Beyond the headlines of stolen data and financial losses, a new report has shed light on the silent struggle of ransomware victims: their mental well-being.
The psychological and physiological impact ransomware attacks have on individuals must be addressed by all incident response stakeholders, a report by the Royal United Services Institute (RUSI) outlined.
“When a ransomware attack impacts an organization, yes it causes disruption of services, but also there’s people within the organization, for example staff members, that all of a sudden cannot go home to their families,” noted Dr Jason Nurse, a University Reader in Cybersecurity at the University of Kent, when speaking to Infosecurity during Infosecurity Europe 2024.
Nurse contributed to the RUSI research paper, titled ‘Your Data is Stolen and Encrypted’: The Ransomware Victim Experience, published on July 2, 2024.
The new paper offers novel insights into the psychological experience of victims going through a ransomware incident, including what factors make their experience better or worse and what policy measures can help reduce harm to their well-being, Nurse explained.
Speaking with Infosecurity, Daniel Card, owner of PwnDefend and incident response specialist who has responded to high-profile attacks like WannaCry, said the RUSI report shines a light on the often-overlooked subject of the impact of cyber-attacks on the victims and responders.
“One thing when I go to an incident I say to people…make sure everyone drinks, eats and gets sleep. If people aren’t right, then the response isn’t right,” Card commented.
The report highlighted how line managers should be sensitive to workloads and the psychological, physical and other harm the ransomware attack has on both the organization and its staff members.
Public Policy Needs to Address Ransomware's Psychological Toll
The report stated in its recommendations that “mitigating the psychological impact of ransomware attacks needs to be at the center of the support given to (potential) victims preparing for and responding to a ransomware incident.”
Speaking about the report upon its release, Nurse said: “As the challenge and prevalence of ransomware attacks grow, it’s essential that governments make supporting the victims of attacks a priority in the development of their cybercrime and cyber resilience strategy.”
Public policy on ransomware must center on measures that mitigate victims’ harm, the report said. This includes acknowledging and mitigating the psychological impact on victims.
It called for more public funding on free mental health services, including therapy tailored to individuals affected by ransomware in the UK.
Third-party services that play a vital role in working with victim organizations ought also to recognize the importance of efforts that mitigate the psychological impact of ransomware attacks.
The report even suggested that cyber-insurance policies should provide coverage for mental health counselling during and after incidents.
Need for Improved Support from UK Agencies in Ransomware Attacks
The RUSI’s findings also highlighted some confusion over the input that government agencies, like the UK’s National Cyber Security Centre (NCSC) and law enforcement, can have in supporting victims.
The research found that victims are often uncertain where to turn for assistance. Therefore, the authors recommended that the NCSC provide more clarity on when and how it can support victims.
It also found that the UK’s Information Commissioner’s Office (ICO) can be slow to respond when contacted about incidents. This makes incident response more challenging for security teams.
Ongoing engagement with the UK’s ICO was a prominent ‘long-tail’ negative experience cited by victims who were interviewed for the report.
Victims routinely engaged in an ongoing exchange of letters with the ICO for months or years after the core elements of their ransomware recovery were complete.
The ICO provides a vital service in overseeing compliance with data protection regulations, with a focus on protection of individuals’ personal data.
The RUSI report recommended that the ICO maintain continuous assessments to maximize efficient triage and completion of investigations, enabling timely closure and/or accountability for organizations.
“Unfortunately, governments can move quite slow, rightly so in how they have to be careful in how they consider things. Ransomware attackers however are moving extremely quickly,” Nurse noted in his interview at Infosecurity Europe.
Cybersecurity Still Low Priority for Many Organizations
The report noted that despite continued awareness campaigns, cybersecurity is still, all too often, a low priority for many organizations.
Card said the scale of the challenge is “massive” and most organizations continue to have a weak security posture.
All organizations must consider themselves potential victims of ransomware attacks, the RUSI report said, and must therefore continue to improve their cybersecurity and cyber hygiene measures.
The RUSI paper is part of a series of research publications resulting from a 12-month research project, ‘Ransomware Harms and the Victim Experience’, conducted by RUSI and the University of Kent. The project is funded by the UK’s NCSC and the Research Institute for Sociotechnical Cyber Security.