“There was a bit of PTSD every time I walked through the office door”: Ransomware harms and the factors that influence the victim organisation’s experience

Ransomware is a pernicious contemporary cyber threat for organisations, with ransomware operators intentionally leveraging a range of harms against their victims in order to solicit increasingly significant ransom payments. This article advances current research by engaging in a topical analysis into the depth and breadth of harms experienced by victim organisations and their members of staff. We therefore enhance the understanding of the negative experiences from ransomware attacks, particularly looking beyond the financial impact which dominates current narratives. Having conducted an interview or workshop with 83 professionals including ransomware victims, incident responders, ransom negotiators, law enforcement and government, we identify a wide array of severe harms. For organisations, the risk of business interruption and/or data exposure presents potentially highly impactful financial and reputational harm(s). The victim organisation’s staff can also experience a range of under-reported harms, which include physiological and physical harms that may be acute. We also identify factors that can either alleviate or aggravate the experiencing of harms at organisational and employee level; including ransomware preparedness, leadership culture and crisis communication. Given the scale and scope of the identified harms, the paper provides significant new empirical evidence to emphasise ransomware’s positioning as a whole-of-organisation crisis phenomenon, as opposed to an ‘IT problem’. We argue that the wider discourse surrounding ransomware harms and impacts should be reflective of the nature of the real-term experience(s) of victims. This, in turn, could help guide efforts to alleviate ransomware harms, through improved organisational ransomware preparedness and tailored post-ransomware mitigation.