CyberWire Daily - Understanding the multi-tiered impact of ransomware. [Research Saturday]

Episode Date: March 9, 2024

This week we are joined by Jamie MacColl and Dr. Pia Hüsch from RUSI discussing their work on "Ransomware: Victim Insights on Harms to Individuals, Organisations and Society." The research reveals some of the harms caused by ransomware, including physical, financial, reputational, psychological and social harms. Researchers state "Based on interviews with victims and incident responders, this paper outlines the harm ransomware causes to organisations, individuals, the UK economy, national security and wider society." The research can be found here: Ransomware: Victim Insights on Harms to Individuals, Organisations and Society

Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:01:54 It's known by most people as RUSI, and it's the oldest defense and security think tank in the world. I think one of the oldest think tanks in the world. It was founded in 1831 by the Duke of Wellington. And historically, it's predominantly been associated with military history, the military sciences, until the last few decades when it's moved into kind of broader security areas, much like, you know, global security has changed in the last several decades. Our guests today are Jamie MacColl, a research fellow in cybersecurity, and Dr. Pia Hüsch, a research analyst. They're both from the Royal United Services Institute, commonly known as RUSI. The research we're discussing today is titled Ransomware:
Starting point is 00:02:44 Victim Insights on Harms to Individuals, Organisations and Society. Well, let's dig into this research itself. What prompted you and your colleagues to take on this topic? So I've been interested in ransomware for quite a long time. I used to work in cyber threat intelligence. And when I started in that, it was when targeted ransomware was first becoming a phenomenon. So when SamSam was coming through targeting local governments and hospitals in the US. And I moved into public policy about three or four years ago.
Starting point is 00:03:35 And at that point, people were starting to pay attention to ransomware and the national security community, sort of public policy community, but it still wasn't really considered a kind of national security issue in the way it is today. And this specific research was prompted by the real lack of kind of insights and transparency that there is around kind of what victims go through and the harm that ransomware is creating for victims. So yeah, it's something that I was thinking about for a long time and something that I knew would be very challenging just because you may know as a journalist how difficult it is to get victims of ransomware or any cybersecurity incident really to speak about their experience. Yeah. So Pia, I would love to dig into the framework that you all have here in the research here. In the section on the ransomware harms, you organize it into first order, second order, and third order harms. Can we go through
Starting point is 00:04:46 those one at a time and describe what we're talking about here? Yes, of course. So for the first order harm, we are looking at the organization and its staff members that have been directly hit by the ransomware attack. So think about an organization and their staff members or a school and the teachers or the hospital and any staff members who work there. They experience a wide range of harm. It could be on the organizational side, it could be financial, it could be reputational, and so on. And then on the individual side, you might experience psychological harm, again, financial harm, but also reputational harm or weakening of social links. And so let's continue on to the second order.
Starting point is 00:05:41 For the second order victims, we're looking at more indirect victims. So this could now be individuals who are patients at a hospital that's been affected, students at a school that's been impacted. But also if you're an organization and anyone in your supply chain might experience a ransomware attack, then you're still a victim. But in our framework, you're a second-order victim in that instance. One of the things that I found fascinating in the research was kind of the distinction between the organization itself and the employees, the people who work there. Can you take us through that difference? Yes, in our research, we wanted to distinguish between the two because the priorities and the way you experience a ransomware attack might differ. So if you're an organization, in particular, its senior management, you might be very concerned about the financial implications
Starting point is 00:06:37 of a ransomware attack. That's because to some businesses, a ransomware attack can have existential consequences or an existential risk. So your main priority is how to stop any business interruption and how can you quickly go back to business as usual. Whereas if you're an individual working at an organization that had a ransomware attack, or if you're perhaps part of the IT team working to counter the ransomware attack, then you're primarily experiencing stress and anxiety. It's really the psychological harm that hits you the most. Jamie, can I hand it over to you to talk about the third order harms? Yeah, so the third order harms is what we characterize as the cumulative effect of ransomware incidents on a country's national security, economy or society. The reason we wanted to focus on that as a category
Starting point is 00:07:33 was to really try and emphasize to, I suppose, policymakers in particular, but also industry and the general public that it's quite easy to forget how many ransomware incidents we've seen over the last several years against critical national infrastructure, against small businesses. And our feeling is that the cumulative effect of that is actually having an impact on, you know, the UK, the US's national security, on their economies, on society, whether that is because of, you know, particularly in the US, the number of ransomware attacks you've seen against healthcare providers. In the UK, we've had a lot of ransomware
Starting point is 00:08:25 attacks against primary and secondary schools over the last several years, you know, which does have consequences for, you know, the education of our children. But also in terms of national security, you know, no firm is safe, and that includes, you know, critical companies and logistics. And yeah, so the idea was really just to highlight how bad the problem has got.
Starting point is 00:09:03 We'll be right back.
Starting point is 00:09:37 It's interesting to me that, at least my perception is, that element is not as emphasized as the other. So we talk about the financial loss and the reputational impact, but the notion of the impact on broader society, I think it's underreported.
Starting point is 00:10:47 To me, I can't help wondering, Pia, I'm curious on your take on this. Is there like an escalation of the notion of kind of ambient anxiety? You know, that there's this thing that could happen and you don't know who's going to be hit next. I think the reason why it's underreported that it's such a national security threat and the wider societal implications is because it's
Starting point is 00:11:14 really hard to demonstrate that. The further away you get from the immediate victim, the harder it is to actually demonstrate that the harm occurs as a result of a ransomware attack. A lot of the victims we talked to experienced a ransomware attack during or after the pandemic. So a lot of the consequences occurred at the same time as they were assessing, is this a result of the pandemic or does this come from a ransomware attack? So it's really hard, and that's hard for an individual organization, let alone on a national level, on a society level, to trace back where certain trends and, yeah, harms come from. So I think that's why we
Starting point is 00:11:58 don't talk about the national level enough. I think there is an ambient anxiety about cyber attacks, but I think that tends to more be about kind of hostile state activity. So predominantly Russia, China, Iran, North Korea. And I think that's also a sort of comfort zone for policymakers. They understand why those states are a threat and kind of have an existing framework to think about combating it. I don't think that we've really wrestled with the idea that there is a highly disruptive form of cybercrime that can cause as much harm, I would argue, as anything that Russia, Iran,
Starting point is 00:12:51 North Korea, and China could do. Well, the third section in the research talks about the implications for policy and future research. Can we go through some of the highlights from that? What are you recommending here to policymakers? So unusually for a policy paper, we haven't actually kind of recommended anything specific at this stage because the project is still ongoing. There are certainly implications in the paper for public policy around cybersecurity
Starting point is 00:13:24 and around national security more generally. The main one, as I've just touched on, is that I think we believe that ransomware should be treated in the same way as nation-state cyber threats are in terms of how law enforcement intelligence agencies are resourced and tasked. So that's one important takeaway for us. And then I think a couple of others, and Pia's already touched on this, but we are very keen for people to start thinking about ransomware and cybercrime more generally as something that causes harm beyond just the financial losses, which are much easier to understand and quantify. And one thing that we really pick up on the research
Starting point is 00:14:20 is the psychological harm to staff and individuals downstream from a ransomware attack. And we had some quite harrowing conversations at times with people that either owned companies or worked at companies affected by ransomware. And it had taken quite a significant toll on their mental health, personal lives, social lives. And I think that's something that tends to get missed with cyber
Starting point is 00:14:55 because it is something that is quite intangible to most people. From most people's perspective, it's something that happens in a virtual space rather than the physical environment. Pia, what are your insights when it comes to aspirational policies here? Yeah, I would also say that one of the other implications that follow from the research was that particularly when you look at second and third order harm, so harm experienced more indirectly, this tends to disproportionately affect those who are already vulnerable. Think about the patient in the hospital waiting for a treatment. Think about perhaps a student, already like a very young person. Think about someone in a council who is receiving benefits
Starting point is 00:15:47 from a local council then unable to receive them. These are already people who are in a vulnerable position to begin with, but they might be more affected by some of the ransomware attacks and the indirect harm that they're experiencing. Just because if you're in a more privileged position, you might be not receiving benefits in the first place, or you might be able to afford private healthcare. But it's really where ransomware attacks target those public service providers that indirect victims who are already vulnerable feel a disproportionate amount of harm. Where do you hope that this research leads? What are next steps here for you and your colleagues? We're publishing a second paper based on the same interview data that really dives deeper into the victim experience and what makes the victim experience better or worse.
Starting point is 00:16:38 So we're exploring the factors that can help victims, but also the factors that make it particularly bad going through a ransomware incident. And that paper will follow up with some detailed policy recommendations, what policymakers but also victims, service providers such as incident response teams can do, and then also the public sector, of course, what they can do in order to mitigate ransomware harm and help the victims. Jamie, any final thoughts? Yeah, I mean, one of my hopes with the research is that it contributes to the wider public debate about whether to treat ransomware as a national security issue or not.
Starting point is 00:17:29 Because I think quite a lot of, and maybe this is more in the UK and Europe than the US, and there have been kind of senior national security figures in the US that maybe have been more vocal about it than in the UK. But I think in a lot of ways, people have been paying lip service to ransomware as a national security threat. So, you know, that'd be the odd speech about it, maybe the odd interview.
Starting point is 00:17:56 But when you actually look at resourcing, legislative changes, how it's prioritized within intelligence agencies, I don't personally think much has changed. And I think it's quite important that we kind of overcome the cultural bias, I think, within the national security community that doesn't treat serious and organized cybercrime with the respect that it deserves. Our thanks to Jamie MacColl and Dr. Pia Hüsch for joining us.
Starting point is 00:18:46 They are both from the Royal United Services Institute. The research is titled Ransomware: Victim Insights on Harms to Individuals, Organisations and Society. We'll have a link in the show notes.
Starting point is 00:19:32 The Cyber Wire Research Saturday podcast is a production of N2K Networks. This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman.
Starting point is 00:20:18 Our executive producers are Jennifer Iben and Brandon Karpf. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
