Different types of ransomware have been on the rise since the pandemic started, and it has become clear that the harm and disruption they cause to essential services is broader than is immediately apparent. In times of public health crises, they render societies even more vulnerable. As we documented in our report entitled Playing with Lives: Cyberattacks on Healthcare Are Attacks on People, hospitals treating COVID-19 patients were targeted with impunity in many countries around the world. Such attacks have also hit critical infrastructure, schools and public institutions. Taken together, these trends show a far reaching, cross-sectoral impact that remains difficult to assess. Through initiatives like Cyber 4 Healthcare and the Ransomware Task Force, the CyberPeace Institute has been, and continues to be, deeply engaged on this issue, advancing a victim-centric approach as part of the solution.
Societal impacts of ransomware attacks
Over the years, the study of ransomware has largely been associated with economic or security impacts, with less focus on the societal impact. After all, the prime motive of such an attack is financial gain. Double extortion has become the norm, involving both threats and data leaks in a complex cybercrime ecosystem, in which ransomware is often sold as a service. In 2020, cybercriminals succeeded in collecting ransom amounts totalling almost US$ 350 million in cryptocurrency, a 311 percent increase over 2019.
Software vulnerabilities, such as the recently discovered ProxyLogon, can be further exploited and monetized by ransomware gangs. And nobody is safe: even technology companies and law enforcement units can fall victim to an attack. Due to a recent cyberattack on a supplier, Apple is currently experiencing a ransom demand for the return of product blueprints by the REvil hacker group, also known for attacks against healthcare and manufacturing. The Metropolitan Police Department of the District of Columbia was recently hacked by the Babuk Locker gang in a double extortion attack, which threatened to expose police informants if the ransom was not paid.
Cooperation of all stakeholders, including civil society
To address the multifaceted impact of ransomware, we need an inclusive approach which includes contributions from all affected stakeholders. On 8 April 2021, the Five Eyes Countries (Australia, Canada, New Zealand, the United Kingdom and the United States) issued a joint statement recognizing ransomware as ‘a national security threat’, which can ‘[…] pose a significant threat to Governments, critical infrastructure and essential services on which all our citizens depend’. While condemning the threat actors targeting the public health response with ransomware, they call for a collective response in cooperation with industry, businesses and individuals.
The CyberPeace Institute welcomes this development to enhance public awareness and to promote a wider view of the ransomware issue. We stress that an inclusive approach is necessary, in particular for the role that civil society plays in protecting vulnerable groups. Across various geographies, civil society works to directly assist victims, to supplement and complement the work of state bodies in both digital and physical contexts.
Over the years, attempts to counter ransomware have been filtered through the lens of either financial losses or national security. While these are real (and conveniently quantifiable) issues, the harm caused by these attacks can span space and time, and the impact can be highly intangible. We highlight that a complete picture of the societal impact of ransomware attacks goes beyond financial losses or immediate exposure. We believe that the only way to meet this challenge is through substantial engagement with civil society and grassroots organisations that are close to victims.
As ransomware grows in scope and scale, this engagement becomes even more essential if we are to fully assess and counter their impact. The impact on victims of ransomware attacks are broad, ranging from material to psychological, often not addressed in the official reports. We believe that a human-centric approach is much needed to widen the perspective from national security alone to a more comprehensive approach of ransomware-induced harms, because the entire gamut of human wellbeing is at stake.
Transparency of the data sources
Focusing on the national security perspective alone has also resulted in a dearth of information about the attacks, and this has been a major limitation in studying the long-term impact of ransomware. Even basic information about who was targeted, how much ransom was demanded, and whether the payment was completed or not is inconsistently collected and rarely shared publicly. More importantly, the medium and long-term effects and the harms caused by ransomware attacks are almost never captured by the data made available publicly. Other challenges compound the problem of data scarcity: the underreporting of ransomware cases, the transnational dimension of attacks, the Western bias in data collection, and the lack of harmonized metrics capturing impact. We call upon all stakeholders in the fight against ransomware to put this issue on their agendas, and start the process of sharing data on attacks with researchers and civil society.
We want to emphasize that the alignment of policies and activities of some countries will not be enough to enhance general societal resilience against ransomware. A multistakeholder approach with regular assessment of the societal impact of ransomware attacks is thus essential. One step in this direction is the Ransomware Task Force (RTF), which is a coalition of experts in industry, government, law enforcement, civil society, and international organizations, providing a comprehensive framework to combat ransomware, starting from existing solutions and current gaps in their applications.
To address the challenges we are facing today, solid impact-related research and direct cooperation with civil society organisations are urgently needed in order to unveil the true extent of the harms caused by ransomware attacks and to facilitate victims’ access to adequate remedies.