Kent Academic Repository

‘Your data is stolen and encrypted’: the ransomware victim experience

Hüsch, Pia, Mott, Gareth, MacColl, Jamie, Nurse, Jason R. C., Sullivan, James, Turner, Sarah, Pattnaik, Nandita (2024) ‘Your data is stolen and encrypted’: the ransomware victim experience. RUSI Occasional Papers. ISSN 2397-0286. (KAR id:106978)

Abstract

This paper aims to understand the wide range of harm caused by ransomware attacks to individuals, organisations and society at large.

More individuals and organisations in the UK and globally are becoming victims of ransomware. However, little is known about their experiences. This paper sheds light on the victim experience and identifies several key factors that typically shape such experiences. These factors are context specific and can either improve or worsen the victim experience. They include the following:

- Timing of an incident, which may happen after a victim has increased their cyber security measures or at an already stressful time for an organisation, such as the beginning of a school year.

- Level of preparation in the form of strong cyber security measures and contingency plans explicitly tailored to respond to a cyber incident.

- Human factors, such as the workplace environment and pre-existing dynamics which are often reinforced during an incident. Good levels of unity can bring staff together during a moment of crisis, but a lack of leadership or a blame culture are likely to aggravate the harm experienced during the incident.

- Engagement with third-party service providers, such as those providing technical incident response or legal services, can alleviate the negative aspects of the victim experience by providing critical legal, technical or other help. However, they may aggravate the harm by providing poor services or losing valuable time in responding to the incident.

- A successful communications campaign is highly context- and victim-specific. It must include external and internal communications with staff members not part of the immediate response to ensure a good workplace culture.

For support, many victims turn to public sector institutions such as law enforcement. Expectations for technical support and expertise from law enforcement are generally low, but victims feel especially unsupported where phone calls are not returned and there is no engagement or feedback loop. The National Cyber Security Centre enjoys a better reputation. However, there is widespread uncertainty about its role and the thresholds that must be met for it to provide support. This poses a reputational risk.

Understanding how ransomware attacks are personally felt by victims and what factors aggravate or alleviate the harm they experience is key for policymakers seeking to implement measures to minimise harm as much as possible.

Item Type: Article
Uncontrolled keywords: cybercrime; cyber security and resilience
Subjects: B Philosophy. Psychology. Religion > BF Psychology
H Social Sciences > HF Commerce
Q Science > QA Mathematics (inc Computing science)
T Technology
T Technology > T Technology (General)
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Funders: Engineering and Physical Sciences Research Council (https://ror.org/0439y7842)
Government Communications Headquarters (https://ror.org/052mq0r90)
Depositing User: Jason Nurse
Date Deposited: 22 Aug 2024 10:51 UTC
Last Modified: 23 Aug 2024 10:39 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/106978 (The current URI for this page, for reference purposes)
