Main image credit: Insidious effects: ransomware attacks can result in a range of harms to economies, societies and citizens. Image: ZETHA_WORK / Adobe Stock
Ransomware is the most significant cyber threat facing society today. However, much is still unknown about its impact on our economy, society and citizens. If we are to design effective responses to this threat, we need to appreciate the full range of harms that it causes to victims and society.
Last week, the US Treasury’s Financial Crimes Enforcement Network reported a record year for ransomware payments by US victims in 2021. In all, the financial institutions that file reports on ransomware payments put the total at $1.2 billion. This is likely only a small percentage of the actual figure, as many victims do not report to the relevant authorities.
Those who research or follow the growth of ransomware as a highly lucrative criminal enterprise have become used to such figures. Indeed, it is the financial impact of ransomware attacks that often receives the most coverage. Such a focus is understandable given the immediate financial burden that ransomware places on victims. Ransom payments, business interruption and privacy liability costs, as well as the expense of hiring incident response firms, negotiators and crisis managers, are all relatively straightforward to categorise, measure and understand.
At the same time, the focus on the financial impact of ransomware on businesses risks making it seem abstract and unrelatable to policymakers and the public. Instead, practitioners, journalists and researchers need to do more to articulate the broader costs of ransomware for national security, societal resilience, and the wellbeing of individuals.
The Threat to Essential Services
This is perhaps best illustrated by looking at the consequences of ransomware attacks against three services essential for any functioning society: healthcare, education and local government services.
During the coronavirus pandemic, ransomware groups have been ruthless in directly targeting hospitals and healthcare providers, showing scant regard for the impact on service providers and patients. Indeed, leaked chat logs from the organised cybercriminal group behind the Trickbot botnet illustrate their callousness. During a wave of ransomware attacks against US healthcare providers in October 2020, one senior member of the group wrote ‘f**k clinics in the US this week… there’s gonna be a panic’.
The consequences for healthcare services and patients can be serious: cancelled operations and chemotherapy sessions, diverted emergency services, and even, reportedly, deaths. Indeed, a study by the Ponemon Institute goes as far as arguing that ‘cyberattacks against hospitals mean higher mortality rates’.
Other effects are less immediate, but still degrade the quality of care that patients receive. In August of this year, a ransomware attack against Advanced, a major IT provider for the NHS, caused disruption to NHS services that has lasted for months. The incident resulted in a significant backlog in accessing and processing patients’ records, which had to be kept by pen and paper in the meantime, causing missed GP appointments and delays in house visits. This kind of disruption also increases the workload of administrative and medical staff already under significant strain. The harsh reality is that ransomware attacks have the potential to increase disillusionment about the ability of the UK state to provide reliable healthcare.
Although healthcare is particularly vulnerable to ransomware attacks given the sector’s lack of cyber security maturity, its reliance on sensitive data, and its need for continuous operations, it is not the only critical service witnessing an increase in ransomware attacks. Educational institutions are also frequently subject to ransomware, as they are comparatively easy targets. All too often, these attacks are timed towards the beginning of the school or academic year to maximise impact and disrupt studies.
While most ransomware attacks are opportunistic, at least one ransomware group – Vice Society – appears to be deliberately targeting schools and universities, often leaking sensitive files on students and creating significant recovery costs. In the UK, ransomware attacks against the education sector take place in a broader context of acute budgetary constraints and rising energy costs for schools.
Ransomware operators have also frequently targeted local governments around the world, with US local governments particularly badly affected. Like healthcare and education, local governments face financial and resourcing challenges: budgets are tight and dedicated cyber security teams are often small or non-existent. Indeed, a 2021 Sophos survey of local governments found that they were both much more likely to be successfully attacked by ransomware and more likely to pay ransoms than the majority of other sectors.
One of the most notable ransomware attacks against a local government took place in Hackney, London in October 2020. The Pysa ransomware group disrupted several of Hackney Council’s services and even managed to depress the local housing market because council staff could not process land registry searches. As of October 2022, recovering from the incident has cost Hackney Council £12.2 million. With local councils in the UK dealing with significant budgetary cuts since 2010 – Hackney Council had already faced some of the highest cuts in the country – ransomware attacks divert increasingly limited resources away from delivering essential services to residents.
Beyond Financial Harm: The Societal Impact of Ransomware
What are the implications of ransomware attacks against essential services for citizens and society? First, ransomware causes downstream harm to the health, development and quality of life of individuals affected by it. Beyond the immediate impact on physical health, patients and families affected by ransomware attacks against healthcare services have been clear about the toll it can take on their mental health. This is also true for the IT staff, executives and business owners that have to respond to ransomware attacks – negotiating with criminals, placating angry customers, and dealing with massive recovery costs or even the risk of losing a business all cause considerable strain.
Second, the cost of recovering from ransomware attacks diverts resources from other priorities. While this clearly harms all types of victims, it is particularly acute for providers of public services. Given current budgetary constraints on public services in the UK, money spent on recovering from ransomware is money that could be spent on other pressing issues.
Finally, attacks against public services may also undermine citizens’ trust in the state. If the security of public services and data is perceived to be in doubt, people may lose confidence in the ability of law enforcement and the government to protect them. One recent study of a ransomware attack against a hospital in Düsseldorf, Germany observed a sharp reduction in the local population’s trust in the government and security agencies following the attack. The expectation that governments and law enforcement will protect essential services from organised criminal groups is not an unreasonable one.
Understanding the Victim Experience
So, what can be done? The first step is to improve our awareness and understanding of the experiences of ransomware victims, and the full range of harms and second-order effects on individuals, organisations, the economy and society.
If there is one thing that governments, practitioners and researchers can agree on, it is that we do not have sufficient data on those who have succumbed to ransomware attacks. Reporting is still limited, and many victims do not want to publicly discuss their experiences. Part of the reason is the reputational damage that may result from disclosure, particularly as ransomware operators have evolved and refined their tactics to increase leverage against victims by embarrassing them publicly. As the BBC’s cyber security reporter, Joe Tidy, made clear at a recent RUSI event, it is extremely hard to get information out of victims – a problem which has been exacerbated by a recent trend towards describing ransomware attacks in very vague terms (‘malware incidents’ or even just ‘cyber attacks’) in press releases and public statements. This has also not been helped by the broader culture sometimes seen in the cyber security community and the media of shaming the poor cyber security practices of victims, or by governments’ language reproving victims who choose to pay ransoms.
Furthermore, the reality remains that indirect effects of ransomware attacks are often not recorded by victims. There is often a focus on response and recovery, and not on documenting the long trail of harms that can result from an incident. This is, in some ways, natural, as victims of crime often want to move on and forget – but it is also a wasted opportunity, as tracking the longer-term effects is key to understanding the broader implications of ransomware for society and policy responses.
Above all, improving our collective knowledge of the broader impact of ransomware requires empathy, humility and openness.
This Commentary is part of a joint project between RUSI and the University of Kent on Ransomware Harms and the Victim Experience.
The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.
Research Analyst for Cyber, Technology and National Security
Dr Jason R. C. Nurse
Associate Fellow; Associate Professor in Cyber Security, University of Kent