For all the prominence of ransomware and the chaos left in its wake, most conversations around attacks tend to focus on the financial damage. Companies have blamed ransomware for insolvencies, while the global financial cost of ransomware attacks totals hundreds of billions of pounds.
But there is another, less frequently discussed cost: the huge emotional and physical toll on the people left dealing with the aftermath of attacks.
Two new reports, The Ransomware Victim Experience from defence thinktank RUSI and an accompanying academic article for the Journal of Cybersecurity, outline just how devastating these attacks are to victims’ health and wellbeing.
The psychological impact of ransomware
The reports paint a grisly picture for the people involved, with attacks impacting everything from organisational wellbeing to family lives and the mental and physical health of victims. One person claims the ordeal contributed to a stroke that they suffered shortly afterwards. A senior executive, meanwhile, suffered from “a little bit of PTSD” every time they returned to the office and even reported feeling suicidal.
“There’s so much that impacts the IT team, the security team and other people across the business,” says report co-author Jason Nurse, who is a reader in cybersecurity at the University of Kent. “Psychologically, it’s significant. It really hits people quite hard. Often people aren’t keen to return to work.”
As attacks were ongoing, many security professionals said they were unable to sleep or eat properly and worked extremely long hours to restore normalcy. At the height of the pandemic, some staff were required to work together in small rooms for long stretches at a time while they tried to restore systems. This heaped on additional pressures and contributed to their feelings of anxiety. One victim was sent to hospital with panic-induced heart palpitations as a result of the attacks.
“The reality is that security teams need to drop everything because the business cannot function unless this is addressed,” adds Nurse. “There’s pressure from other teams and external stakeholders and you have a very limited number of people that have to think about how they’ll respond. How do we engage? What do we say? How do we tackle this? Often the survival of the business comes down to this small set of people.”
Response teams often cannot go home. They are working around the clock, tired and stressed, and the pressure piles up the longer incidents go on. Some incident response firms, the researchers found, developed in-house confidential trauma counselling for clients – with around 20% of victim organisations making use of the service after the fact. Many of the victims found that they could not return to the office after the attack and soon moved on to other roles.
Exploiting the human psyche
Taking advantage of human fallibility is an essential component in any cyber attacker’s arsenal: not just in tricking victims into opening a malware “payload”, but in pressuring the people on the receiving end to pay too.
With the advent of ransomware-as-a-service – where core teams develop malware, then affiliates pay to access and deploy it – targeting businesses is easier than ever. Competition between cybercrime groups and law enforcement has led to an arms race to create more effective tools and methods.
At the same time, cybercriminals are also under pressure to devise new kinds of social engineering to convince their victims to open those payloads and to extort them more efficiently once that data is encrypted.
Now criminals are increasingly extorting victims twice: first by encrypting their data and then by threatening to dump it in public channels if they are not paid. New groups such as Volcano Demon are even using high-pressure sales tactics like cold-calling to extort their victims, where they ring up targets to discuss their options for getting their data back.
“Attackers have had to be more devious in their approaches to get people to pay, engage and respond,” says Nurse. “They try to get under people’s skin and into their minds to understand: how can we exploit people? How can we pressure them? How can we touch all of their pressure points to increase the likelihood of them paying?”
When the very nature of these attacks is rooted in exploiting human psychology, it’s little wonder they take a psychological toll.
Why employee wellbeing improves resilience
Employee wellbeing is rarely a consideration when assessing cybersecurity. Yet RUSI’s research found that organisations with comprehensive wellbeing initiatives and high morale were among the most effective for protecting employees. Businesses where employees felt valued were more likely to weather the ransomware storm.
“High company morale made a big difference going into an attack,” says Nurse. “And good, strong leadership – thinking about preparation and things like existing key resiliency practices before an incident took place.”
Unsurprisingly, building a strong security culture helped staff withstand the blows. But ‘soft’ measures also went a long way towards helping businesses bounce back from ransomware. For instance, organisations benefited from having a set of trusted advisors internally who were prepared to respond to ransomware and could be the calm voices in the room in a sea of understandable panic. Meanwhile, setting up corporate communication channels and strategies before attacks occurred also resulted in better outcomes.
In the midst of dealing with an attack, it was also crucial to plan ahead for continuity by introducing rota systems in case the issue was not resolved quickly. While staff may have had to work long hours, small measures went a long way, such as bringing food carts into the room, allowing employees to go home for a couple of days before returning or paying for nearby hotels.
After incidents occurred, businesses that continued to take employee welfare seriously and provided access to psychological health or support services performed better. And they also tended to fare better when they quickly engaged with trusted third parties to help alleviate problems.
Putting support measures in place for IT staff is essential not only for their own health, the researchers found, but also for the health of the organisation once everything is up and running again. One financial services firm said that offering core IT colleagues gardening leave after the crisis was resolved would have saved the company from “months and months” of sickness leave.
A long-lasting challenge for security leaders is becoming integrated with the rest of the business. All too often, security or IT teams might feel siloed or that they are perceived as a blocker to business operations. This report underscores the fact that these security practices are essential to business continuity, especially in crisis situations. And in those situations, providing cybersecurity teams with additional support is essential.
Four ways to soften the blow of ransomware