Ransomware: Victim Insights on Harms to Individuals, Organisations and Society
Jamie MacColl, Dr Pia Hüsch, Dr Gareth Mott, James Sullivan, Dr Jason R. C. Nurse, Sarah Turner and Nandita Pattnaik
16 January 2024Long Read
Ransomware incidents remain a scourge on UK society. Based on interviews with victims and incident responders, this paper outlines the harm ransomware causes to organisations, individuals, the UK economy, national security and wider society.
- The research reveals a wide range of harms caused by ransomware, including physical, financial, reputational, psychological and social harms.
 - We set out a framework of:
Â
- First-order harms: Harms to any organisation and their staff directly targeted by a ransomware operation.
- Second-order harms: Harms to any organisation or individuals that are indirectly affected by a ransomware incident.
- Third-order harms: The cumulative effect of ransomware incidents on wider society, the economy and national security.
Â
- Building on an existing taxonomy of cyber harms,
1.
this framework will enable policymakers, practitioners and researchers to categorise more case studies on ransomware incidents and to better explain new and existing types of harm to the UK and other countries.
 - Ransomware is a risk for organisations of all sizes. The findings from this paper highlight that ransomware can create significant financial costs and losses for organisations, which in some cases can threaten their very existence. Ransomware can also create reputational harm for businesses that rely on continuous operations or hold very sensitive data – although customers and the general public can be more forgiving than some victims believe.
 - The harms from ransomware go beyond financial and reputational costs for organisations. Interviews with victims and incident responders revealed that ransomware creates physical and psychological harms for individuals and groups, including members of staff, healthcare patients and schoolchildren.
 - Ransomware can ruin lives. Incidents highlighted in this paper have caused individuals to lose their jobs, evoked feelings of shame and self-blame, extended to private and family life, and contributed to serious health issues.
 - The harm and cumulative effects caused by ransomware attacks have implications for wider society and national security, including supply chain disruption, a loss of trust in law enforcement, reduced faith in public services, and the normalisation of cybercrime. Ransomware also creates a strategic advantage for the hostile states harbouring the cyber-criminals who conduct such operations.
 - Downstream harm to individuals from ransomware is more severe when attacks encrypt IT infrastructure, rather than steal and leak data. There is no evidence from this research that the ransomware ecosystem is exploiting stolen or leaked personal data in a systemic way for fraud or other financially motivated cybercrimes. At present, exploiting stolen data for other activities is less profitable than extortion-based crime that takes away victims’ access to their systems and data. This finding may inform victim decision-making on when they should and should not consider paying a ransom demand.
 - The next paper from this project will outline what kinds of measures can reduce or mitigate many of the harms described in this paper.
WRITTEN BY
Jamie MacColl
Research Fellow
Cyber
Dr Pia Hüsch
Research Fellow
Cyber
Dr Gareth Mott
Research Fellow
Cyber
James Sullivan
Director, Cyber Research
Cyber
Dr Jason R. C. Nurse
Associate Fellow; Associate Professor in Cyber Security, University of Kent
Sarah Turner
Nandita Pattnaik
Expert on the security dynamics of a connected home environment.
- Jack BellMedia Relations Manager+44 (0)7917 373 069JackB@rusi.org
Footnotes
1.:
Ioannis Agrafiotis et al., ‘A Taxonomy of Cyber-Harms: Defining the Impacts of Cyber-Attacks and Understanding How They Propagate’, Journal of Cybersecurity (Vol. 4, Issue 1, October 2018), pp. 1–15.