Ransomware attacks are being linked to a litany of psychological and physical illnesses reported by infosec professionals, and in some cases blamed for hospitalizations.
A cybersecurity worker in the financial services industry, for example, pinned the stress of remediating ransomware on their heart attack, which ultimately required surgery to sort out.
Another, working for a charity, was hospitalized after their self-care went downhill following a ransomware attack. Dehydration caused by the excessive consumption of coffee, coupled with an insufficient intake of water and pre-existing medical conditions, led to health issues that required medical intervention.
These are just two of the plethora of stories revealed as part of a research piece from the Royal United Services Institute (RUSI) published this week [PDF], examining the untold harms caused by ransomware attacks on organizations and their staff.
It’s well known that cybersecurity pros face a challenging work environment with poor staffing levels and excessive workloads. The industry is as renowned for causing high stress levels as it is for high salaries, and episodes of burnout are so common that infoseccers say the mental and physical toll of dealing with ransomware attacks isn’t sufficiently recognized or appreciated.
One RUSI interview with a security specialist working for a consultancy revealed that a ransomware attack was so mentally damaging, due to their personal identity being so closely tied to their professional success, that the incident drove them to the brink of suicide.
A feeling of personal blame was felt in many other cases too, leading defenders to various states of mental ruin. Some drove themselves to exhaustion, working overly intensely to deal with ransomware for which they felt responsible.
Others described the immediate aftermath of an attack as “horrific,” leading to prolonged low mood. Some were left doubting their abilities, contemplating the decisions made that may have led to the attack – such as implementing sub-optimal controls or checks for vulnerabilities – and the decisions made immediately after the incident, fearing anything they did may worsen the situation.
Closely linked were the feelings of fear and worry, which were widespread. They manifested following different concerns, such as whether the criminals had actually been ousted from the network and whether this would impact the recovery, to the perceived threat of job losses and the infoseccers’ ability to get another position with a “tarnished” track record.
Some cited Post Traumatic Stress Disorder (PTSD) – which the survey’s authors pointed out was not a clinical diagnosis but rather named by respondents in “the non-technical sense used by lay people.” Regardless, that didn’t stop one engineering business from establishing a PTSD support team after recognizing the pressure its IT team was under following an attack.
The lingering threat of regulatory action is also a source of long-term mental strain for defenders, the interviews showed. Data regulators power to fine organizations for incidents that defenders blamed themselves for, was linked to a worsening mental state.
UK education regulator Ofsted’s role, which involves multiple follow-up surveys following a ransomware incident in the schools sector, caused some security staff to say they felt “raw” long after the attack was mitigated.
“While the psychological harm a ransomware attack causes is of course highly context-specific and also depends on the individuals involved and their existing mental health conditions, the interviews stressed the significance, extent, and multiplicity of ways in which victims experience psychological harm,” the report stated.
“Such psychological harm can reach far beyond the immediate response to a specific incident, affecting an individual’s wider professional life and impacting their personal life.”
Reported social harms were plentiful too, with incidents said to have strained relationships both with colleagues and families. Protracted periods of working, including at weekends, so the attack could be remediated as quickly as possible led to less time spent with loved ones and childcare issues.
“Another interviewee, who coordinated incident response, described how he personally provided impromptu childcare for one of their chief IT technicians, so that the technician could be ‘hands-on-keyboard’,” stated the report.
Relationships with co-workers can also take a hit in some cases, and in various ways. Some reported colleagues being grumpier due to increased workloads, while increased complaints became “annoying.”
The financial harms associated with ransomware attacks are almost exclusively focused on the victim organization, the recipient of the ever-lofty ransom demands. However, workers’ wallets also take a hit in cases where members of the IT team or board of directors are fired for their role in the incident, for example.
Payroll issues can also arise, but are rare, RUSI said. Many interviewees said they were able to meet payroll requirements but this was often just because the attack occurred shortly after payday, as was the case with the MSP who tipped us off to the attack at direct debit handler London & Zurich.
In one case, a security pro also had to pay for their own therapy sessions to recover from an attack.
“Many staff members experience different degrees of ransomware harm, which in turn have negative impacts on their professional and private lives,” the researchers said. “Such negative impacts are closely tied to the psychological impact staff members experience, again demonstrating the interconnectivity of harms – as well as the wide range of forms that psychological harm can take.”
The conclusions drawn from RUSI’s interviews come amid a backdrop of increasing ransomware attacks, an increase which Microsoft’s recent data suggests to be in the realm of more than 200 percent.
The researchers also noted that there are no signs of this stopping, largely due to factors including the sheer profitability of the business model and a blind-eye approach from Russian law enforcement. ®