It's well known that ransomware attacks are one of the most significant cybersecurity challenges facing the world today, and often the financial impact on victims is the most obvious and most discussed consequence. But that's far from the only cost.
The Ransomware Harms and the Victim Experience project by the Royal United Services Institute (RUSI) and the University of Kent looks to explore and draw attention to the psychological harms and other effects that ransomware can have on its victims and wider society.
"We've seen lots of mentions of ransomware, but what we haven't seen is a focus on the victims and the impact," said Jason Nurse, professor in cybersecurity at the University of Kent and associate fellow at RUSI, speaking at an event in London to launch the project.
"There's focus on the financial impact of ransomware, but what we're especially interested in for this project is what are the harms beyond the financial impact? How are victims, be it organizations or individuals, impacted by ransomware?" he added.
The project aims to draw attention to the disruption ransomware can cause to organizations and individuals, and wants to provide a framework that makes it easier to understand the impact cyberattacks can have on the 'real world' and to prevent them from causing widespread disruption.
While cyberattacks might be viewed as a problem for the cybersecurity industry, a major incident can have far-ranging consequences, which means ransomware can have a huge impact beyond the problems it causes for IT professionals. The UK's National Health Service (NHS) got a taste of this impact in 2017 when it was one of the most high-profile victims of the global WannaCry ransomware attack.
"A ransomware attack can have such far-reaching and damaging consequences that isn't a targeted attempt to undermine critical infrastructure per se, it's an attempt to make money. And in so doing, almost by accident, it actually cripples critical infrastructure," said Eleanor Fairford, deputy director for incident management at the National Cyber Security Centre (NCSC).
Hospitals and healthcare appear to be particularly vulnerable to ransomware attacks. It is difficult to keep systems up to date with security patches because it's hard to apply an update to a vital machine that must be online at all times.
This vulnerability means cyber criminals know that hospitals are potentially easy targets. Organizations in many other sectors could potentially keep working without computer systems while attempts are made to restore the network without paying a ransom, but a healthcare provider might not have that luxury.
"We in security often sit in a bit of an ivory tower and we speak about these things academically and theoretically – but we have to remember there are victims at the end of this chain and it impacts their lives," said Jen Ellis, co-chair of the Ransomware Task Force (RTF).
Another popular target for ransomware gangs has been local government, which – like healthcare – often doesn't have the budget or staff required to invest heavily in cybersecurity but provides vital services to the local population. Disrupting those services can lead to significant issues.
"It's less the ransomware itself than the knock-on impact and the human factor – it's really powerful," said Fairford, who as an incident responder at the NCSC has been involved in dealing with attacks. "I've always been struck by how powerfully it's felt by those who aren't the victims."
For example, in October 2020, the London Borough of Hackney was hit by what the NCSC has since detailed as a ransomware attack. The borough didn't pay the ransom, but services were disrupted for many months while systems were repaired and restored. For many people living in Hackney, the incident was emotionally and psychologically damaging.
"We've had various testimonies – and the testimony from Hackney, people are still tearful when they talk about how they were unable to continue to do their jobs or provide services and look after their community," said Fairford.
That's why it's imperative that organizations take action to prevent their networks from falling victim to ransomware in the first place; if cyber criminals can't get into networks to encrypt them, then they can't hold organizations – or wider society – hostage.