s a grim catalog that might leave you thinking that something must be done.
The problem is that when it comes to ransomware, finding that something is extremely hard, at least for now.
Cyber security whack-a-mole
The ransomware plague has continued for years thanks to a cruel alignment of factors, geopolitical and technical, that make these attacks easy to carry out, lucrative, and hard to trace. Worse, it has proved extremely difficult either to stop the attacks or to take action against the groups behind them.
IT systems are hard to secure. There are bugs in every piece of software and few organizations have the money, the skills base, or the focus to close off every gap in their defenses.
With new vulnerabilities appearing all the time, patch management can be a losing battle, and the sheer volume of findings means some inevitably get ignored. The trouble, of course, is that we have become reliant on these systems: it’s hard to think of an organization or business that could survive for long cut off from its data and computers.
Beyond this, the rise of cryptocurrency means that gangs can demand a ransom that is easy to pay but hard for police to recover. Crypto payments on public blockchains are pseudonymous rather than anonymous, and can often be traced, but that doesn’t seem to bother the gangs much: most of them are based in Russia, where the state has no interest in pursuing cases against them.
As Ciaran Martin, former chief executive of the UK’s National Cyber Security Centre, noted recently, we have consistently underestimated just how much cyber crime breaks our model of policing. “For the first time in human history, it is possible to inflict sustained, large-scale criminal damage on another country without the perpetrator or a single accomplice setting foot in it,” he writes.
So if the ransomware gangs themselves are likely to remain beyond the reach of the law for at least the next few years, we need a different approach to this crisis, and that starts with looking at ransomware differently.
RUSI’s report is a vital reminder that there is always a human story behind technology. It’s a reminder that ransomware isn’t a problem for the techies, it’s a problem for all of us.
That means holding the tech industry to a higher standard on security, ensuring organizations big and small are able to keep their own systems up to date, and educating staff about the risks, for instance through online cyber security courses. It’s critical that leaders have a plan for when things go wrong, and understand why ransomware attacks happen even to small businesses.
Ransomware isn’t a crime against computers; it’s a cynical attack on teachers, entrepreneurs, students, patients, and customers. It is neither victimless nor far away: it’s a crime where the victim is anyone and everyone.