After the crisis comes the blow – the mental impact of ransomware attacks

With ransomware attack volumes increasing by 105% each year, one would expect that by now we know everything there is to know about this phenomenon. Indeed, knowledge has increased tremendously on subjects such as who performs ransomware attacks, which methods of attack are used, how we can set up our systems to prevent ransomware attacks, how we can forensically analyse our systems once an attack has taken place, and how we can recover our systems as quickly and securely as possible. There have been tremendous increases in knowledge on the visible, tangible impact of attacks, such as the operational impact and the monetary impact.

But what about the human side of all of this? Does ransomware have an invisible – maybe long-lasting – impact on the people involved? What can we expect in terms of the mental impact of ransomware attacks and, perhaps more importantly, what can we do to minimise their negative effects on people’s wellbeing? Northwave – an integral cyber security company – conducted unique research to gain insight into the mental impact of ransomware attacks. This research consisted of three parts, covering all major players involved in ransomware attacks. First, our own employees who come to the scene in case of ransomware attacks, our Computer Emergency Response Team (CERT), filled out questionnaires. Second, we conducted in-depth interviews with executives and IT managers of companies that were victimised by ransomware. Third, 315 employees of those same companies completed a questionnaire, including employees who were directly involved in responding to the ransomware attack (30%), employees who were indirectly involved or had a supporting role (30%), and employees who were not directly involved in responding to the attack (40%). The results of this research are outlined in this article.

What is ransomware?

Ransomware is a form of malicious software that encrypts your computer systems or files. This means that you are unable to access any file on your servers and computers. For companies, this usually means that they are unable to perform key business processes, because important (communication) systems and files are unreachable. The threat actor demands a significant sum of money to provide the keys needed to regain access to your data. Nowadays, criminals use several other methods to put additional pressure on companies to pay the ransom. They will not only demand a ransom, but also threaten to leak sensitive data on so-called “leak sites”, which often reside on the dark web. Sometimes criminals will also call employees of the company to increase the pressure further, or launch other forms of attack such as DDoS.

When people think about the threat actors responsible for ransomware attacks, they often envision ‘the lone boy in the attic’. However, this is no longer a realistic image. We see that ransomware groups are highly professional organisations with lots of expertise. This sophistication means that recovery from an attack is difficult and time-consuming. Companies are usually not just offline for one or two days, but on average for 23 days. This means that on average, it will take more than 3 weeks to get basic systems up and running again. During this long period of downtime, there is uncertainty about the future: nobody knows if the company will be able to survive. C-level executives are often used to working under such high levels of pressure, being away from home a lot, and making complicated decisions under unclear circumstances. But others involved in the process, such as members of the IT team or people responsible for crisis communication, are usually not used to the enormous pressure, responsibility, and immense workload. Therefore, it is not hard to imagine that this time will have a great impact on people’s psyche.

The timeline of the mental impact of a ransomware attack

We see that the mental impact of ransomware attacks occurs in roughly three phases, spanning approximately the first week after the attack, the first month after the attack, and the first year after the attack.

Phase 1: week 1 – crisis

During the first week of a ransomware attack, oftentimes the whole business comes to a standstill. It is crisis, chaos. IT, management and the Northwave CERT are working 12-16 hours per day, including the weekends. At this point, it feels doable for most team members, because of the adrenaline pumping through everyone’s veins. However, the pressure is enormous. As one IT manager said in our interview: “I think we went through all stages of the grieving process. I almost kicked out a glass door”.

People sense helplessness: employees are motivated to help, but do not know how and where to start. The feeling of guilt is common, because ‘we should have seen this coming’ and ‘we should have done more to prevent this’. Perhaps most common is the feeling of worry, not least about job security, as senior management is asking who is to blame.

The stress, the irregular schedules, and the junk food result in many physical complaints. These include headaches (44% of employees directly involved in resolving the attack, and 48% of CERT team members), neck and back pain (30% of employees directly involved, and 34% of those indirectly involved), and trouble sleeping (63% of employees directly involved, 52% of employees indirectly involved, and 52.4% of CERT team members). IT directors and managers also mentioned high blood pressure in interviews, in one case even resulting in a heart attack. These symptoms emphasise the need for regular breaks. Indeed, taking breaks and having time to relax alone is considered very important by the majority (86%) of CERT team members.

Oftentimes, these first symptoms of mental health problems are ignored: people are in crisis mode, so they pay little attention to the impact the crisis may have on their wellbeing. Yet, we also see the first cases of people dropping out: two out of nine IT managers reported that they had to send IT personnel home because they were completely jaded. Those who remain start coping in different ways. IT directors and managers mentioned seeking comfort in food or drinks, and some even start smoking again.

This was just week one, and it will not be over soon.

Phase 2: first week to first month – from crisis to incident

After the first week, we can see that the first basic functionalities are getting back online, but most of the key processes are still down or running manually. The IT team is now not only responsible for recovering all systems from the attack, but they are also responsible again for delivering support to the IT systems that are up and running already.

At this point, adrenaline is running out. People get exhausted. Nevertheless, pressure keeps rising. There is pressure from people’s personal lives, as families do not understand why people miss out on important occasions such as Christmas, just because of work. At this point, 48% of CERT team members report feeling guilt towards their private life. One IT manager indicated: “I had to re-introduce myself to my wife and children at home because I had worked such long days. I was very on edge at home.”

There is also pressure from colleagues who are not directly involved: Why is the recovery taking so long? Why does everyone suddenly have to make new passwords and use two-factor authentication? The IT team is still up to their ears in the crisis, but colleagues already start to ask questions about regular projects. This results in negative thoughts and rumination for 60-75% of those indirectly or directly involved in the attack, and even among those employees not involved in the attack, about half report rumination.

By the end of the month the heat of the crisis is over. With most systems up, Northwave has left, leaving the IT team on their own. The impact of the crisis is becoming more and more evident. Sleeping problems (40%), headaches (29%) and tiredness (57%) remain for those directly involved in resolving the attack. Moreover, about one in four employees report regularly feeling intense emotions such as anger and sadness. Two out of the nine interviewed managers indicated that they gained about 7-10 kilos of weight, because of a lack of time for exercise and relaxation. As one CIO mentioned, “I only focussed on work, even when I was off, I did not have the energy to do hobbies. If I did something fun anyway, I felt guilty towards work, I never had the idea that it was enough”.

And it still is not over.

Phase 3: first month to first year – from incident to project

More than one month after the hack, business as usual is resuming. The IT team is still working on the long tail of the recovery. It has become a project – implementing security improvements, recovering the last systems, migrating others – and it feels like it never stops. Phone calls outside of office hours still seem to startle everyone within the team: ‘did it happen again?’

Because for most employees it’s business as usual again, they start to forget about the crisis. We can feel that the sympathy for the IT team is ebbing away. At the same time, the IT team is still feeling worn out after weeks of crisis and months of pressure. And because their colleagues’ sympathy and understanding is decreasing, they are struggling to talk about their experiences, resulting in more turnover within IT roles. These long-lasting effects have an impact on turnover: 18% of those directly involved in the attack report that they have considered or are still considering changing jobs. It is noteworthy that we distributed our questionnaire amongst employees via the companies themselves; thus, people who may have changed jobs outside of the company are not included in the sample. Moreover, more than half of managers and IT personnel report in interviews that several employees have been absent from work for a prolonged period, for months to even a year after the attack.

So, the crisis has faded but the invisible impact continues to leave traces, and these traces are serious. The attack has lasting consequences on the way employees view the world. Two thirds of employees, including those not involved in the attack, now believe that the world is a very dangerous place. As one IT manager indicated, “I have become much more suspicious of the outside world. It’s an evil place”.

Not surprisingly, the attack is still an emotionally charged subject. Half of the interviewed IT managers and CEOs indicate that it is difficult to talk about: “I feel the tears welling in my eyes”. Even months after the attack, about one in seven employees who were directly or indirectly involved in the attack show symptoms that are so severe that they are above the clinical threshold where professional help to deal with trauma is needed. One IT director stated, “This is the worst situation I have ever been in. I suffer from an enormous sense of guilt, which remains to this day”. Employees in companies that have been attacked by ransomware are also clear about their needs. One in five employees indicated that they would have liked more professional help to deal with the attacks afterwards, and one in three would have liked more knowledge and concrete tools to deal with the mental consequences of the attack.

Positive effects

Besides the staggering negative effects, there are also positive effects of ransomware attacks. In many cases, the IT department is finally able to schedule some overdue security maintenance, as the company now prioritises cybersecurity more. Some security improvements that had been on the backlog for a long time can be quickly implemented as part of the IT recovery. Moreover, even though some colleagues did not understand the stress the IT department was under, other colleagues were supportive, helping by bringing snacks during the long days of the first weeks of the crisis, and asking how they were doing. Indeed, 44% of the interviewees mentioned that collaboration was vastly improved, and one in five employees involved in ransomware attacks indicates that they feel “closer than ever” to their colleagues. As one IT director stated, “getting attacked was one of the best teambuilding activities we ever had”.

Key lessons

The findings of this research stress the importance of active involvement in recovery of both the visible and the invisible impact of ransomware attacks. Our research points to several key lessons for each phase.

  • In phase 1, make sure to have regular check-ins. It is impossible to sprint a marathon, and a ransomware attack is a marathon. Make sure that people take regular breaks, and work in shifts. People feel responsible, which means that some people need to be told to take time off. See what coping mechanisms people employ, as unhealthy coping is common.
  • In phase 2, manage the workload of the incident team wisely. Distinguish between incident work and regular tasks. Whenever possible, find extra people for regular tasks. Create a rhythm with rest and recovery time for everyone.
  • In phase 3, plan evaluations. It is extremely likely that many of those involved in ransomware attacks will start to develop mental health symptoms. Because closeness amongst colleagues increases, creating an open environment in which such feelings can be discussed on a regular basis can be a powerful tool. People want to talk about what happened and what it meant, and facilitating this can be a huge help.

Based on the results of the research, Northwave will develop a program to help companies prepare for the mental impact of ransomware attacks, and to help employees recover from cyber incidents more quickly, to minimise the negative impact on companies as much as possible.

In the week of 7 November, Northwave publishes a whitepaper with the complete results of the study.