The Human Consequences of Ransomware Attacks

Author: Joseph Cheng, CISA, CRISC, CPA, MACS CP
Date Published: 22 June 2022

The Internet’s impact on daily life is unquestionable. It provides a platform for communication, ecommerce and interactions between individuals and enterprises around the world. As the human presence in cyberspace grows, so does the incidence of cyberattacks. In particular, ransomware attacks, whereby cybercriminals use sophisticated methods to attack computer networks and encrypt data, are being carried out in record numbers.1

Ransomware is malicious software (malware) that encrypts files on a computer without the owner’s knowledge. Once the system is infected, an onscreen alert advises the victim that the device has been locked or the files have been encrypted, rendering any systems that rely on those files unusable. In some cases, the ransomware may try to infect other related systems. Cybercriminals then demand a ransom in exchange for decryption and, if their demands are not met, they may sell or leak personal data.

Organizations and governments often focus on the financial loss and disruption to services caused by ransomware attacks; however, there may also be significant short- and long-term social and psychological effects on individual victims that are difficult to measure and, thus, are often overlooked. This is a crucial, but poorly understood, consequence of ransomware attacks that could ultimately lead to significant financial loss to organizations and governments due to human costs. Without a complete picture of all damages, organizations’ cybersecurity budgets may stay stagnant, and management will continue to underestimate the level of damage threats can do to organizations.

The Financial Cost of Ransomware Attacks

Nearly US$590 million in ransomware-related payments were reported to US authorities in the first half of 2021, 42 percent higher than the amount reported by financial institutions for all of 2020.2 The US Treasury’s Financial Crimes Enforcement Network projected that ransomware-related payments in 2021 could exceed the total value of payments made in the previous 10 years combined.3, 4

Globally, the cost of damages by ransomware attacks was US$6 trillion in 2021, double that of 2015. The average ransom paid by affected organizations was approximately US$170,000 and the average cost to resolve a ransomware attack reached US$1.85 million. The US Treasury Department estimated the average amount of reported ransomware transactions per month in 2021 was US$102.3 million.5 According to Blackfog, in 2021, government agencies were the top targets for cybercriminals, followed by education, healthcare services, technology, manufacturing and retail.6

Ransomware attacks are increasing every year, with attacks becoming more sophisticated and disruptive.7 Ransomware has become one of the most significant threats to the world’s economies. Authorities may be underestimating the damage to critical infrastructure, which poses a significant risk to essential services and the finance and health sectors.

Recent ransomware attacks around the world include:

  • Germany’s Oiltanking, one of the largest independent operators of tank terminals for oil, chemicals and gases worldwide, was hit by a ransomware attack in January 2022, which disrupted its IT systems and supply chain.8
  • A March 2021 ransomware attack against a Victoria, Australia, public health service affected four hospitals and aged care facilities and resulted in the postponement of elective surgeries.9
  • An attack against Colonial Pipeline in May 2021 forced the enterprise to shut down systems and disrupted the fuel supply for the east coast of the United States.10
  • Kaseya, an IT solutions developer, was attacked in July 2021, preventing users from accessing their systems and data.11

Ransomware attacks can cause significant financial and reputational damage to an enterprise or government agency. In addition to disrupting business operations and critical services, attacks can lead to other malicious activities. It is difficult to quantify the cost of an attack, especially the cost of reputational damage. Often the cost of recovering from an attack is greater than early and ongoing investment in prevention would have been. Financial impacts include:

  • Lost productivity—Enterprises cannot operate without reliable computer systems and data. An enterprise that is the victim of a ransomware attack has to shut down operations, causing a ripple effect on employees, customers and other enterprises. For example, the June 2021 attack on JBS Foods caused the suspension of the enterprise’s food-processing operations, and all its workers in Australia were temporarily laid off.12
  • Remediation costs—Depending on the scale of the ransomware attack, organizations may need to spend significant amounts of time and money to hire external consultants or vendors to rebuild systems and attorneys to deal with legal liabilities and penalties.
  • Financial losses—In addition to the loss of revenue when enterprises have to cease operations and deal with lost data or damaged computer systems, some organizations may decide to pay the ransom to get their valuable data and systems back online. However, in some cases, data restoration is incomplete, even if the ransom is paid.
  • Loss of data and files—One of the most devastating effects of an attack is the loss of valuable data and files. Even if the enterprise pays the ransom, there is no guarantee that the system and data will be restored without permanent loss or damage.

The Psychosocial Costs of Ransomware Attacks

Most studies of ransomware attacks focus on the financial impact on victims, including the enterprise itself, its workers, its customers and other related enterprises. However, these attacks also have significant social and psychological impacts that may be overlooked and go unreported.

WannaCry was one of the most well-known ransomware attacks in recent years, and the scale of damage was unprecedented. It infected more than 230,000 computers in more than 150 countries within one day.13 Affected organizations included healthcare facilities, car manufacturers, telecommunications providers, delivery services and educational institutions. Enterprises closed, production stopped and many enterprises rushed to restore their services. It was the first time a ransomware attack had spread around the world.

Monetary damages from WannaCry were greater than the ransom itself. The estimated recovery cost was nearly US$4 billion. Disruption to healthcare services was also significant. In the United Kingdom, 70,000 devices in the hospital network, including computers, magnetic resonance imaging (MRI) scanners and surgical equipment, were compromised. Affected hospitals across the United Kingdom declared a major incident and stopped all noncritical care while ambulances were diverted to other facilities. Some hospitals paid the ransom to get their data back from the cybercriminals.14

The psychological impact of WannaCry was significant as well. Patients felt helpless, disappointed and frustrated when their operations or treatments were canceled due to the crisis. This corroborates research suggesting that people feel worried, distressed, distrustful and helpless in response to ransomware attacks.15 Studies have also found that victims of cyberattacks may respond more negatively to the effects of the attack than to the attack itself,16, 17 including psychosocial (i.e., emotional and behavioral) repercussions.18 Social impacts include disruption in people’s daily lives, anxiety, and loss of confidence in technology, businesses and government. Psychological impacts include fear, emotional upset and irritation, and can lead to long-term psychological consequences such as anxiety, depression, panic attacks, and posttraumatic stress disorder (PTSD).19, 20 One study suggested that victimization can cause individuals to experience feelings of grief and anger and make them unwilling to adopt new technologies in the future.21 In extreme situations, victims can suffer from anger or rage. In addition, they may blame themselves or be blamed by their employers, families or society for the attack and feel shame. Indeed, the psychosocial trauma of cyberattacks can be similar to that of terrorist threats.22

Anxiety caused by cyberattacks can also lead individuals to change their behavior.23 Emotions not only direct people’s attention, but also motivate their actions. Although everyone acknowledges that the threat of cyberattack is real, each individual handles the threat differently. Some people may react logically, while others may react primitively, based on their feelings.24 People may exhibit protective or avoidance behaviors such as withdrawal, distrust and isolation in an effort to prevent an attack.25, 26

Trust is a key factor in the public’s perception of cyberrisk. The level of trust in a government or an enterprise can influence victims’ response to a cyberattack.27 Therefore, it is crucial that governments and enterprises understand how people react to both risk and actual attacks. Without this awareness, policies may not be effective.

Although there is some acknowledgment of the psychosocial impacts of ransomware attacks in the literature, few reports provide a comprehensive evaluation of the financial, reputational, social and psychological effects. This may be attributable, in part, to the lack of a reliable and standardized method to evaluate the psychosocial impacts of ransomware attacks.

To ensure that the damages caused by ransomware attacks are identified completely and accurately, it is important for governments, enterprises and regulators to establish appropriate calculation and measurement guidelines for the social and psychological impacts of ransomware attacks on victims, along with reporting mechanisms for organizations to report incidents and disclose damages to the public. Implementing proper reporting mechanisms would provide the comprehensive information needed to obtain management’s support for investing in cybersecurity to prevent future attacks. In addition, reporting incidents and disclosing damages helps organizations demonstrate accountability, which reduces negative reactions to threats and boosts public trust and confidence in the aftermath of a ransomware attack.

For victims, it is important that their frustration, anger, annoyance, anxiety, sense of violation and depressive symptoms are recognized and validated by authorities and healthcare practitioners. It is crucial for victims to overcome the psychological impacts with proper support, including counseling. Increasing community awareness about the potential adverse impacts on victims of ransomware attacks is also essential.

Conclusion

Most ransomware attacks are motivated by financial gain, and the victims’ monetary losses are often the focus because the financial impact can be readily measured. However, there is substantial evidence that ransomware attacks have significant psychological impacts on victims, including anxiety, depression, panic attacks and PTSD. Individuals may feel guilt and shame if they are blamed for the attack, and they may be traumatized and fearful of experiencing another attack. These mental health effects may be exacerbated by the financial, employment and relationship losses that can occur as a result of ransomware attacks.

Like reputational damage, the psychosocial impact of ransomware attacks is difficult to measure. It is important for governments and regulators to take the initiative to study and develop proper tools and standards to identify the victims who are affected by ransomware attacks and measure the social and psychological impacts in monetary terms that can be appreciated by enterprise management. Organizations, authorities and healthcare practitioners have a duty to acknowledge when victims experience and express psychological distress and should be proactive in helping victims access appropriate support. Demonstrating accountability with clear reporting and disclosure helps recover public trust in organizations following a ransomware attack. However, further research is required to develop a standard measurement tool to provide a comprehensive understanding of the damage caused by ransomware attacks on governments, businesses, society and individuals.

Endnotes

1 Thycotic, Ransomware on the Rise, USA, 2022, https://thycotic.com/resources/ransomware-whitepaper-reduce-risks-respond-attacks/
2 US Treasury Financial Crimes Enforcement Network, Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021, USA, October 2021, https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf
3 Melvin, J.; “Data Shows $590M in Ransomware Payments Reported to US in 2021 as Attacks Surge,” The Times of Israel, 16 October 2021, https://www.timesofisrael.com/data-shows-590m-in-ransomware-payments-reported-to-us-in-2021-as-attacks-surge/
4 Op cit US Treasury Financial Crimes Enforcement Network
5 Ibid.
6 Blackfog, “The State of Ransomware in 2021,” https://www.blackfog.com/the-state-of-ransomware-in-2021/
7 Australian Cyber Security Centre (ACSC), ACSC Annual Cyber Threat Report 2020-2021, Australia, 2021, https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21
8 Pearson, J.; “Shell Re-Routes Oil Supplies After Cyberattack on German Firm,” Reuters, 1 February 2022, https://www.reuters.com/business/energy/shell-re-routes-oil-supplies-after-cyberattack-german-logistics-firm-2022-02-01/
9 Hendry, J.; “Melbourne’s Eastern Health Hit By Suspected Cyber Attack,” iTNews, 18 March 2021, https://www.itnews.com.au/news/melbournes-eastern-health-hit-by-suspected-cyber-attack-562325
10 Tonkin, C.; “Major Meat Processor Hit By Cyber Attack,” Information Age, 1 June 2021, https://ia.acs.org.au/article/2021/major-meat-processor-hit-by-cyber-attack.html
11 Osborne, C.; “Updated Kaseya Ransomware Attack FAQ: What We Know Now,” ZDNet, 23 July 2021, https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
12 Op cit Tonkin
13 Hale, P.; “Wanna Cry Ransomware Attack: What You Need to Know,” Acronis, 17 May 2017, https://www.acronis.com/en-sg/blog/posts/wannacry-ransomware-attack-what-you-need-know/
14 Gregory, J.; “What Has Changed Since the 2017 WannaCry Ransomware Attack?” Security Intelligence, 1 September 2021, https://securityintelligence.com/articles/what-has-changed-since-wannacry-ransomware-attack/
15 Attrill-Smith, A.; C. Fullwood; M. Keep; D. J. Kuss (Eds.); The Oxford Handbook of Cyberpsychology, Oxford University Press, United Kingdom, 2018, https://www.oxfordhandbooks.com/view/10.1093/oxfordhb/9780198812746.001.0001/oxfordhb-9780198812746-e-35
16 Minei, E.; J. Matusitz; “Cyberterrorist Messages and Their Effects on Targets: A Qualitative Analysis,” Journal of Human Behaviour in the Social Environment, vol. 21, iss. 8, 2011, p. 995–1019
17 Gandhi, R.; A. Sharma; W. Mahoney; W. Sousan; Q. Zhu; P. Laplante; “Dimensions of Cyber Attacks: Social, Political, Economic, and Cultural,” IEEE Technology and Society Magazine, vol. 30, iss. 1, 2011, p. 28–38
18 Kamkar, K.; R. Duquette; “Psychological Trauma and Cybercrime,” Canadian Occupational Safety, 16 April 2021, https://www.thesafetymag.com/ca/news/opinion/psychological-trauma-and-cybercrime/252447
19 Monteith, S.; M. Bauer; M. Alda; J. Geddes; P. C. Whybrow; T. Glenn; “Increasing Cybercrime Since the Pandemic: Concerns for Psychiatry,” Current Psychiatry Reports, vol. 23, 2021, https://link.springer.com/article/10.1007/s11920-021-01228-w
20 Benson, V.; J. McAlaney (Eds.); Emerging Cyber Threats and Cognitive Vulnerabilities, Academic Press, USA, 2020, https://doi.org/10.1016/B978-0-12-816203-3.00004-6
21 Op cit Attrill-Smith et al.
22 Gross, M. L.; D. Canetti; “The Psychological Effects of Cyber Terrorism,” Bulletin of the Atomic Scientists, vol. 72, iss. 5, 2016, p. 284–291
23 Reid, L. W.; J. T. Roberts; H. M. Hilliard; “Fear of Crime and Collective Action: An Analysis of Coping Strategies,” Sociological Inquiry, vol. 68, iss. 3, 1998, p. 312–328
24 Cho, H.; T. Reimer; K. A. McComas (Eds.); The SAGE Handbook of Risk Communication, Sage, USA, 2015
25 Op cit Reid et al.
26 Beckers, T.; M. G. Craske; “Avoidance and Decision Making in Anxiety: An Introduction to the Special Issue,” Behaviour Research and Therapy, vol. 96, 2017, p. 1–2, https://doi.org/10.1016/j.brat.2017.05.009
27 Rogers, M. B.; R. Amlôt; G. Rubin; S. Wessely; K. Krieger; “Mediating the Social and Psychological Impacts of Terrorist Attacks: The Role of Risk Perception and Risk Communication,” International Review of Psychiatry, vol. 19, 2007, p. 279–288

JOSEPH CHENG | CISA, CRISC, CPA

Is an internal audit manager in Sydney, Australia. He has more than 20 years of experience in IT, IS audit, cybersecurity and governance. Cheng is also a member of the Australian Computer Society.