An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability

Lena Yuryna Connolly, David S Wall, Michael Lang, Bruce Oddson, An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability, Journal of Cybersecurity , Volume 6, Issue 1, 2020, tyaa023, https://doi.org/10.1093/cybsec/tyaa023

This study looks at the experiences of organizations that have fallen victim to ransomware attacks. Using quantitative and qualitative data of 55 ransomware cases drawn from 50 organizations in the UK and North America, we assessed the severity of the crypto-ransomware attacks experienced and looked at various factors to test if they had an influence on the degree of severity. An organization’s size was found to have no effect on the degree of severity of the attack, but the sector was found to be relevant, with private sector organizations feeling the pain much more severely than those in the public sector. Moreover, an organization’s security posture influences the degree of severity of a ransomware attack. We did not find that the attack target (i.e. human or machine) or the crypto-ransomware propagation class had any significant bearing on the severity of the outcome, but attacks that were purposefully directed at specific victims wreaked more damage than opportunistic ones.

In recent years, Europol’s annual Internet Organised Crime Threat Assessment report has consistently identified ransomware as a top priority; their latest bulletin states that ‘ransomware remains one of the, if not the, most dominant threats, especially for public and private organisations within as well as outside Europe’ [ 1 ]. Furthermore, as starkly evidenced by an international survey of 5000 IT managers, the incidence of ransomware attacks is growing exponentially [ 2 ]. Similar trends have been observed by government and law enforcement bodies [ 3 , 4 ]. Ransomware attacks can potentially generate substantial financial rewards for offenders, but the ransom – which in most cases is not paid – is just a fraction of the overall cost of the attack in terms of reputational damage and loss of business [ 3 , 5 ].

Since ransomware first arrived on the scene in a major way about the year 2013, the volume of academic literature produced on this topic has mushroomed. Important advances such as sophisticated detection methods and innovative intrusion prevention systems have been put forward. Organizations are advised to implement effective security education, introduce policies and technical controls, install antivirus software, promote strong e-mail hygiene, upgrade old systems, execute regular patching, apply the ‘least privileges’ approach, segregate the network perimeter and implement effective backup practices [ 6 , 7 ]. Although the aforementioned types of work are of tremendous importance to a preventative strategy, they are not by themselves sufficient. This is because most of the research on ransomware to date has focused primarily on its technical aspects, with comparatively little attention being given to understanding the socio-technical side of the attack or the characteristics of organizations [ 8 ]. So, while there is a strong emphasis on developing ransomware countermeasures, there is a lack of studies that examine the real experiences of organizations that have actually fallen victim to ransomware attacks.

It may be tempting to assume certain things about what makes an organization more or less vulnerable to an attack, but we should not be so presumptuous. Although research on cybercrime victimization has significantly expanded over the past two decades, the majority of studies focus on individual-level offences such as online bullying, harassment and stalking. Holt and Bossler [ 9 ] make the point that for some types of cybercrime, such as malware and ransomware, our understanding of what causes individuals and organizations to fall victim is not well developed. Our work addresses this limitation by focusing on ransomware crime and collecting data from the actual victims of ransomware.

Generally, the risk of cybercrime victimization has been addressed by studying characteristics of the offender [ 10 ], the victim [ 11 ] and the crime itself [ 12 ]. Our article focuses on the latter two and is motivated by several calls in the literature to better understand typical victims of ransomware attacks, with a view towards developing solutions that prevent or mitigate this sinister problem [ 9 , 13 , 14 ].

To date, only a small number of studies have directly looked at the experiences of organizations that have fallen victim to ransomware. Of these few (see Table 1 ), the majority consider things at a rather cursory level. Our study, which is based on a substantial sample of 55 ransomware attacks and draws upon qualitative and quantitative data, helps to address this gap in the literature by presenting detailed findings on the antecedents and consequences of actual ransomware attacks within 50 organizations. Our objectives were to:

(1) Assess the degree of severity of ransomware attacks within organizations;

(2) Explore how characteristics of the organization and characteristics of the attack affect the severity of the outcome.

Table 1. Previous empirical studies of ransomware attacks on organizations

| Authors | Country | Method | Sample | Main findings |
|---|---|---|---|---|
| Choi et al. [ ] | USA | Quantitative analysis of secondary data | 13 reported attacks on police departments from 2013 to 2016 | Online lifestyle and cybersecurity stance contribute to ransomware victimization |
| Zhao et al. [ ] | USA | Mixed methods case study: questionnaire and interviews | Medical students and surgeons in a hospital that experienced a SamSam ransomware attack (29 survey respondents; 8 interviewees) | Students who are ‘digital natives’ were seriously stressed by lack of access to electronic resources and were not well adapted to adjust to paper-based workflows |
| Zhang-Kennedy et al. [ ] | USA | Mixed methods case study: questionnaire and interviews | Staff and students in a large university that experienced a ransomware attack at a critical time (150 survey respondents; 30 interviewees) | It took several days to recover basic services and the after-effects on user productivity were felt for a considerable time afterward. Substantial data loss and emotional effects on staff. |
| Hull et al. [ ] | UK | Mixed methods: questionnaire and interviews | 46 questionnaire respondents and 8 interviews (university staff, students and SMEs) | Universities are more likely to be attacked than SMEs; ransomware victims only had basic defences in place |
| Shinde et al. [ ] | The Netherlands | Mixed methods: questionnaire and interviews | Snowball sample of 23 individuals and 2 semi-structured interviews | Most ransomware attacks use an untargeted ‘shotgun’ approach; security awareness among victims was low |
| Ioanid et al. [ ] | Romania | Questionnaire | Survey of 123 SMEs | Organization size and turnover are positively correlated with number of attacks; manager education is a key prevention factor |
| Byrne and Thorpe [ ] | Ireland | Brief interviews | Three organizations that had suffered attacks | E-mail filtering software had been removed because of the overhead it was placing on IT departments; in the wake of attacks, security training and awareness programmes were ramped up. |
| Riglietti [ ] | Not stated | Content analysis of discussions | 301 posts extracted from four online security blogs | Content analysis technique can increase our understanding of security challenges within organizations |

Within the literature on cybercrime in general, there have been various efforts to understand the factors that make individuals more prone to becoming victims. Drawing upon Lifestyle Theory and Routine Activity Theory, Agustina [ 23 ] proposes several behavioural and environmental factors that should, in theory at least, elevate the risk of being victimized. In practice, however, as found by Ngo and Paternoster [ 24 ], these theories do not hold up to empirical scrutiny. Our work differs from these previous studies in two ways: first, we are looking not at cybercrime in general, but specifically at ransomware attacks; secondly, our focus is not on individual victims, but rather on organizations.

Although several reports [ 1–4 ] suggest that the number of ransomware attacks against businesses continues to rise steadily, it is hard to form any clear sense of the true extent of ransomware attacks. The difficulty of accurately measuring and comparing cybercrime rates has been remarked upon by Furnell et al. [ 25 ]. Statistics about the incidence of ransomware attacks vary wildly. In an international study based on 574 participants across 77 countries, BCI [ 26 ] reported that 31% of respondents had been afflicted by ransomware. In contrast, a large-scale survey of Internet users in Germany revealed that only 3.6% of individuals had suffered a ransomware attack [ 27 ]. Simoiu et al. [ 5 ] estimated that about 2–3% of their sample of 1180 American adults were hit by ransomware between 2016 and 2017. Similarly, Ioanid et al. [ 20 ] reported that 2% of their sample of 103 Romanian small-to-medium enterprises (SMEs) were affected by the WannaCry attack that year. Against those low incidence rates, Hull et al. [ 18 ] found that as many as 61% of UK respondents had experienced at least one attack, and Shinde et al. [ 19 ] reported that 20% of respondents to their survey in the Netherlands were victims of ransomware, although it must be acknowledged that both those studies were based on quite small samples. All of these conflicting survey findings create a rather muddled picture. This, of course, can be put down to differences in sampling methods, response rates, temporal factors and units of analysis, but our essential point is this: it is generally agreed that ransomware presents a grave threat and has adversely affected many organizations, yet we know very little about the experiences of organizations that were attacked or the root causes that left them open to a successful violation.

There are very few empirical studies of the impact of ransomware within organizations or the factors that make organizations vulnerable. Al-Rimy et al. [ 28 ] present a literature survey of ransomware threat success factors, but the scope of their work extends only to infection vectors and enabling technologies (i.e. cryptography techniques, payment methods, ransomware development kits). They do not consider any organizational or socio-technical factors.

Our extensive search of the literature revealed just a handful of studies that looked directly at the experiences of organizations that were victims of ransomware (see Table 1 ). To summarize the key findings of these studies: ransomware attacks had major financial and emotional impact on victims, and the common factors that led to the attacks seemed to be a lack of security education or diligence, with organization type and size also emerging as possible factors impacting the likelihood of an attack.

Byrne and Thorpe [ 21 ] observe that ‘there is a gap in the literature with regards to examining the issue [of ransomware] from a company's perspective and that of its user base.’ Our study aims to make a contribution towards addressing this gap. In the next sections, we present a number of factors that we believe might affect the vulnerability of an organization to a ransomware attack, as well as characteristics of the attack weapon and method that could affect the severity of impact.

Organization characteristics: size and sector

As with so much of the reported facts and figures pertaining to ransomware, there is disagreement as to whether an organization’s size makes it more or less susceptible to attack. An international survey conducted by BCI [ 26 ] found that ransomware attacks are a substantially more common problem for large enterprises than they are for SMEs. However, contradictory findings are reported by Beazley [ 27 ], which states that SMEs were disproportionately hit by ransomware attacks in 2018, with 71% of all infections occurring within such organizations.

Many SMEs based in the UK believe that they are not likely to be targeted by ransomware attacks; while they place high value on the importance of IT to their business, they are generally not worried about the threat of data loss [ 29 , 30 ]. SMEs, by their entrepreneurial nature, are more likely to engage in risk-taking behaviour [ 31 ]. However, SMEs may underestimate the value to hackers of their information systems and may not realize that they could be targeted as a hop to gain entry into their partners’ networks. As Smith [ 32 ] puts it, ‘even if you think your company has nothing worth stealing, losing access to all your data is no longer an unlikely event.’ Kurpjuhn [ 33 ] makes the point that SMEs must accept that they are exposed to similar levels of risk as large enterprises but have lower budgets and lesser resources to address those risks.

An argument could be made that larger organizations, simply because they employ more people, are at greater risk of infection due to human error; it only takes one reckless act by a single individual to compromise an entire network. Although not quite the same thing, Bergmann et al. [ 34 ] found no correlation between the size of a household and the rate of cybercrime victimization experienced by members of that household. How that finding would scale up to larger units in a non-domestic setting is a matter of conjecture, but it seems reasonable to assume that the potential for human error increases relative to the size of the unit.

Hypothesis 1a: An organization’s size influences the impact severity of a ransomware attack.
Hypothesis 1b: An organization’s sector influences the impact severity of a ransomware attack.

Security posture

Because ransomware combines technical and social characteristics to create its impact, we explore the organizational victim responses to attacks through the lens of ‘security posture’. Security posture is defined as ‘the security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes’ [ 36 ]. Prior research into ransomware attacks on organizations shows that a lack of basic security practices, or failure to comply with them, was a common failing [ 15 , 18 ]. Organizations that do not have adequate and effective backup strategies are much more likely to end up having to pay the ransom to retrieve their data [ 15 , 28 ]. Connolly and Wall [ 8 ] developed a taxonomy of ransomware countermeasures, emphasizing a multi-layered approach in protecting organizations against ransomware.

While technical defence mechanisms are very important, so too is individual behaviour and good ‘online lifestyle’. Inadequate care by employees when choosing to open e-mail attachments or hyperlinks, downloading ‘free’ versions of software or cracked games, browsing adult content or illegal sports live streams, and installing apps from untrusted sources are all examples of poor online hygiene that can increase the risk of a ransomware infection. Riglietti [ 28 ] observed that ‘looking at what users say, avoiding infection appears to be a matter of spreading the right security culture within an organisation rather than a technical issue.’ A key part of this is education and awareness [ 37 , 38 ]. In their studies of ransomware victims, Shinde et al. [ 19 ] and Zhang-Kennedy et al. [ 27 ] both observed a tendency by employees to assume that cybersecurity was essentially the responsibility of the IT Department. While it is to be expected that the IT Department should take the lead on security and actively promote a strong posture, there is an onus on individuals to utilize good personal security practices and not engage in irresponsible behaviour.

Hypothesis 1c: An organization’s security posture influences the impact severity of a ransomware attack.

Crypto-ransomware propagation class

Since crypto-ransomware was incapable of propagating on networks prior to 2013, we decided to create a simple taxonomy according to the degree of infectiousness (see Table 2 ). Different propagation classes of crypto-ransomware may have a lesser or greater effect on the outcome of a crypto-ransomware attack as a result of the volume of infection spread.

Table 2. Classification by crypto-ransomware propagation

| Crypto-ransomware propagation class | Description | Examples |
|---|---|---|
| Generation I | Early variants of crypto-ransomware were not able to spread on networks and had limited propagation capabilities even within an infected machine (prior to 2013). | AIDS Information; GPCoder |
| Generation II | First emerged in 2013, this type can propagate by taking advantage of network paths. Generation II crypto-ransomware can encrypt devices that are physically and logically (e.g. ‘write’ access to server shares) connected to the infected machine. A common attack vector of Generation II crypto-ransomware is a malicious e-mail. | CryptoLocker; CryptoWall; CryptoDefence |
| Generation III.a (Trojans) | First emerged in 2016, this type uses various tools (e.g. the password-stealer Mimikatz) and takes advantage of network weaknesses to propagate on infected networks. These variants can infect entire networks, completely crippling an organization’s ability to function. Generation III.a crypto-ransomware normally penetrates the network via vulnerable servers. | Samas; BitPaymer |
| Generation III.b (Worms) | First emerged in 2017, Generation III.b crypto-ransomware, also commonly referred to as ‘crypto-worms’, takes advantage of software vulnerabilities. Similar to variants like Samas and BitPaymer, crypto-worms can infect entire networks. | WannaCry; NotPetya |

What we term ‘Generation I’ crypto-ransomware was not particularly effective in extorting money due to several technological shortcomings, such as the use of easy-to-break encryption, inefficient management of decryption keys and limited propagation capabilities. It is highly likely that Generation I variants are obsolete.

We refer to variants such as CryptoWall, CryptoLocker and CryptoDefence as ‘Generation II’. These forms of ransomware initially penetrate networks via desktops or laptops and subsequently take advantage of the local user security context to spread via network paths, encrypting network shares that the user has ‘write’ access to. They can also encrypt devices physically connected to the infected machine.

What we refer to as ‘Generation III.a’ malware are those such as Samas and BitPaymer that tend to breach networks via vulnerabilities found in servers [e.g. a weak password in Remote Desktop Protocol (RDP)]. Once inside the server, attackers manually and/or automatically search for various weaknesses within the network (e.g. poor authentication controls, a flat network structure, the lack of network visibility and detection mechanisms). Such vulnerabilities permit attackers to stay undetected and hijack multiple devices and the entire network in some cases. Crypto-worms like WannaCry (‘Generation III.b’ in our classification) have a similar devastating effect, the chief difference being that they take advantage exclusively of software vulnerabilities in order to propagate.
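A toy blast-radius model of the four propagation classes, added here as an illustration and not part of the paper: given a constructed inventory of hosts, share write permissions, weakly secured remote access and unpatched software, it counts the hosts each class could encrypt from a given foothold, with and without network segmentation. All host names, user names and attribute names are assumptions.

```python
"""Blast-radius model for the crypto-ransomware propagation classes in the
taxonomy above (Generation I, II, III.a, III.b).  Added example, not the
paper's own work: the inventory, hosts, users and attributes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Host:
    name: str
    segment: str = "lan"                 # network segment the host sits in
    # share name -> users holding 'write' access (Generation II exposure)
    shares: Dict[str, Set[str]] = field(default_factory=dict)
    weak_rdp: bool = False               # server reachable via weak remote-access credentials (III.a entry)
    unpatched: bool = False              # carries an exploitable software flaw (III.b propagation)


def reachable_hosts(generation: str, inventory: List[Host], entry: str,
                    user: str, flat_network: bool = True) -> List[str]:
    """Return the hosts a successful infection can encrypt, per propagation class.

    generation:   "I", "II", "III.a" or "III.b" (the taxonomy in the text).
    entry:        host where the infection starts (the user's workstation for
                  I/II/III.b; a weakly secured server for III.a).
    user:         the local user security context the malware runs under.
    flat_network: True means no segmentation; False means lateral movement
                  and worm scanning stay within the entry host's segment.
    """
    by_name = {h.name: h for h in inventory}
    start = by_name[entry]
    in_scope = [h for h in inventory if flat_network or h.segment == start.segment]

    if generation == "I":
        # Pre-2013 variants: confined to the infected machine.
        return [start.name]

    if generation == "II":
        # Spreads over network paths using only the compromised user's own
        # privileges: every share the user can write to gets encrypted.
        # Mapped shares are reachable whatever the segment; physically
        # attached devices are left out of this model.
        hit = {start.name}
        for h in inventory:
            if any(user in writers for writers in h.shares.values()):
                hit.add(h.name)
        return sorted(hit)

    if generation == "III.a":
        # Hands-on intrusion through a weakly secured server.  On a flat network
        # the operators can reach everything; with segmentation they are limited
        # to the entry segment plus other weakly authenticated servers.
        if not start.weak_rdp:
            raise ValueError("III.a entry must be a server with weak remote access")
        hit = {h.name for h in in_scope} | {h.name for h in inventory if h.weak_rdp}
        return sorted(hit)

    if generation == "III.b":
        # Worm: no human operator; it only reaches hosts carrying the software flaw.
        return sorted({start.name} | {h.name for h in in_scope if h.unpatched})

    raise ValueError(f"unknown generation {generation!r}")


def blast_radius(inventory: List[Host], entries: Dict[str, str], user: str,
                 flat_network: bool = True) -> Dict[str, int]:
    """Affected-host count per generation; entries maps generation -> entry host."""
    return {g: len(reachable_hosts(g, inventory, e, user, flat_network))
            for g, e in entries.items()}


# Constructed inventory: two workstations, three servers and one exposed gateway.
INVENTORY = [
    Host("ws-alice", "office"),
    Host("ws-bob", "office", unpatched=True),
    Host("fs-01", "servers", shares={"finance": {"alice", "bob"}, "hr": {"carol"}}),
    Host("fs-02", "servers", shares={"public": {"alice", "bob", "carol"}}, unpatched=True),
    Host("db-01", "servers", unpatched=True),
    Host("rdp-gw", "dmz", weak_rdp=True),
]
# Footholds: a phished workstation for I/II/III.b, the weak gateway for III.a.
ENTRIES = {"I": "ws-alice", "II": "ws-alice", "III.a": "rdp-gw", "III.b": "ws-alice"}

if __name__ == "__main__":
    for flat in (True, False):
        label = "flat network" if flat else "segmented network"
        print(label, blast_radius(INVENTORY, ENTRIES, "alice", flat))
```

On the constructed inventory the flat network gives counts of 1, 3, 6 and 4 hosts for Generations I, II, III.a and III.b; segmentation cuts III.a to 1 and III.b to 2 while leaving the share-driven Generation II count unchanged, which is the least-privilege point the text makes about ‘write’ access.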

Hypothesis 2a: The crypto-ransomware propagation class influences the impact severity of a ransomware attack.

Attack type and target

Hypothesis 2b: The attack type, i.e. opportunistic or targeted, influences the impact severity of a ransomware attack.
Hypothesis 2c: The attack target, i.e. human or machine, influences the impact severity of a ransomware attack.

This study used a mixed methods approach following an exploratory sequential design [ 43 ]. Phase 1 was qualitative. In order to assess the degree of severity of ransomware attacks (our first objective), we required a measurement instrument. A literature search revealed that there are no readily available tools for this particular purpose. Since crypto-ransomware incidents entail some unique consequences (e.g. encrypted data, disabled systems), we could not use substitutes from other cybercrime studies; the assessment instrument had to be specific to crypto-ransomware attacks. Hence, the aim of Phase 1 was to inductively develop an Impact Assessment Instrument (grounded in empirical data) that can be used to effectively evaluate the severity of crypto-ransomware attacks on organizations in our sample. In Phase 2, we gathered additional quantitative data so as to be able to statistically test our hypotheses.

The Ethics Committee at the University of Leeds approved this research. Consent forms were signed by all study participants. All necessary precautions were followed to ensure the anonymity of study participants and the confidentiality of collected data. The majority of participants were from the UK but there were also a few from North America. Where the names of organizations are subsequently referred to in this article, aliases are used to protect the anonymity of respondents (see Appendix 1). Additionally, interviewees from UK Police Cybercrime Units are given the aliases of CyberRM, CyberLM, CyberTL, CyberBR, CyberBL, CyberTR and CyberCU. Incidents took place between 2014 and 2018.

Sampling strategy and data collection

A purposeful sampling approach was employed to collect data in Phase 1. We conducted 10 semi-structured interviews with professionals from organizations that became victims of ransomware attacks. Interviewees were IT/Security Managers and Executive Managers with an average of 17 years of professional experience. There was one respondent per organization. Since some organizations were attacked more than once, accounts of 15 ransomware incidents were elicited from 10 organizations. Appendix 1 (please refer to the first 15 incidents) contains information about the characteristics of the attacks and of the organizations that were interviewed in Phase 1.

In order to enhance the reliability and richness of data, we sought access to individuals who had direct experience of responding to crypto-ransomware incidents. As for the crypto-ransomware attacks themselves, the key selection criterion was to include a range of consequences for the victims, varying from low severity (e.g. minimal disruption to business, minimal loss of information, swift recovery) to high impact (e.g. business disruption that lasted for several months, significant loss of critical information, slow recovery).

An interview guide was designed with the aim of learning about participants’ perceptions of the attacks’ impact and the factors that aggravated or moderated the consequences of these incidents. This exercise guided the development of the Impact Assessment Instrument. Since we planned to use these initial 15 cases in Phase 2 of the data analysis, we also made sure to collect profile information about the organizations (e.g. size, sector and industry), the causes of the crypto-ransomware attacks, information about security postures and the characteristics of the attacks (e.g. attack type, crypto-ransomware propagation class and attack vector). Sample interview questions are provided in Appendix 2. Six interviews were conducted face-to-face, three via Skype with overseas respondents and one via e-mail correspondence.

The decision to stop data collection in qualitative research is made when additional insights are not emerging with new observations. This point is typically reached after a dozen or so observations [ 44 ]. We felt that after examining about 10 ransomware incidents, the incremental learning stopped. But to ensure that the point of ‘theoretical saturation’ was sufficiently reached, we collected data on 15 cases in total.

Impact Assessment Instrument development (qualitative data analysis)

An inductive content analysis method was used to analyse data and develop the Impact Assessment Instrument. Within the interview transcripts, the impact of crypto-ransomware incidents emerged as a major topic. Interviewees eagerly described their experiences of being attacked, particularly focusing on the consequences of crypto-ransomware attacks. For example, respondents from GovSecJN, EducInstFB, LawEnfM, GovSecA and HealthSerJU spoke in great detail about the despair and distress they experienced. An IT/Security Manager from GovSecJN, a large public sector organization, explained how business continuity disruption affected them:

There was an impact on service delivery – we could not do what we were supposed to do. It was significant for us. Besides, all our resources were directed towards the incident instead of doing our job.

An IT/Security Manager from LawEnfJU reported a similar experience:

Ransomware encrypted all of our data files, which, in effect, took the agency offline for about 10 days. This was extremely critical as we could not do our job. We had the server up-and-running in 10 days and then it took another 10 days to manually re-enter all data. So, the attack critically affected the operations of the department for about 20 days … . The overall impact of this attack was severe, definitely.

An Executive Manager from EducInstFB, a large public organization, shared with us that a Generation III.a crypto-ransomware encrypted hundreds of machines (desktops, laptops and servers). As a result, several critical business functions were disabled and important data were inaccessible. The victim disclosed that various security holes – including ineffective backups, poor patching regimes, the lack of network visibility and feeble access control management practices – led to infection and subsequent dramatic consequences.

GovSecA, a large public organization, suffered an unprecedented attack by Generation III.a crypto-ransomware, where close on 100 servers got encrypted, affecting the operations of the organization for months. Most importantly, the victim lost a lot of critical data because they only had partial backups. At the time of the interview, GovSecA was already in post-attack recovery for 8 months. The interviewee shared that the recovery was still not completed at this point. An IT/Security Manager from GovSecA described their experience as follows:

We all came back to work on Tuesday morning after a bank holiday weekend and the sun was streaming in through the windows. The cleaners have been in, the office looked great. Everyone felt refreshed after the long weekend. And it took a while for us to realise what happened; that all computing had been turned to stone [encrypted]. Virtually nothing was left untouched. If half of the building had fallen off, you would understand that something has happened. But everything looked great. But it was not – the organisation could not operate.

An Executive Police Officer from LawEnfM, a public SME, described how the organization suffered two ransomware attacks within 2 weeks, affecting critical data:

We are a full-service law enforcement agency and we have a wide variety of data, some of which is very sensitive. For example, data relevant to criminal incidents like manslaughter cases, child pornography, child sex cases. Several months worth of this data was encrypted, which was pretty significant to us … . While we were recovering after the first attack, we were very unfortunate to get infected by ransomware again.

Comments such as in these few selected excerpts featured regularly in the interviews. We observed that when victims described the impact of ransomware attacks, they focused on factors such as business continuity disruption, recovery time, the number of devices affected, how critical encrypted information was to business and information loss.

By contrast, interviewees from LawEnfJ and GovSecJ talked about factors that effectively saved the organization from far worse outcomes, and emphasized that organizations must be prepared for these attacks or suffer severe consequences. For example, an IT/Security Manager from LawEnfJ, a public SME, shared the following:

We practice good basic security principles. We have backups in multiple locations … . It comes down to basics like staying up to date with industry. Just recently we went through this massive patching for Intel processors and other processes that could be leveraged into a whole host of attacks … . We were well-prepared for the attack … . We restored everything over a weekend. We were infected on Friday and back up-and-running on Monday.

Similarly, an IT/Security Manager from GovSecJ, a large public organization, explained how they were able to recover with little inconvenience:

An Incident Management Plan is crucial during cyber-attacks. Instead of running around with our hands up in the air, screaming for help, our response was logical and structured … . We lost some data due to incremental backups but nothing significant that would have stopped an organisation from functioning … . The infection took place at approximately 9 in the morning. By the end of the day, data was restored, and everything was back to normal.

As a result of our data analysis in Phase 1, five categories of negative outcomes emerged from the data, namely ‘business continuity disruption timeline’, ‘recovery time’, ‘affected devices’, ‘encrypted information critical to business’ and ‘information loss’. Under each of these categories, the data enabled us to build impact descriptors ranging across three degrees of severity (low, medium and high). In Table 3 , we present the severity descriptors for the five impact categories and corresponding attacks.

Table 3. Impact Assessment Instrument and corresponding victims

| Impact item | Degree of severity (3-point ordinal scale): 1 = Low | 2 = Medium | 3 = High |
|---|---|---|---|
| Business continuity disruption timeframe | Up to 1 week | Up to 2 weeks | More than 2 weeks |
| Recovery time | Up to 1 week | Up to 1 month | Several months or more, if at all |
| Affected devices | One or more user devices, possibly including shares on one or more servers | Several devices and more than one server; or where a central server is encrypted, affecting not just individual users but the functioning of a whole department | All or majority of devices, completely or almost completely crippling IT systems |
| Encrypted information critical to business | Some data compromised, but nothing critical | Data critical to some business functions of low to medium priority | Data critical to majority of business functions, or some high priority function(s) |
| Information loss | No loss, or some loss acceptable with incremental backups | Loss affecting some critical business functions | Loss affecting all or majority of critical business functions |

Given the broad range of organization types and sectors in our sample, we anticipated that it would be difficult to arrive at a consensus on what constitutes ‘Low’, ‘Medium’ and ‘High’ levels of severity. For example, an outcome that might be regarded as being of ‘Low’ severity by one respondent could possibly be regarded as ‘High’ by another, depending on the nature of their business and level of dependency on critical IT systems. However, there was a remarkable degree of consistency among the respondents. There is a general acceptance that any ransomware attack, however minor, is likely to result in an interruption of at least a few days rather than hours. Thus, recovery times and business continuity disruption of a number of days (up to a week) were rated as being on the ‘Low’ end of the spectrum because, although any disruption is traumatic, in relative terms that is the least amount of time that is expected to be lost. As one interviewee put it,

Considering the impact and seriousness of the ransomware, it is going to sound strange, but I think that to only lose twelve hours worth of data is an acceptable outcome. If we had not backed up, we would have lost 47,000 files, clearly that would have been a far more significant issue. (IT/Security Manager, GovSecJN)

The Impact Assessment Instrument presented in Table 3 is derived from empirical data and reflects the actual consequences of crypto-ransomware attacks as described by the victims. All five of the items shown in the table are components of the overall severity of a ransomware attack. Because the five items are measured on a three-point ordinal scale, as opposed to a multiple-point continuous scale, we used the ordinal alpha coefficient [ 45 ] to test for internal reliability. The ordinal α was 0.96, which indicates a high degree of agreement between the five items.

To compute a composite score for overall severity, we considered using the average or median of the five items but decided to use the maximum. The rationale is that if any of the items is evaluated as ‘High’, the attack represented a serious shock to the organization with major consequences. Therefore, a ‘High’ severity value for any single item trumps all the others, even if they all have lesser values. This also gets around the aforementioned problem whereby the assessment instrument might misevaluate a particular item as ‘Low’ when in fact, because of the organization’s circumstances, it should be ‘High’; in such cases, the likelihood is that at least one other item would have a ‘High’ rating and hence the overall severity would correctly be evaluated as ‘High’.

Next, using the Impact Assessment Instrument shown in Table 3, we analysed all of the initial 15 cases (interview transcripts) to determine the extent of the attack impact, assigning a degree of severity to each of the five impact items. An exemplar of this assessment exercise is provided in Appendix 3.

We were conscious of the limitation that the initial version of the Impact Assessment Instrument was based on data collected from 10 public organizations, with no private businesses. To remedy this, as we collected data on a further 45 cases, including both public and private organizations, we asked interviewees to assess the severity of ransomware attacks using our scale (i.e. low, medium, high) and comment on the reasons for their answer. The purpose of this exercise was to validate our instrument and confirm that the categories that emerged initially were relevant across the whole sample. We also validated the instrument by consulting with experienced police officers. We found that the instrument gave a reliable measure of the severity of an incident as perceived by the victim.

In order to test our hypotheses, we needed to collect more data on crypto-ransomware incidents. It has been widely acknowledged that collecting data on cyberattacks is extremely difficult. In Phase 1, it took us over 6 months to find organizations that were willing to share sensitive matters relevant to the attacks. Therefore, we approached data collection differently in Phase 2: we sought out police officers from UK Cybercrime Units who had extensive experience in dealing with crypto-ransomware attacks. Mainly, such experience included helping organizations to respond effectively to the attacks, understanding what caused them, providing emotional support to victims if necessary, and offering post-attack advice. Our expectation was that each police officer would be able to provide relevant information on several ransomware incidents at a time, which would make the process of data collection more manageable.

We succeeded in connecting with 10 police officers (four Detective Sergeants and six Detective Constables) and 1 Civilian Cybercrime Investigator, who provided information on 22 usable ransomware incidents via semi-structured interviews and one focus group. Two police officers were interviewed twice as they were able to add new information. The average professional experience of the study respondents was 19 years. We also managed to collect data on 22 more cases with a Detective Inspector, who, unfortunately, was not able to meet with us face-to-face but agreed to provide data via a structured questionnaire (sent over e-mail). Additionally, we interviewed an IT/Security Manager with over 20 years of professional experience, which added one final case to our database of ransomware incidents. Relevant information is available in Appendix 1 (Cases 16–60). Due to the aforementioned access constraints, a snowballing technique was used to collect data for Phase 2.

The questionnaire and second phase interview guide (see Appendix 4) were based on the Impact Assessment Instrument and hypotheses. We asked questions that would help us to assess the impact of an attack. We also collected profile information on organizations (e.g. size, sector and industry) and characteristics of attacks (e.g. attack type, crypto-ransomware propagation class and attack target). Additionally, we included questions that would help us classify the security posture of each organization. For this purpose, we used the taxonomy of crypto-ransomware countermeasures developed in our previous work [ 8 ]. The headings from this taxonomy served as a guide for questions. Therefore, in order to assess the security posture of victim organizations, we asked interviewees about security education, policies and practices, technical measures and network security, the incident response strategy and the attitudes of management towards cybersecurity (see Appendix 5).

Overall, 45 additional cases of ransomware attacks were examined in Phase 2, bringing the total to 60 cases. For five of the 60 cases, there was insufficient data to be able to determine the overall impact severity, so those cases were discarded as being unusable, leaving us with 55 usable cases. Although a snowballing technique was used to collect data in Phase 2, our overall sample included organizations of different sizes and from different sectors. Attacks were recorded against both humans and machines by different crypto-ransomware propagation classes. Different levels of security posture were noted among participants, ranging from weak to strong. Finally, the sample contained opportunistic attacks as well as targeted ones.

For a few of the cases, we did not have values for all of the five items in the Impact Assessment; in those cases, we evaluated the overall impact based on the maximum of the items for which we had values, supported by an inspection of qualitative data from those cases. We found that this method of computing the composite score for overall severity gave the most accurate results, as validated using participants’ personal assessment of the attack impact and our own judgement based on what we gleaned from interviews. Results of the assessment exercise are available in Table 4 .
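The scoring procedure described in this section and in the Appendix 3 exemplar (each item coded Low/Medium/High, overall severity taken as the maximum of the items that have a value, cases with no scorable item discarded, and Table 4-style frequencies computed only over the cases that have each item) can be written down as a small program. The code below is an added illustration, not the authors' own instrument; it assumes, as our own reading of the Table 3 wording, that the two time-based items are scored from a number of days (1 week = 7 days, 1 month = 30 days, never recovered = infinity) and that the three qualitative items are supplied already coded 1/2/3 by the analyst. The sample incidents are constructed, not cases from the study.

```python
"""Composite severity scoring in the style of the Impact Assessment Instrument.

Added example, not the authors' code.  Assumptions (ours): time-based items are
scored from days using the Table 3 thresholds; qualitative items arrive already
coded 1/2/3; None means "no data for this item".
"""
import math
from collections import Counter
from typing import Dict, List, Optional

LOW, MEDIUM, HIGH = 1, 2, 3
LABEL = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}
ITEMS = ("disruption", "recovery", "devices", "critical", "loss")


def score_disruption(days: Optional[float]) -> Optional[int]:
    """Business continuity disruption: up to 1 week Low, up to 2 weeks Medium, else High."""
    if days is None:
        return None
    return LOW if days <= 7 else MEDIUM if days <= 14 else HIGH


def score_recovery(days: Optional[float]) -> Optional[int]:
    """Recovery time: up to 1 week Low, up to 1 month Medium, several months
    or never (math.inf) High."""
    if days is None:
        return None
    return LOW if days <= 7 else MEDIUM if days <= 30 else HIGH


def composite_severity(item_scores: Dict[str, Optional[int]]) -> Optional[int]:
    """Overall severity is the MAXIMUM over the scored items: one 'High' item
    trumps the rest.  Items with no value are skipped; if nothing could be
    scored the case is unusable and None is returned."""
    present = [s for s in item_scores.values() if s is not None]
    if any(s not in LABEL for s in present):
        raise ValueError("item scores must be 1 (Low), 2 (Medium) or 3 (High)")
    return max(present) if present else None


def assess(disruption_days=None, recovery_days=None,
           devices=None, critical=None, loss=None) -> Dict[str, Optional[int]]:
    """Score one incident; returns the five item scores plus 'overall'."""
    scores = {
        "disruption": score_disruption(disruption_days),
        "recovery": score_recovery(recovery_days),
        "devices": devices,     # affected devices, coded 1/2/3 by the analyst
        "critical": critical,   # encrypted information critical to business
        "loss": loss,           # information loss
    }
    scores["overall"] = composite_severity(scores)
    return scores


def tabulate(cases: List[Dict[str, Optional[int]]]) -> Dict[str, Dict[str, int]]:
    """Per-item frequency table in the shape of Table 4: n scored cases and the
    percentage at each level, computed over the cases that have that item."""
    table = {}
    for item in ITEMS + ("overall",):
        values = [c[item] for c in cases if c.get(item) is not None]
        n = len(values)
        counts = Counter(values)
        table[item] = {"n": n}
        for level, name in LABEL.items():
            table[item][name] = round(100 * counts[level] / n) if n else 0
    return table


# Constructed sample incidents (not real cases from the study).  The first two
# follow the pattern of the Appendix 3 exemplar; the third is a crippling attack
# never fully recovered from; the fourth has data for one item only.
SAMPLE_CASES = [
    assess(disruption_days=3, recovery_days=5, devices=LOW, critical=LOW, loss=LOW),
    assess(disruption_days=5, recovery_days=25, devices=LOW, critical=HIGH, loss=LOW),
    assess(disruption_days=20, recovery_days=math.inf, devices=HIGH, critical=HIGH, loss=HIGH),
    assess(devices=MEDIUM),
]

if __name__ == "__main__":
    for case in SAMPLE_CASES:
        print(case)
    print(tabulate(SAMPLE_CASES))
```

The second sample case shows the point of the maximum rule: four of its five items sit at Low or Medium, but the single High item (critical information encrypted) carries the overall rating to High, exactly as in Attack 9 of the Appendix 3 exemplar.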

Table 4. Impact Assessment Instrument and observed frequencies among respondents (n = 55)

| Impact item | Degree of severity (3-point ordinal scale): 1 = Low | 2 = Medium | 3 = High |
|---|---|---|---|
| Business continuity disruption timeframe (n = 52) | Up to 1 week (65%) | Up to 2 weeks (14%) | More than 2 weeks (21%) |
| Recovery time (n = 51) | Up to 1 week (59%) | Up to 1 month (22%) | Several months or more, if at all (19%) |
| Affected devices (n = 53) | One or more user devices, possibly including shares on one or more servers (53%) | Several devices and more than one server; or where a central server is encrypted, affecting not just individual users but the functioning of a whole department (19%) | All or majority of devices, completely or almost completely crippling IT systems (28%) |
| Encrypted information critical to business (n = 51) | Some data compromised, but nothing critical (29%) | Data critical to some business functions of low to medium priority (24%) | Data critical to majority of business functions, or some high priority function(s) (47%) |
| Information loss (n = 47) | No loss, or some loss acceptable with incremental backups (57%) | Loss affecting some critical business functions (32%) | Loss affecting all or majority of critical business functions (11%) |
| Overall impact severity (composite score) (n = 55) | Low (27%) | Medium (20%) | High (53%) |

Note: Overall n = 55, but item response rates ranged from 85% (47) to 96% (53).

Quantitative data analysis

Overall, our sample included 50 organizations of different sizes, sectors (i.e. public or private) and industries (55 usable cases of crypto-ransomware attacks). In total, 35 (70%) of the organizations were SMEs, while 15 (30%) were large organizations. We used the European Commission guidance to define organization size [ 46 ]. The industries were broad and varied, including IT, government, law enforcement, education, healthcare, financial services, construction, retail, logistics, utility providers and several other categories. Of the 50 organizations, 19 (38%) were in the public sector and 31 (62%) were in the private sector. Five (10%) were located in North America and 45 (90%) in the UK (see Appendix 7). Security postures were determined for 34 of the 50 organizations (see Table 5). Twenty organizations (59%) had a weak security posture, 13 (38%) had a medium security posture and only one had a strong posture. We used the criteria outlined in Appendices 5 and 6 to assess the security postures of organizations.

Table 5. Cross-tabulations for Hypotheses 1a, 1b and 1c

| | Attack severity, n (%): Low | Medium | High |
|---|---|---|---|
| H1a: Organization size (n = 50) | | | |
| SME | 7 (20) | 8 (23) | 20 (57) |
| Large | 5 (33) | 2 (13) | 8 (53) |
| H1b: Sector (n = 50)* | | | |
| Public | 5 (26) | 7 (37) | 7 (37) |
| Private | 7 (23) | 3 (10) | 21 (68) |
| H1c: Security posture (n = 34)*** | | | |
| Weak | 0 (0) | 4 (20) | 16 (80) |
| Medium | 4 (31) | 6 (46) | 3 (23) |
| Strong | 1 (100) | 0 (0) | 0 (0) |

* P < 0.05; *** P < 0.001.

Except where otherwise stated, the hypotheses were assessed using two-sided Fisher’s Exact tests. The size of our sample provides acceptable power to detect moderate-to-large relationships between categorical variables using this technique. Where data was missing, cases were excluded; the number of relevant cases ( n ) is stated in the results of each test.
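The P values reported for Tables 5 and 6 can be reproduced from the published counts. The following is an added example, not the authors' code: the paper names the test but not the software, so this implements the textbook definition of the two-sided Fisher's exact test (the Freeman-Halton extension for tables larger than 2 x 2): P is the total probability, under the observed margins, of every table that is no more probable than the observed one. Exact rational arithmetic is used so that tables of equal probability are never mis-ordered by floating-point rounding; the cross-tabulations are copied from Tables 5 and 6.

```python
"""Two-sided Fisher's exact test for an r x c table of counts.

Added example, not the authors' code; enumerates all tables with the observed
margins (fast for samples of this size) and sums the probabilities of those no
more probable than the observed table.
"""
from fractions import Fraction
from itertools import product
from math import factorial, prod


def _probability(table, row_totals, col_totals, n):
    """Multivariate hypergeometric probability of one table with these margins."""
    num = prod(factorial(r) for r in row_totals) * prod(factorial(c) for c in col_totals)
    den = factorial(n) * prod(factorial(x) for row in table for x in row)
    return Fraction(num, den)


def _tables(row_totals, col_remaining):
    """Yield every table with the given row totals and remaining column totals."""
    if len(row_totals) == 1:          # last row is fixed by the column margins
        yield (tuple(col_remaining),)
        return
    for row in product(*(range(c + 1) for c in col_remaining)):
        if sum(row) != row_totals[0]:
            continue
        rest = tuple(c - a for c, a in zip(col_remaining, row))
        for tail in _tables(row_totals[1:], rest):
            yield (row,) + tail


def fisher_exact(table):
    """Two-sided exact P value for a table given as a list of rows of counts."""
    table = tuple(tuple(row) for row in table)
    row_totals = tuple(sum(row) for row in table)
    col_totals = tuple(sum(col) for col in zip(*table))
    n = sum(row_totals)
    observed = _probability(table, row_totals, col_totals, n)
    p_value = Fraction(0)
    for candidate in _tables(row_totals, col_totals):
        p = _probability(candidate, row_totals, col_totals, n)
        if p <= observed:
            p_value += p
    return float(p_value)


# Cross-tabulations of attack severity (Low, Medium, High) as reported in
# Tables 5 and 6 of the paper.
CROSSTABS = {
    "H1a size (SME / Large)": [[7, 8, 20], [5, 2, 8]],
    "H1b sector (Public / Private)": [[5, 7, 7], [7, 3, 21]],
    "H1c posture (Weak / Medium / Strong)": [[0, 4, 16], [4, 6, 3], [1, 0, 0]],
    "H2a class (Gen II / Gen III)": [[10, 8, 14], [5, 3, 15]],
    "H2b target (Human / Machine)": [[5, 6, 14], [8, 5, 15]],
    "H2c type (Opportunistic / Targeted)": [[12, 9, 17], [1, 2, 12]],
}


def paper_results():
    """P value for each cross-tabulation, keyed by hypothesis."""
    return {name: fisher_exact(t) for name, t in CROSSTABS.items()}


if __name__ == "__main__":
    for name, p in paper_results().items():
        print(f"{name:40s} P = {p:.3f}")
```

Full enumeration is only practical because the counts are small (a few thousand candidate tables at most here); for larger tables a network algorithm or Monte Carlo approximation is the usual substitute. The same code handles the 3 x 3 security-posture table, which is why the recursion enumerates rows rather than assuming two of them.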

We found that the degree of severity of a ransomware attack did not vary by organizational size, P = 0.542. Indeed, the majority of attacks in both SMEs and large organizations were of high severity (57% and 53%, respectively).

The severity did, however, vary according to organizational sector. Private organizations were considerably more likely than public organizations to experience serious negative consequences as a result of ransomware attacks, P = 0.044. Of the private organizations, 68% were hit by attacks of the highest severity, whereas a much lower percentage (37%) of public organizations were as badly affected. This finding supports Hypothesis 1b.

Most tellingly, impacts also varied with organizational security posture, such that those organizations with weak security postures were far more likely to experience a severe impact than were those with medium or strong postures, n  = 34, P < 0.001. Of the organizations that had a weak posture, 80% had been hit by ransomware attacks of high severity. Thus, Hypothesis 1c is also supported.

Post hoc, we found that security posture did not differ according to organization size, with the majority of organizations – 57% of SMEs and 64% of large organizations – having a weak security posture. However, when looking at the relationship between organization sector and security posture, a significant difference ( P = 0.035) was observed. Public organizations had considerably stronger security postures than those in the private sector. This may partly explain why the impact of attacks on public sector organizations was not as severe.

As can be seen in Appendix 1, the 50 organizations spanned 23 different industries (i.e. financial services, healthcare, retail, etc.), so it was not meaningful to conduct correlation analysis on this variable as the numbers were spread too thin. However, one observation that stands out is that of the seven respondents from the IT industry, six (86%) experienced attacks of high severity. This is above average and somewhat surprising, although with such a small sub-sample it is not possible to draw reliable inferences.

Looking then at the crypto-ransomware propagation classes, 32 (58%) were of type Generation II, while 23 (42%) were of type Generation III (Generation III.a and Generation III.b classes were merged in data analysis due to similar propagation characteristics). In total, 38 attacks (72%) were opportunistic and 15 (28%) were targeted. Twenty-five attacks (47%) were targeted at humans and 28 (53%) aimed at machines (see Table 6).

Table 6. Cross-tabulations for Hypotheses 2a, 2b and 2c

| | Attack severity, n (%): Low | Medium | High |
|---|---|---|---|
| H2a: Crypto-ransomware type (n = 55) | | | |
| Generation II | 10 (31) | 8 (25) | 14 (44) |
| Generation III | 5 (22) | 3 (13) | 15 (65) |
| H2b: Attack target (n = 53) | | | |
| Human | 5 (20) | 6 (24) | 14 (56) |
| Machine | 8 (29) | 5 (18) | 15 (54) |
| H2c: Attack type (n = 53) | | | |
| Opportunistic | 12 (32) | 9 (24) | 17 (45) |
| Targeted | 1 (7) | 2 (13) | 12 (80) |

P < 0.1.

The degree of severity did not vary with the crypto-ransomware propagation class (i.e. Generation II vs. Generation III), n = 55, P = 0.334, nor with the attack target (i.e. human vs. machine), n = 53, P = 0.813.

The type of attack (opportunistic vs. targeted) was also considered. Targeted attacks were more likely than opportunistic ones to lead to severe consequences, n = 53, P = 0.063. Of the targeted attacks, 80% gave rise to impacts of high severity, whereas a considerably lower proportion of opportunistic attacks (45%) had high negative consequences. This difference is statistically significant (Mann–Whitney U = 177, P = 0.02), so we are inclined to accept Hypothesis 2b.
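The Mann–Whitney statistic quoted here treats the three severity levels as ordinal and compares the two attack types on rank; because every case sits on one of only three levels, the data are heavily tied, and U can be computed directly from the Table 6 counts instead of ranking 53 observations. The code below is an added check, not the authors' code; the counts are the H2c rows of Table 6, and the P value uses the normal approximation with the standard tie correction, which is our assumption about how a statistics package would have produced the reported figure.

```python
"""Mann-Whitney U from ordinal severity counts (Low, Medium, High).

Added example, not the authors' code.  Counts are taken from Table 6 (H2c);
the P value is the tie-corrected normal approximation (our assumption).
"""
from math import erfc, sqrt
from typing import Sequence, Tuple


def mann_whitney_u(group_a: Sequence[int], group_b: Sequence[int]) -> Tuple[float, float]:
    """Counts per ordinal level (ascending) for two groups.  Returns (U_a, U_b):
    U_a is the number of (a, b) pairs in which the A case outranks the B case,
    tied pairs counting one half; U_b is the complement n_a * n_b - U_a."""
    u_a = 0.0
    for i, a in enumerate(group_a):
        for j, b in enumerate(group_b):
            if i > j:
                u_a += a * b
            elif i == j:
                u_a += 0.5 * a * b
    u_b = sum(group_a) * sum(group_b) - u_a
    return u_a, u_b


def mann_whitney_test(group_a: Sequence[int], group_b: Sequence[int]) -> Tuple[float, float, float]:
    """Return (U, z, two-sided P) with U = min(U_a, U_b).  The variance uses the
    tie correction: every observation is tied with all others at its level, so
    without it the approximation would be badly off for three-level data."""
    u_a, u_b = mann_whitney_u(group_a, group_b)
    n_a, n_b = sum(group_a), sum(group_b)
    n = n_a + n_b
    u = min(u_a, u_b)
    mean_u = n_a * n_b / 2
    tie_term = sum(t ** 3 - t for t in (a + b for a, b in zip(group_a, group_b)))
    var_u = n_a * n_b / 12 * ((n + 1) - tie_term / (n * (n - 1)))
    z = (u - mean_u) / sqrt(var_u)
    p_two_sided = erfc(abs(z) / sqrt(2))
    return u, z, p_two_sided


# Severity counts (Low, Medium, High) from Table 6, H2c.
OPPORTUNISTIC = (12, 9, 17)
TARGETED = (1, 2, 12)

if __name__ == "__main__":
    u, z, p = mann_whitney_test(OPPORTUNISTIC, TARGETED)
    print(f"U = {u:.0f}, z = {z:.2f}, P = {p:.3f}")
```

Running it on the Table 6 counts gives U = 177, matching the value in the text, with a two-sided P of about 0.02.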

Post hoc, companies with a weak posture were much more likely to be targeted via machine vulnerabilities as a point of entry, whereas companies with medium or strong security postures were more likely to be attacked via social engineering tricks (n = 34, P = 0.019). We also observed that 91% of targeted attacks were against organizations that had a weak security posture. Table 7 summarizes the results of the hypothesis tests.

Table 7. Results of hypothesis tests

| Hypothesis | Result |
|---|---|
| Hypothesis 1a: An organization’s size influences the degree of severity of a ransomware attack | Rejected |
| Hypothesis 1b: An organization’s sector influences the degree of severity of a ransomware attack | Accepted |
| Hypothesis 1c: An organization’s security posture influences the degree of severity of a ransomware attack | Accepted |
| Hypothesis 2a: The crypto-ransomware propagation class influences the impact severity of a ransomware attack | Rejected |
| Hypothesis 2b: The attack type, i.e. opportunistic or targeted, influences the degree of severity of a ransomware attack | Accepted |
| Hypothesis 2c: The attack target, i.e. human or machine, influences the degree of severity of a ransomware attack | Rejected |

| Attack ID | Crypto-ransomware propagation class | Attack target | Attack type | Organization alias | Industry | Size | Sector |
|---|---|---|---|---|---|---|---|
| 1 | Generation II | human | opportunistic | LawEnfJ | Law enforcement | SME | public |
| 2 | Generation II | human | opportunistic | GovSecJN | Government | large | public |
| 3 | Generation II | machine | opportunistic | GovSecJ | Government | large | public |
| 4 | Generation II | human | opportunistic | | | | |
| 5 | Generation II | machine | opportunistic | | | | |
| 6 | Generation II | machine | opportunistic | | | | |
| 7 | Generation II | machine | opportunistic | EducInstF | Education | large | public |
| 8 | Generation III.a | machine | targeted | EducInstFB | Education | large | public |
| 9 | Generation II | human | opportunistic | LawEnfM | Law enforcement | SME | public |
| 10 | Generation II | human | opportunistic | | | | |
| 11 | Generation III.a | machine | targeted | GovSecA | Government | large | public |
| 12 | Generation II | human | opportunistic | LawEnfJU | Law enforcement | SME | public |
| 13 | Generation III.b | machine | opportunistic | HealthSerJU | Health service | large | public |
| 14 | Generation III.a | human | targeted | | | | |
| 15 | Generation II | human | opportunistic | LawEnfF | Law enforcement | SME | public |
| 16 | Generation II | machine | opportunistic | ITOrgA | IT | SME | private |
| 17 | Generation III.a | machine | opportunistic | ConstrSupA | Construction | SME | private |
| 18 | Generation III.a | machine | targeted | EducOrgA | Education | SME | public |
| 19 | Generation II | human | opportunistic | SecOrgM | IT | SME | private |
| 20 | Generation III.a | machine | targeted | ITOrgJL | IT | SME | private |
| 21 | Generation II | human | opportunistic | CloudProvJL | IT | SME | private |
| 22 | Generation III.a | machine | targeted | InfOrgJL | Infrastructure | SME | private |
| 23 | Generation III.a | machine | opportunistic | ConstrSupJ | Construction | SME | private |
| 24 | Generation II | human | opportunistic | RelOrgJ | Religion | SME | private |
| 25 | Generation III.a | machine | targeted | SportClubJ | Entertainment | large | private |
| 26 | Generation III.a | machine | targeted | UtilOrgD | Utilities | large | private |
| 27 | Generation III.a | e-mail | targeted | VirtOrgD | IT | SME | private |
| 28 | Generation III.a | machine | opportunistic | CleanOrgD | Cleaning | SME | private |
| 29 | Generation II | human | opportunistic | EducOrgD | Education | SME | public |
| 30 | Generation II | human | opportunistic | SerOrgD | Waste | SME | private |
| 31 | Generation III.a | machine | opportunistic | EducCompD | Education | SME | public |
| 32 | Generation III.a | machine | opportunistic | PrimOrgD | Education | SME | public |
| 33 | Generation III.a | machine | opportunistic | LogOrgD | Logistics | SME | private |
| 34 | Generation III.a | machine | opportunistic | ITCompD | IT | SME | private |
| 35 | Generation III.a | machine | opportunistic | LogWarJ | Logistics | large | private |
| 36 | Generation III.a | machine | targeted | TranspOrgJ | Transport | large | private |
| 37 | Generation II | human | targeted | CharOrgJ | Charity | SME | public |
| 38 | Generation II | human | opportunistic | EducInstJ | Education | large | public |
| 39 | Generation II | human | opportunistic | DigMedM | Retailer | SME | private |
| 40 | Generation II | human | opportunistic | ConstrSupAP | Construction | SME | private |
| 41 | Generation II | human | opportunistic | FinOrgAP | Finance | SME | private |
| 42 | Generation II | unknown | unknown | ConstrOrgAP | Construction | SME | private |
| 43 | Generation II | unknown | unknown | LetAgenAP | Letting agency | SME | private |
| 44 | Generation III.a | machine | targeted | EducOrgAP | Education | large | public |
| 45 | Generation II | human | opportunistic | ConstrArcAP | Construction | SME | private |
| 46 | Generation II | human | opportunistic | LegalOrgAP | Legal | SME | private |
| 47 | Generation II | human | opportunistic | BevOrgAP | Beverages | SME | private |
| 48 | Generation II | human | opportunistic | ChCarAP | Childcare | SME | public |
| 49 | Generation III.a | machine | opportunistic | EducPrimAP | Education | large | public |
| 50 | Generation II | human | opportunistic | RetOrgAP | Retailer | large | private |
| 51 | Generation III.a | machine | opportunistic | | | | |
| 52 | Generation III.a | machine | targeted | ITOrgAP | IT | SME | private |
| 53 | Generation III.a | machine | opportunistic | MarkOrgAP | Marketing | SME | private |
| 54 | Generation III.a | machine | opportunistic | ChemOrgAP | Chemical | SME | private |
| 55 | Generation III.a | machine | opportunistic | EducHscAP | Education | large | public |
| 56 | Generation III.a | machine | opportunistic | HospOrgAP | Hospitality | large | private |
| 57 | Generation II | human | opportunistic | WasteOrgAP | Waste | SME | private |
| 58 | Generation III.a | machine | opportunistic | FinCompAP | Finance | large | private |
| 59 | Generation II | human | targeted | LegAdvAP | Legal | SME | private |
| 60 | Generation III.a | machine | opportunistic | LegSolcAP | Legal | SME | private |

Questions
Can you please tell me about the attack?
How would you rate the attack in terms of the level of severity?
Was your business affected by the ransomware attack?
 If yes, then to what extent?
 What functions were affected?
Were your data affected by the ransomware attack?
 If yes, then to what extent?
 Did you manage to restore the data that were encrypted?
In your opinion, are there any other negative impacts the ransomware attack had on your organization?
In your opinion, was the ransomware attack effective?
 If yes, why do you think ransomware was effective?
 What factors contributed to the effectiveness of this attack?

| Crypto attacks | Category | Item → corresponding impact level → corresponding digit |
|---|---|---|
| Attack 1 | Business continuity disruption timeframe | Up to 1 week → ‘Low’ → 1 |
| | Encrypted information critical to business | Not critical → ‘Low’ → 1 |
| | Information loss | Some loss acceptable with incremental backups → ‘Low’ → 1 |
| | Affected devices | One desktop and shares on a server → ‘Low’ → 1 |
| | Recovery time | Up to 2 weeks → ‘Low’ → 1 |
| | Maximum value | 1 |
| | Attack impact level | Low |
| Attack 9 | Business continuity disruption timeframe | Up to 1 week → ‘Low’ → 1 |
| | Encrypted information critical to business | Critical to high priority functions → ‘High’ → 3 |
| | Information loss | Some loss acceptable with incremental backups → ‘Low’ → 1 |
| | Affected devices | Several desktops and shares on servers → ‘Low’ → 1 |
| | Recovery time | Up to 1 month → ‘Medium’ → 2 |
| | Maximum value | 3 |
| | Attack impact level | High |

Organization size does not matter, ransomware is indiscriminate

Within the observed sample, organization size, by itself, did not affect the severity of attacks. As outlined in the ‘Organisation characteristics: size and sector’ section, prior findings and opinions on the relationship between organization size and the incidence of ransomware attacks are rather inconsistent, with some saying that ransomware is mainly a problem for large enterprises and others saying that SMEs make up the bulk of the victims. Of the organizations that we observed, SMEs and large organizations were similarly impacted by ransomware attacks, and in most cases the impact felt was of high severity. This result is consistent with interpretations expressed by police officers from UK Cybercrime Units:

Ransomware is indiscriminate. It does not choose its victims. It chooses computers and those computers can be owned by anybody. (Detective Sergeant, CyberBL)

Ransomware does not target organisations of a particular size. All organisations, small, medium and large, are equally affected. (Detective Sergeant, CyberRM)

We observed several large organizations that experienced severe consequences of crypto-ransomware attacks (e.g. EducInstFB, GovSecA, HealthSerJU, SportClubJ, etc.) as well as SMEs (e.g. LawEnfJU, LawEnfF, ITOrgA, ConstrSupA, etc.). Therefore, regardless of how large or small an organization is, there is no room for complacency. SMEs often baulk at spending their limited funds on IT security measures, weighing things up on the basis of the financial cost of countermeasures vs. the expected probability and expected impact of an attack [ 30 ]. While we cannot offer any insights into the probability of an attack, we can speak about impact. Our findings show that if an organization has weak defence mechanisms, then regardless of whether it is an indigenous start-up or a large multi-national corporation, it is likely to experience very severe consequences in the event of a ransomware attack, such as having critical systems knocked out, heavy data losses and major disruptions of several weeks or more.

Private sector organizations are more likely to experience severe effects

Private sector organizations were more likely to report severe impacts than were those in the public sector in the sample observed in this study. This finding can be explained by the very nature of public organizations as compared to private businesses. Public sector organizations are generally state-owned with an obligation to provide some universal service such as healthcare, education, policing, or civic administration. The private sector, on the contrary, is mainly composed of organizations whose ultimate purpose is not to serve the public but to generate profit. Cyberattacks on profit-driven organizations normally lead to substantial financial losses, reputational damage and loss of customers; the series of security breaches on TalkTalk is one such example [ 47 ]. If public organizations such as councils, state agencies and police departments experience a cyberattack, they may lose public confidence, but as sole suppliers they are not going to lose customers or revenue as they are publicly funded. As an IT/Security Manager from GovSecJN (a public organization fully funded by the UK government) explained:

Yes, there was a financial impact because resources were directed towards dealing with the cyber-attack. But it is difficult for us to quantify the financial impact … . The impact is different for us. It is the impact on service delivery to public. How we care for children. How we care for adults. Even road potholes – people could not report potholes because our systems were down.

Information from interviews with police officers working in the UK Cybercrime Units confirmed our impression that private sector organizations suffer more severe consequences; e.g. a specialist detective within the CyberTL unit told us based on his extensive experience that:

Cybercriminals know that the private sector depends on customer service. They know that these organisations will pay. Especially, we find that a lot of IT companies have been hit. I do not think this is because IT companies are more prone to targeting. It is just because when they are hit by ransomware, it is so much more devastating for them due to their dependency on customers.

This observation is in line with our finding that 86% of respondents from the IT industry experienced attacks of high severity. However, it should be noted that our sample is based on attack victims only and is not representative of the number of potential organizations in each industry. Additionally, public or semi-public institutions may perceive an equivalent attack as less critical simply because they are not in competition with other providers.

Against the threat of ransomware, a vigilant security posture is vital

Our hypothesis that there is a relationship between organizational security posture and attack severity was supported. More specifically, a weak security posture leads to a preponderance of very severe attacks. This suggests that the attacks were detected late, handled badly, or inadequately isolated. Although this observation is relevant to any type of cybercrime, successful ransomware attacks entail unique and rather devastating consequences such as disabled systems, encrypted data and, subsequently, halted business operations. A security weakness that could be easily fixed might cause substantial damage to the victim and even bankruptcy. For example, LogOrgD was infected via a server vulnerability that was widely documented by academics, security vendors and government bodies. Subsequently, the organization lost access to all critical data, including backups. The victim was rapidly losing its customer base and the business was close to bankruptcy. The business owner was particularly distressed and at some point even had suicidal thoughts – a lifetime of hard work was about to turn into ashes. Ultimately, the company managed to survive, but the recovery was time-consuming, costly and extremely challenging. Therefore, IT/Security professionals must be extremely vigilant when it comes to protecting their organizations against ransomware. There is no simple technological ‘silver bullet’ that will wipe out the crypto-ransomware threat. Rather, a multi-layered approach is needed which consists of socio-technical measures, zealous front-line managers and active support from senior management [8]. As an IT/Security Manager from LawEnfJ puts it:

You have to have the fundamentals in place. If you are talking about backups after the event, you are dead in the water. You must have your system set up in a way that actively thwarts these attacks. If you are playing catch-up, then I am sorry, but the game is over at that point. You must stay up-to-date. If you are not staying current in the industry, you are going to get in trouble really quick.

Several respondents commented that if vulnerabilities are not closed down following ransomware attacks, organizations will get attacked again. For example, GovSecJ was attacked 4 times within 6 months. Although the IT/Security Manager wrote a report recommending organizational changes, senior management did not act upon it. Subsequently, three more attacks followed.

Although LawEnfM decided to implement all appropriate changes following the first ransomware attack, ransomware struck a second time during the recovery process, taking advantage of the same vulnerabilities. Since the organization suffered considerably as a result of two consecutive attacks, the external IT provider decided to pay the ransom as they felt responsible. Following this devastating experience (two attacks within 2 weeks), LawEnfM made several important changes in its approach to cybersecurity. HealthSerJU had to experience two very severe attacks before senior management realized the importance of security controls and measures:

I think both attacks fundamentally came down to the fact that there was an under-appreciation of the importance of IT and, therefore, the focus on ensuring that those systems were properly protected was not there … . If we wanted to take a positive from the attacks, it would be that finally executive management gave IT a profile that it has never had before. (IT/Security Manager, HealthSerJU)

Within our sample, public organizations had considerably stronger security postures than those in the private sector. In total, 78% of the private organizations that we looked at had weak security postures, as opposed to 38% in the public sector. This may be because public institutions have a stronger regulatory mandate to have IT security policies in place. In the UK, the Cyber Essentials scheme was introduced in 2014 and is required for all central government contracts [48]. In contrast, in the private sector, the majority of organizations do not require their suppliers to have cybersecurity standards in operation [4].

Of course, the promotion of security standards is one matter, adoption is another and actual compliance yet another again. In the past 12 months, 17 452 Cyber Essentials certificates were issued by the UK government [49] which, going by the estimated 2.6 million businesses in the country [50], represents just 0.7% of the population. Within higher education institutions – from which 29% of our public sector sample was drawn – there has been considerable resistance to the uptake of the Cyber Essentials standard [51]. The ISO27001 standard has been more widely adopted in the UK, but less so in public administration and educational organizations than elsewhere [52]. The annual UK Cyber Breaches Surveys of recent years reveal that a growing number of businesses are adopting Cyber Essentials, ISO27001 or similar policies, but about half still have no such measures in place [4].

Ransomware attacks, even of the less sophisticated type, can wreak havoc

There was no pronounced effect of the crypto-ransomware propagation class upon attack impact in the sample examined in this study. This is an interesting finding because Generation III crypto-ransomware has the ability to propagate across large networks and completely paralyse organizational operations. As a Detective Sergeant from CyberTR pointed out:

When I first started, the virus was very specific to the machine. The machine that clicked on the email was the machine that got the virus and the ransomware and that was it. More recent variants of ransomware have the ability to spread. There is definitely a distinction between ransomware that will hit a computer and encrypt any physically connected devices such as USBs, storage devices, and it is a lot more simple, and the likes of WannaCry that will travel across networks and spread to all computers. We have seen this evolution, where suspects are using vulnerabilities to spread across networks. This type of ransomware is more prevalent than it ever was because it gives hackers an advantage.

Logically, Generation III should bring more devastation. However, our data show otherwise. For example, SecOrgM was infected with the less sophisticated Generation II crypto-ransomware. The victim declared bankruptcy shortly after the attack because the organization did not have backups, could not operate without the hijacked data and at the same time was not able to meet the ransom demands. Similarly, GovSecJN was hit with Generation II ransomware, yet it had a detrimental effect on the victim. Although GovSecJN recovered relatively quickly, data critical to high priority functions was encrypted, affecting essential functions of the organization. Such organizations provide vital services to the local community and many people depend on these services.

By contrast, EducInstFB was attacked with Generation III crypto-ransomware that infected hundreds of devices. EducInstFB and its staff lost access to an enormous volume of data of scientific value. Several critical systems were disabled, which stopped the victim from performing its normal daily tasks. The management decided to pay the ransom. Although the recovery was lengthy and challenging, EducInstFB eventually repaired its systems and recovered the majority of its data. Another victim of Generation III crypto-ransomware – HealthSerJU – was attacked twice and on both occasions over a thousand devices were infected. Although these attacks had a significant negative effect on the delivery of services, HealthSerJU had effective backups and, therefore, promptly restored its systems. EducOrgA was also infected with Generation III crypto-ransomware, affecting the whole network. However, due to the nature of its business, EducOrgA continued its work as a primary school and teaching activities were not interrupted (while administrative data were gradually restored).

Following these observations, we concluded that the crypto-ransomware propagation class alone may not have a direct impact on the consequences of these attacks. Rather, a combination of factors (e.g. the nature of the business, the availability of resources to recover data or pay the ransom, the type of systems affected, the level of preparedness, etc.) is at play.

Beware the ‘weakest link’

Although Hypothesis 2c was rejected, indicating that the severity of a ransomware attack is not influenced by the attack target (i.e. human or machine), we observed that organizations with a weak posture were much more likely to be targeted via machine vulnerabilities as a point of entry, whereas those with medium or strong security postures were more likely to be attacked via social engineering tricks. This finding could be explained by the fact that many of our study participants trust that technical controls provide an adequate defence against cyberthreats, which is also a commonly accepted belief among industry professionals. Consequently, IT/Security professionals focus on implementing measures like e-mail hygiene, vulnerability and upgrade management and sophisticated monitoring and detection systems, but seem to neglect the ‘human factor’ problem and do not have strong security education and training in place, the importance of which as a security countermeasure is well established [6, 37, 38]. Therefore, these organizations are attacked via ‘the weakest link’ – they may have an adequate defence from a technical perspective, but weak employee security practices. As the IT/Security Manager from GovSecJ put it:

Effective defence always starts with a user. You need to make sure that along with teaching people how to use your applications, IT systems, you incorporate in there a good amount of cyber security.

In our sample, 27 attacks were successful because humans opened malicious attachments or clicked on links. Several respondents acknowledged shortcomings regarding human error and made appropriate changes. For example, LawEnfM replaced online security training with face-to-face tuition after an employee failed to notice rather obvious signs of a malicious e-mail. A staff member from LawEnfJU shut down their own machine after receiving a ransom note and booted several other machines using their credentials. Although the employee hoped to solve the problem, they instead infected more machines and lost precious time in which the infection could have been contained. Since then, LawEnfJU has implemented a new policy that obliges employees to report any out-of-the-ordinary activity, no matter how insignificant it seems. The organization regularly sends its employees ‘call and verify’ warnings to remind them of this new rule. However, even with effective security education in place, humans are continually prone to make mistakes and do things they know they probably shouldn’t. For example, an employee from GovSecJN who had recently completed security training still proceeded to open an e-mail attachment, even though he felt it was quite suspicious and potentially risky.

Don’t become an easy target, be careful what you reveal about your organization

Targeted attacks were more likely than opportunistic ones to lead to severe consequences in the observed sample. This result is expected as targeted attacks require a lot of preparation, but the ‘prize’ is much higher:

There is a recent trend of a particular variant of ransomware called BitPaymer, which is seen as a big problem. It seems to me to be very targeted because cybercriminals are making extremely large demands on the businesses, which I have never seen before – £30,000 –so they are clearly very targeted. Cybercriminals know the targets they are going after. (Detective Sergeant, CyberTL)

Such attacks suggest that there is some kind of network reconnaissance behind, so cybercriminals know what company they are targeting and how much to ask for. Cybercriminals will say, ‘Wait there, your turnover is £400m so you can pay maybe £2m’. There are victims out there that have paid up to £1,000,000 or even more to get the decryption key. (Detective Constable, CyberBR)

Clearly, such extravagant amounts would have a more severe effect on an organization than, e.g., the typical £300–500 ransom. In our own sample, one small IT company (VirtOrgD) was asked to pay 75 bitcoins (approximate value £352 000 at the time of the attack), a ransom amount the victim could not afford to pay. After intense negotiations, the hackers agreed to reduce the ransom to 65 bitcoins, but it was still too high for VirtOrgD. The victim had no choice but to recover from partial backups. In the first stages of recovery the management was not sure if the business was going to survive this attack, as VirtOrgD was rapidly losing its customer base. Through tremendous efforts of staff and with the help of external specialists, VirtOrgD managed to restore its business, although, inevitably, some substantial losses occurred. Similarly, another company (ITOrgJL) was asked to pay 100 bitcoins (approximate value £470 000 at the time of the attack). ITOrgJL was able to negotiate the ransom down to 15 bitcoins and recovered effectively with a decryption key provided by the hackers.

Both VirtOrgD and ITOrgJL had weak security postures, which allowed hackers not only to penetrate their networks but also to stay undetected for several days while searching for loopholes through which to spread within the network and encrypt multiple devices, including servers that held crucial data and systems. This confirms our observation that the majority of targeted attacks were executed against organizations that had a weak security posture. The lethality of targeted attacks lies in the hackers’ ability to carry out network reconnaissance in order to find the company’s most critical assets (e.g. backup server, customer data, etc.) and the security weaknesses that will allow them to hijack these assets. It is up to organizations to take appropriate measures to avoid such dramatic consequences.

Our research findings demonstrate that several factors, including ‘organization sector’, ‘security posture’ and ‘attack type’, influence the degree of severity of ransomware attacks. More specifically, within our sample, private organizations were more likely to experience severe consequences than public ones. Interestingly, the public organizations investigated in this study had considerably stronger security postures than those in the private sector. Private organizations typically operate to generate profit and any interruption to services can cause them grave damage. Public organizations, on the contrary, are funded by the government to serve the public. Consequently, financial implications are not always relevant to them. We assert that private organizations need to recognize this vulnerability and ‘up their game’ in the security realm.

Furthermore, organizations that had weak security postures suffered harsher outcomes from ransomware attacks than companies with stronger postures. This finding indicates that the need to strengthen security postures in a bid to defend organizational assets against ransomware attacks is greater than ever. Hackers are relentlessly taking advantage of well-documented issues (e.g. RDP brute-force, poor security training, insufficient vulnerability management). It is important to note that organizations must focus on both technical and non-technical controls, as both are vital; one without the other is futile. As our results demonstrate, targeted attacks mainly prey on technical shortcomings, but even if all technical loopholes are closed down, hackers can still hit a potential victim by exploiting human weaknesses.
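
As an added illustration (not part of the paper) of what a detection for one of the ‘well-documented issues’ named above can look like, the following Python flags an RDP brute-force that ends in a successful logon. Windows Event IDs 4625/4624 and LogonType 10 are real values; the key=value log format, the addresses and the events are constructed for this example.

```python
"""Flag an RDP brute-force that ends in a successful logon (added example).

Event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10
(RemoteInteractive, i.e. RDP) are real Windows Security log values; the
key=value line format and the events below are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed sample: 203.0.113.7 sprays an exposed RDP service and then lands
# on a backup account; a staff member mistypes once from 192.0.2.10;
# 198.51.100.5 fails five times but only succeeds 20 minutes later (outside
# the window); one SMB (LogonType 3) failure is not RDP and is ignored.
SAMPLE_EVENTS = [
    "ts=2020-03-02T01:12:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "ts=2020-03-02T01:12:09 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "ts=2020-03-02T01:12:15 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "ts=2020-03-02T01:12:22 EventID=4625 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.7",
    "ts=2020-03-02T01:12:30 EventID=4625 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.7",
    "ts=2020-03-02T01:12:37 EventID=4625 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.7",
    "ts=2020-03-02T01:12:44 EventID=4624 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.7",
    "ts=2020-03-02T02:00:00 EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.5",
    "ts=2020-03-02T02:00:10 EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.5",
    "ts=2020-03-02T02:00:20 EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.5",
    "ts=2020-03-02T02:00:30 EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.5",
    "ts=2020-03-02T02:00:40 EventID=4625 LogonType=10 TargetUserName=root IpAddress=198.51.100.5",
    "ts=2020-03-02T02:20:00 EventID=4624 LogonType=10 TargetUserName=root IpAddress=198.51.100.5",
    "ts=2020-03-02T08:01:10 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
    "ts=2020-03-02T08:01:25 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
    "ts=2020-03-02T08:05:00 EventID=4625 LogonType=3 TargetUserName=svc IpAddress=192.0.2.44",
]


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    logon_type: int    # 10 = RemoteInteractive (RDP)
    user: str
    src_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value' event line into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        ts=datetime.fromisoformat(fields["ts"]),
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        user=fields["TargetUserName"],
        src_ip=fields["IpAddress"],
    )


def detect_rdp_bruteforce(lines: Iterable[str], threshold: int = 5,
                          window_minutes: int = 10) -> List[dict]:
    """Alert when a source IP logs on over RDP after at least `threshold`
    failed RDP logons from the same IP within the preceding window. Failures
    are counted per IP regardless of username, so password spraying across
    accounts is caught as well as hammering on a single account."""
    window = timedelta(minutes=window_minutes)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    for ev in events:
        if ev.logon_type != 10:
            continue                      # only RDP logons are in scope
        recent = failures[ev.src_ip]
        while recent and ev.ts - recent[0] > window:
            recent.popleft()              # expire failures older than the window
        if ev.event_id == 4625:
            recent.append(ev.ts)
        elif ev.event_id == 4624 and len(recent) >= threshold:
            alerts.append({
                "src_ip": ev.src_ip,
                "user": ev.user,
                "failures_before_success": len(recent),
                "at": ev.ts.isoformat(),
            })
            recent.clear()                # one alert per successful break-in
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the 203.0.113.7 sequence is reported; the 198.51.100.5 success falls outside the ten-minute window and the single staff mistype never reaches the threshold.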

Moreover, targeted attacks brought more devastation to affected organizations in our sample than opportunistic ones. Offenders normally invest more effort into targeted attacks and hence expect higher yields. For example, a thorough investigation of the target may take place, so that the hackers can understand how profitable the business is, what information is critical to its continuity and how much the victim can potentially afford to pay. Whether or not the victim pays, they are still going to suffer substantially. In a scenario where they pay, the ransom is going to be very high and the organization is going to experience considerable financial losses. In a situation where the victim does not pay, they are going to suffer not only financially (in many cases, recovery is more expensive than the ransom payment), but also experience significant disruption to business operations. Therefore, it is worth making cybersecurity investments rather than facing the consequences of a targeted ransomware attack. As our findings suggest, organizations with stronger security postures are less vulnerable to targeted attacks.

Our results also indicate that ‘organization size’, ‘crypto-ransomware propagation class’ and ‘attack target’ have no significant impact on the severity level of ransomware attacks. Within our sample, organizations of all sizes were afflicted by ransomware attacks, with consequences ranging from less severe (e.g. relatively short business continuity disruption timeline and insignificant information loss) to highly severe, where organizations faced a challenging recovery and, in many cases, came very close to business bankruptcy. In fact, one organization in our sample (SecOrgM) did not survive the ransomware attack. This finding underlines the indiscriminate nature of ransomware and serves as caution against common but dangerous attitudes such as ‘hackers could not possibly gain anything from attacking us – we are too small’, ‘we do not hold any state secrets or any other sensitive information that would be of interest to hackers’, ‘hackers are normally after banks as this is where the money is’, etc.

Since 2013, ransomware has evolved considerably and become much more technically advanced and dangerous. Generation III is substantially more of a menace than Generation II because of its greater degree of contagiousness and ability to self-propagate across infected networks. However, we found that the propagation class of crypto-ransomware by itself had no effect on the severity of crypto-ransomware attacks in the observed sample. Regarding the attack target (i.e. machine vs. human), crypto-ransomware impacts victims equally, regardless of the network access method.

As ransomware attacks continue to hurt businesses around the globe, our results convey several important messages. First, we urge organizations of all sizes, small, medium and large, to strengthen their security posture. Secondly, we specifically stress that the vulnerability of private companies to ransomware attacks must be recognized and addressed. Offenders are aware of their dependency on data and systems and take advantage of it. Thirdly, we conclude that the strength of ransomware is not in its technical capabilities and rapid evolution; rather, it lies in the relentlessness of hackers who are persistently searching for a range of weaknesses within organizations. Security holes are widely exploited by perpetrators, but hackers also understand the sentimental value organizations may have to owners who have possibly spent a lifetime building their business (e.g. the LogOrgD case). Criminals exploit the sense of responsibility that IT and Cyber Security professionals may experience if a company is suffering significantly from an attack (e.g. LawEnfM), or the responsibility management may feel because their staff are facing very challenging working conditions during attacks and potentially harsh consequences afterwards (e.g. EducInstFB). All of these factors inevitably make ransomware attacks ever so painful, while hackers persistently do their homework on potential victims; and this is why targeted attacks hit even harder.

This work makes a number of valuable contributions to the existing body of academic literature on ransomware. It increases knowledge about factors that can make crypto-ransomware attacks absolutely unbearable for affected organizations. We urge readers to learn from the experiences of victims presented in this work and take appropriate preventative actions to avoid, transfer or mitigate the risks of a crypto-ransomware attack. The article also introduces (see ‘Crypto-ransomware propagation class’ section) a simple but useful set of terms that can be used by various parties (e.g. academics, industry professionals, government bodies, etc.) to refer to different classes of this threat according to the degree of infectiousness, i.e. ‘Generation I’, ‘Generation II’, etc. Finally, we developed an Impact Assessment Instrument, which can be applied in further academic works that specifically focus on the crypto-ransomware impact.

This study has a number of limitations. As always, studying cybercrime is a challenge because researchers are faced with incomplete data, skewed surveys and questionable assumptions. The majority of our respondents were based in one country (the UK). Our sample size of 55, though respectable, is still quite small. Therefore, statistically speaking, the findings cannot be generalized outside the given sample and are only applicable within the observed 55 ransomware attacks. A logical follow-on would be to test our conclusions against a larger, more international data set – but a practical problem is how to readily obtain such data. Typically, ransomware victims do not disclose the full reality of their experiences in official complaints or incident reports [3]. Insurance companies such as Advisen have databases of incidents, but these only include organizations that were insured against cyberattacks and made claims. Unfortunately, these sorts of sampling and access issues are typical in cybersecurity research [25] and, as we saw earlier in Table 1, they greatly complicate comparability between studies. We executed our study as rigorously as we could, combining quantitative and qualitative data, and although we believe it is robust and broadly generalizable, that is a point of conjecture.

Furthermore, in terms of limitations, in Phase 1, we interviewed one participant per organization. This is a very common limitation in qualitative data collection, where the principal interviewee typically plays the role of a ‘gatekeeper’, especially when the subject matter pertains to highly sensitive and confidential matters within the organization. We used a snowballing sampling strategy in Phase 2 of data collection which, though not ideal, was the only pragmatic way we could collect data on ransomware attacks.

As regards future research, in the next step we plan to learn what makes ransomware so effective in the wider cybercrime eco-system. While in this study we assessed factors that make these attacks impactful, ransomware is a very complex threat and organized criminals employ various tactics to make these attacks successful. Therefore, we intend to learn about the numerous vulnerabilities that cybercriminals prey on (whether technical, social or psychological), specifically focusing on victims’ decision-making processes regarding ransom payments. The ultimate purpose of this study will be to identify a series of measures that could potentially reduce ransom payments.

We would like to extend our sincere gratitude to all study participants for their invaluable contribution to this research. We greatly appreciate interviewees’ time and genuine effort. We realize some questions may have brought back emotions experienced by victims during attacks; we would like to thank you for your bravery and willingness to tell your story. It is very important that other organizations learn from your experiences. Special thanks to Robert McArdle, the Director of Cybercrime Research Team at Trend Micro, who provided expert advice on technical measures against crypto-ransomware attacks. We would like to acknowledge the relentless commitment of police officers from UK Regional Cybercrime Units in providing data and advising on study results. Please note that the views expressed in this work are ours alone and do not necessarily reflect those of the participants, the commentators or the funding body.

This work was supported by the Engineering and Physical Sciences Research Council [EP/P011721/1].

Questions
Can you please comment on the volume of infection spread?
 Did ransomware take advantage of the local user security context and only encrypted server shares?
 Or did it spread across network, taking advantage of software vulnerabilities or weak admin passwords?
Did disruption to business continuity last for:
 Up to 1 week
 Up to 2 months
 Several months or more
How much information was lost as a result of this attack?
 No loss or some loss acceptable with incremental backups
 Information loss affecting some critical business functions
 Information loss affecting majority or all critical business functions
In your expert opinion, what was the severity of the consequence of this attack on victim organization (‘Low’, ‘Medium’, ‘High’)?
 Why do you think so?
: LawEnfJ had partnerships with other organizations, which involved sharing some systems including e-mail. An employee received a malicious e-mail in the external partner’s inbox and opened it on a machine belonging to LawEnfJ, infecting the network. An investigation revealed that the partner organization did not have appropriate e-mail hygiene that could have stopped this e-mail from entering the inbox. Nevertheless, LawEnfJ had an acute awareness of the ransomware threat and abundant knowledge of how to prevent and mitigate ransomware attacks. When the ransomware hit, the organization responded promptly and methodically. All systems and data were recovered over one weekend. Some data were lost as a consequence of the incremental backup practice, which is acceptable industry practice. Following the attack, LawEnfJ instigated a formal agreement with all external partners on the minimal security measures that they must implement.
: GovSecJN had multiple layers of security controls to protect its business from cyberthreats. However, when the ransomware attack took place, GovSecJN realized that some controls were not equipped to deal with the incident. For example, a communication plan did not consider the fact that crypto-ransomware has the ability to encrypt systems, including e-mail, stripping organizations of the most common communication methods; business continuity plans did not take into consideration the loss of IT. Although all systems and data were restored in 1 week (from backups), some critical services were unavailable for several days, inevitably affecting customers and staff. Following the attack, GovSecJN implemented several changes, including updated communication and business continuity plans.
: EducInstFB had several serious network oversights (e.g. the lack of network visibility, a flat network structure, poor access control management, poor security practices, ineffective backups) that led to severe consequences, where crypto-ransomware infected the whole network comprising hundreds of devices. Subsequently, many vital systems became unresponsive, crippling important business functions. A large amount of data would have been lost as a result of this attack if the organization had not paid the ransom. The recovery process was very challenging and lasted for months.

[1] Europol. Internet Organised Crime Threat Assessment, 2020. https://www.europol.europa.eu/sites/default/files/documents/internet_organised_crime_threat_assessment_iocta_2020.pdf

[2] Sophos. The State of Ransomware 2020: Results of an independent survey across 26 countries, 2020. https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf

[3] FBI. 2019 Internet Crime Report, 2020. https://pdf.ic3.gov/2019_IC3Report.pdf [Accessed January 2020]

[4] UK Government. Cyber Security Breaches Survey 2020, 2020. https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

[5] Simoiu C, Gates C, Bonneau J, et al. “I was told to buy a software or lose my computer. I ignored it”: A study of ransomware. In: Proceedings of USENIX Symposium on Usable Privacy and Security (SOUPS), Santa Clara, CA, 11–13 August 2019.

[6] Connolly LY, Lang M, Gathegi J, et al. Organisational culture, procedural countermeasures, and employee security behaviour: a qualitative study. Inf Comp Secur 2017;25:118–36.


[7] Richardson R, North M. Ransomware: evolution, mitigation and prevention. Int Manage Rev 2017;13:10–21.

[8] Connolly L, Wall SD. The rise of crypto-ransomware in a changing cybercrime landscape: taxonomising countermeasures. Comput Secur 2019;87:1–18.

[9] Holt T, Bossler A. An assessment of the current state of cybercrime scholarship. Deviant Behav 2014;35:20–40.

[10] Rege A. Incorporating the human element in anticipatory and dynamic cyber defense. In: Proceedings of the 2016 IEEE International Conference on Cybercrime and Computer Forensic, Vancouver, BC, 12–14 June 2016, 1–7.

[11] Connolly L, Borrion H. Your money or your business: Decision-making processes in ransomware attacks. In: Proceedings of 2020 International Conference in Information Systems. Association for Information Systems, 14–16 December 2020.

[12] Payne BK, Hawkins B, Xin C. Using labelling theory as a guide to examine the patterns, characteristics, and sanctions given to cybercrimes. Am J Crim Justice 2019;44:230–47.

[13] Maimon D, Louderback E. Cyber-dependent crimes: an interdisciplinary review. Annu Rev Criminol 2019;2:191–216.

[14] Atapour-Abarghouei A, Bonner S, McGough AS. Volenti non fit injuria: ransomware and its victims. In: 2019 IEEE International Conference on Big Data, IEEE, December 2019, 4701–7.

[15] Choi KS, Scott TM, LeClair DP. Ransomware against police: diagnosis of risk factors via application of cyber-routing activities theory. Int J Forensic Sci Pathol 2016;4:253–8.

[16] Zhao JY, Kessler EG, Yu J, et al. Impact of trauma hospital ransomware attack on surgical residency training. J Surg Res 2018;232:389–97.

[17] Zhang-Kennedy L, Assal H, Rocheleau J, et al. The aftermath of a crypto-ransomware attack at a large academic institution. In: Proceedings of the 27th USENIX Security Symposium. Baltimore, MD, 15–17 August 2018, 1061–78. ISBN 978-1-939133-04-5.

[18] Hull G, John H, Arief B. Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Science 2019;8:2–22.

[19] Shinde R, Van der Veeken P, Van Schooten S, et al. Ransomware: studying transfer and mitigation. In: Proceedings of the 2016 International Conference on Computing, Analytics and Security Trends (CAST). Pune: IEEE, 19–21 December 2016, 90–5.

[20] Ioanid A, Scarlat C, Militaru G. The effect of cybercrime on Romanian SMEs in the context of wannacry ransomware attacks. In: Proceedings of the European Conference on Innovation and Entrepreneurship, Paris: Academic Conferences International Limited, 21–22 September 2017, 307–13.


[21] Byrne D, Thorpe C. Jigsaw: an investigation and countermeasure for ransomware attacks. In: Proceedings of the European Conference on Cyber Warfare and Security. Dublin: Academic Conferences International Limited, 29–30 June 2017, 656–65.

[22] Riglietti G. Cyber security talks: a content analysis of online discussions on ransomware. Cyber Secur 2017;1:156–64.

[23] Agustina JR. Understanding cyber victimization: digital architectures and the disinhibition effect. Int J Cyber Criminol 2015;9:35–54.

[24] Ngo FT, Paternoster R. Cybercrime victimization: an examination of individual and situational level factors. Int J Cyber Criminol 2011;5:773–93.

[25] Furnell S, Emm D, Papadaki M. The challenge of measuring cyber-dependent crimes. Comput Fraud Secur 2015;2015:5–12.

[26] Business Continuity Institute [BCI]. BCI Cyber Resilience Report. Business Continuity Institute, 2018.

[27] Beazley. Breach Briefing, 2019. https://www.beazley.com/Documents/2019/beazley-breach-briefing-2019.pdf

[28] Al-Rimy BAS, Maarof MA, Shaid SZM. Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput Secur 2018;74:144–66.

[29] Mansfield-Devine S. Securing small and medium-size businesses. Network Secur 2016;2016:14–20.

[30] Renaud K. How smaller businesses struggle with security advice. Comput Fraud Secur 2016;2016:10–18.

[31] Browne S, Lang M, Golden W. Linking threat avoidance and security adoption: a theoretical model for SMEs. BLED 2015 Proceedings, 2015, 35. http://aisel.aisnet.org/bled2015/35

[32] Smith R. Ransomware is indiscriminate – secure your systems now. Petri, June 7, 2017. https://www.petri.com/ransomware-indiscriminate-secure-systems-now

[33] Kurpjuhn T. The SME security challenge. Comput Fraud Sec 2015;2015:5–7.

[34] Bergmann MC, Dreißigacker D, Skarczinski B, et al. Cyber-dependent crime victimization: the same risk for everyone? Cyberpsychol Behav Soc Network 2018;21:84–90.

[35] Parkinson S. Are public sector organisations more at risk from cyber-attacks on old computers? The Conversation, 16 May 2017. https://theconversation.com/are-public-sector-organisations-more-at-risk-from-cyber-attacks-on-old-computers-77802

NIST . Guide for Conducting Risk Assessments, Information Security, NIST Special Publication 800-30 . National Institute of Standards and Technology, Gaithersburg, MD, 2012 . https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Connolly L , Lang M , Wall DS.   Information security behavior: a cross-cultural comparison of employees in Ireland and United States . Inf Syst Manage   2019 ; 36 : 306 – 22 .

Connolly L , Lang M , Tygar JD.  Employee security behaviour: the importance of education and policies in organisational settings. In: Paspallis N , Raspopulos M , Barry C , et al.  (eds.), Advances in Information Systems Development Methods, Tools and Management. Lecture Notes in Information Systems and Organisation . Springer : New York , 2018 : 79 – 96 .

Brewer R.   Ransomware attacks: detection, prevention and cure . Network Secur   2016 ; 2016 : 5 – 9 .

Connolly L , Wall SD. Hackers are making personalised ransomware to target the most profitable and vulnerable, The Conversation , 2019 . https://theconversation.com/hackers-are-making-personalised-ransomware-to-target-the-most-profitable-and-vulnerable-113583

Williams M. 10 disturbing facts about employees and cyber security, Pensar , 13 December 2018 . https://www.pensar.co.uk/blog/infographic-10-disturbing-facts-about-employees-and-cyber-security

Browne S , Lang M , Golden W. The insider threat - understanding the aberrant thinking of the rogue ‘Trusted Agent’. In: Proceedings of European Conference on Information Systems , Münster, Germany, 26–29 May 2015 .

Creswell JW , Plano Clark VL.   Designing and Conducting Mixed Methods Research , 2nd edn. Thousand Oaks, CA : Sage Publications , 2011 .

Eisenhardt KM.   Building theories from case study research . Acad Manage Rev   1989 ; 14 : 532 – 50 .

Zumbo BD , Gadermann AM , Zeisser C.   Ordinal versions of coefficients alpha and theta for Likert rating scales . J Mod Appl Stat Meth   2007 ; 6 : 21 – 9 .

Eurostat . Your key European statistics, Eurostat , 2020 . https://ec.europa.eu/eurostat/web/structural-business-statistics/structural-business-statistics/sme

Porcedda MG , Wall DS.  Cascade and chain effects in big data cybercrime: lessons from the TalkTalk hack. In: Proceedings of WACCO 2019: 1st Workshop on Attackers and Cyber-Crime Operations , IEEE EuroS&P 2019, Stockholm , 20 June 2019 .

48. UK Government . Procurement Policy Note 09/14: Cyber Essentials Scheme Certification , 2014 . https://www.gov.uk/government/publications/procurement-policy-note-0914-cyber-essentials-scheme-certification

UK National Cyber Security Centre: Certificate Search . https://www.ncsc.gov.uk/cyberessentials/search

Eurostat, 2020b . https://ec.europa.eu/eurostat/tgm/table.do? tab=table&init=1&language=en&pcode=tin00170&plugin=1

Chapman J , Chinnaswamy A , Garcia-Perez A. The severity of cyber attacks on education and research institutions: a function of their security posture. In: Proceedings of ICCWS 2018 13th International Conference on Cyber Warfare and Security . Academic Conferences and Publishing Limited, 2018 , 111 – 9 .

ISO. ISO Survey, 2019 . https://www.iso.org/the-iso-survey.html


Ransomware Case Studies

  • First Online: 25 February 2021

  • Matthew Ryan

Part of the book series: Advances in Information Security (ADIS, volume 85)

This chapter examines four major ransomware cases, with the first major ransomware attack, in 2013, serving as a template for the influx of attacks since 2016. The individual case studies were chosen based on their global impact on organisations and the high-profile media reports surrounding the attacks. The case study analysis examined the attack methodology and the outcome of each attack to determine similarities and evolutionary changes between each subsequent attack. The analysis also sought to detail the method and sophistication level of each attack, the encryption process, and the request for payment. These components provide the foundation for further understanding the rising threat posed by ransomware in later chapters.


Note: Four case studies were deemed to be an appropriate number to accurately demonstrate the evolution of major ransomware attack profiles over a six-year period.

Note: In 2018, an FBI investigation into WannaCry identified Marcus Hutchins as MalwareTech. Whilst Hutchins was initially hailed a hero for his role in stopping WannaCry, he was later arrested and has pleaded guilty to developing the Kronos malware. Kronos was a piece of malware used to steal banking credentials. (See Winder 2019.)

Note: The term “crown jewels” is a cybersecurity term synonymous with high-value data and systems. The term broadly applies to an organisation’s high-value data which typically includes intellectual property, customer data and privileged user account information.

M. Alazab, Profiling and classifying the behavior of malicious codes. J. Syst. Softw. 100 , 91–102 (2015)


R. Anderson, GameOver Zeus botnet disrupted: Collaborative effort among international partners, 7 Nov 2014


M. Anderson, ‘NotPetya’: Latest ransomware is a warning note from the future, IEEE Spectrum (2017). Available online: https://spectrum.ieee.org/tech-talk/computing/it/notpetya-latest-ransomware-is-a-warning-note-from-the-future . Accessed 22 Feb 2019

Australian Tax Office, Scam alerts. (2020). Available online: https://www.ato.gov.au/general/online-services/identity-security/scam-alerts/ . Accessed 17 Aug 2020

B. Bechtol, Enabling violence and instability, in North Korean Military Proliferation in the Middle East and Africa , vol. 44, (University Press of Kentucky, 2018)

C. Beek, Necurs Botnet leads the world in sending spam traffic, McAfee Labs . (11 Mar 2018). Available online: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/necurs-botnet-leads-the-world-in-sending-spam-traffic/ . Accessed 13 June 2018

A. Berry, J. Homan, R. Eitzman, WannaCry malware profile, FireEye Threat Research . (2017). Available online: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html . Accessed 2 Jan 2019

T. Bossert, Press briefing on the attribution of the WannaCry malware attack to North Korea, 19 Dec 2017

T. Brewster, Google warns ransomware boom scored crooks $2 million a month, Forbes . (25 July 2019) 2017 [Online]. Available online: https://www.forbes.com/sites/thomasbrewster/2017/07/25/google-ransomware-multi-million-dollar-business-with-locky-and-cerber/#758974576caf . Accessed 17 Jan 2019

E. Bursztein, K. McRoberts, L. Invernizzi, Tracking desktop ransomware payments, Black Hat . Las Vegas, 2017

S. Chow, Hacked: The Bangladesh Bank Heist, Aljazeera . (24 May 2018) 2018 [Online]. Available online: https://www.aljazeera.com/programmes/101east/2018/05/hacked-bangladesh-bank-heist-180523070038069.html . Accessed 13 Nov 2018

C. Cimpanu, M.E.Doc software was backdoored 3 times, servers left without updates Since 2013, Bleeping Computer . 6 July 2017 (2017)

M. Conti, A. Gangwal, S. Ru, On the economic significance of ransomware campaigns: A bitcoin transactions perspective. Comput. Secur. 79 , 162–189 (2018)

Department of Homeland Security, Alert (TA17-132A): Indicators associated with WannaCry ransomware. (12 May 2017)

P. Ducklin, Ransomware -“Locky” ransomware – what you need to know, Naked Threats . (2016). Available online: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/ . Accessed 24 Feb 2019

K. Eichensehr, Three questions on the WannaCry attribution to North Korea, Just Security . (2017). Available online: https://www.justsecurity.org/49889/questions-wannacry-attribution-north-korea/ . Accessed 10 June 2018

N. Etaher, G. Weir, M. Alazab, From ZeuS to Zitmo: Trends in banking malware, in IEEE International Conference on Trust, Security and Privacy in Computing and Communications , (Trustcom IEEE, Piscataway, 2015)

Federal Bureau of Investigation, FBI Alert – Identification of ransomware variant called Locky, 11 July 2016

L. Garber, Government officials disrupt two major cyberattack systems. Computer 47 (7), 16–21 (2014)

A. Gazet, Comparative analysis of various ransomware virii. J. Comput. Virol. 6 (1), 77–90 (2010)

D. Gerstein, WannaCry virus: A lesson in global unpreparedness. Available online: https://www.rand.org/blog/2017/05/wannacry-virus-a-lesson-in-global-unpreparedness.html . Accessed 3 June 2018

A. Greenberg, The untold story of NotPetya, the most devastating cyber attack in history, WIRED . (2018a). Available online: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ . Accessed 23 Jan 2019

A. Greenberg, The WannaCry ransomware hackers made some real amateur mistakes, WIRED . (2018b). Available online: https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/ . Accessed 5 June 2018

A. Ivanov, O. Mamedov, ExPetr/Petya/NotPetya is a wiper, not ransomware. (2017). Available online: https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ . Accessed 14 Dec 2018

K. Jarvis, CryptoLocker ransomware, Threats & Defenses Threat Analysis . (2013). Available online: https://www.secureworks.com/research/cryptolocker-ransomware . Accessed 3 Jan 2019

L. Kessem, The Necurs Botnet: A Pandora’s box of malicious spam, IBM Security Intelligence . (24 Apr 2017). Available online: https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/ . Accessed 22 Feb 2019

M. Korolov, Ransomware took in $1 billion in 2016 – improved defenses may not be enough to stem the tide, CSO. 5 Jan 2017 2017 [Online]. Available online: https://www.csoonline.com/article/3154714/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html . Accessed 11 Feb 2019

P. Kruse, Locky spreading through Facebook. (20 Nov 2016). Available online: https://twitter.com/peterkruse/status/800414481545187328 . Accessed 2 Mar 2019

E. Lucas, Cyberphobia: Identity, Trust, Security and the Internet (Bloomsbury Publishing, London, 2015)

L. Matthew, Boeing is the latest WannaCry ransomware victim, Forbes . (2018). Available online: https://www.forbes.com/sites/leemathews/2018/03/30/boeing-is-the-latest-wannacry-ransomware-victim/#218e8ea96634 . Accessed 1 June 2018

D. Maynor, M. Olney, Y. Younan, The medic connection, Cisco TALOS . Available online: https://blog.talosintelligence.com/2017/07/the-medoc-connection.html . Accessed 22 Feb 2019

A. McLean, WannaCry reportedly hitting speed cameras in Victoria, ZDNet . (2017). Available online: https://www.zdnet.com/article/wannacry-reportedly-hitting-speed-cameras-in-victoria/ . Accessed 2 April 2018

A. McNeil, How did the WannaCry ransomworm spread?, Blog.Malwarebytes.com . (30 May 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ . Accessed 10 June 2018

D. Meyer, WannaCry ransoms suddenly leave attackers, Bitcoin Wallets . (2017). Available online: http://fortune.com/2017/08/03/wannacry-ransom-bitcoin/ . Accessed 11 June 2018

M. Molloy, Operation Tovar: The latest attempt to eliminate key botnets, Threat Research . (2014). Available online: https://www.fireeye.com/blog/threat-research/2014/07/operation-tovar-the-latest-attempt-to-eliminate-key-botnets.html . Accessed 13 Dec 2018

National Audit Office, Investigation: WannaCry Cyber Attack and the NHS (National Audit Office, London, 2018)

National Health Service, Statement on reported NHS cyber-attack, 13 May 2017

L.H. Newman, The ransomware meltdown experts warned about is here, WIRED . (2017). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/ . Accessed 6 June 2018

L.H. Newman, The leaked NSA spy tool that hacked the world, WIRED . (2018). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/ . Accessed 6 June 2018

A. Palisse, H. Le Bouder, J.-L. Lanet, C. Le Guernic, A. Legay, Ransomware and the Legacy Crypto API, The 11th International Conference on Risks and Security of Internet and Systems . Roscoff, France, 5th–7th September 2016 (Springer, 2016)

D. Palmer, Locky ransomware: Why this menace keeps coming back, ZDNet. 7 Sept 2017 (2017) [Online]. Available online: https://www.zdnet.com/article/locky-ransomware-why-this-menace-keeps-coming-back/ . Accessed 27 Feb 2019

S. Ragan, Malicious images on Facebook lead to Locky ransomware, CSO . (2016). Available online: https://www.csoonline.com/article/3143173/malicious-images-on-facebook-lead-to-locky-ransomware.html . Accessed 14 Feb 2019

O. Ralph, R. Armstrong, Mondelez sues Zurich in test for cyber hack insurance, Financial Times. New York, 10 Jan 2019–11 Jan 2019

M. Rivero, Locky ransomware returns to the game with two new flavors. (25 Aug 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/08/locky-ransomware-returns-to-the-game-with-two-new-flavors/ . Accessed 25 Feb 2019

J. Saarinen, Hackers launch massive Locky ransomware campaign, itNews. 1 Sept 2017, (2017) [Online]. Available online: https://www.itnews.com.au/news/hackers-launch-massive-locky-ransomware-campaign-472295 . Accessed 21 Feb 2019

J. Shea, How is NATO meeting the challenge of cyberspace? PRISM 7 (2), 18–29 (2017)

J. Smith, Hospital pays hackers $17,000 in Bitcoins to return computer network, ZDNet. 18 Feb 2016 (2016) [Online]. Available online: https://www.zdnet.com/article/hospital-pays-hackers-17000-in-bitcoins-to-return-computer-network/ . Accessed 22 Feb 2019

K. Sood, S. Hurley, NotPetya technical analysis – a triple threat: File encryption, MFT encryption, credential theft. 29 June 2017. Available online: https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ . Accessed 4 Mar 2019

Symantec, Ransom.WannaCry, (2017). Available online: https://www.symantec.com/security-center/writeup/2017-051310-3522-99 . Accessed 7 June 2018

A. Taylor, NotPetya Malware Attributed . (16 Feb 2018)

S. Thakkar, Ransomware – Exploring the electronic form of extortion. Int. J. Sci. Res. Dev. 2 (10), 123–126 (2014)

G. Troy, Locky ransomware attacks ramp up. 28 Apr 2017. Available online: https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase . Accessed 23 Feb 2019

A. Winckles, Here’s how the ransomware attack was stopped – and why it could soon start again, The Conversation . (2017). Available online: https://theconversation.com/heres-how-the-ransomware-attack-was-stopped-and-why-it-could-soon-start-again-77745 . Accessed 21 Nov 2018

D. Winder, WannaCry Hero Marcus Hutchins pleads guilty to creating banking malware, Forbes. 20 Apr 2019 (2019) [Online]. Available online: https://www.forbes.com/sites/daveywinder/2019/04/20/wannacry-hero-marcus-hutchins-pleads-guilty-to-creating-banking-malware/#13f645a4513e . Accessed 23 June 2019

J. Wolff, You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (The MIT Press, Cambridge, 2018)


Author information

Matthew Ryan, Maroubra, NSW, Australia

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Ryan, M. (2021). Ransomware Case Studies. In: Ransomware Revolution: The Rise of a Prodigious Cyber Threat. Advances in Information Security, vol 85. Springer, Cham. https://doi.org/10.1007/978-3-030-66583-8_5

DOI : https://doi.org/10.1007/978-3-030-66583-8_5

Published : 25 February 2021

Publisher Name : Springer, Cham

Print ISBN : 978-3-030-66582-1

Online ISBN : 978-3-030-66583-8
  • Published: 02 October 2019

A retrospective impact analysis of the WannaCry cyberattack on the NHS

  • S. Ghafur 1 ,
  • S. Kristensen   ORCID: orcid.org/0000-0002-6608-7132 1 ,
  • K. Honeyford 2 ,
  • G. Martin 1 ,
  • A. Darzi 1 &
  • P. Aylin 1 , 2  

npj Digital Medicine volume  2 , Article number:  98 ( 2019 ) Cite this article


A systematic analysis of Hospital Episodes Statistics (HES) data was done to determine the effects of the 2017 WannaCry attack on the National Health Service (NHS) by identifying the missed appointments, deaths, and fiscal costs attributable to the ransomware attack. The main outcomes measured were: outpatient appointments cancelled, elective and emergency admissions to hospitals, accident and emergency (A&E) attendances, and deaths in A&E. Compared with the baseline, there was no significant difference in the total activity across all trusts during the week of the WannaCry attack. Trusts had 1% more emergency admissions and 1% fewer A&E attendances per day during the WannaCry week compared with baseline. Hospitals directly infected with the ransomware, however, had significantly fewer emergency and elective admissions: a decrease of about 6% in total admissions per infected hospital per day was observed, with 4% fewer emergency admissions and 9% fewer elective admissions. No difference in mortality was noted. The total economic value of the lower activity at the infected trusts during this time was £5.9 m including £4 m in lost inpatient admissions, £0.6 m from lost A&E activity, and £1.3 m from cancelled outpatient appointments. Among hospitals infected with WannaCry ransomware, there was a significant decrease in the number of attendances and admissions, which corresponded to £5.9 m in lost hospital activity. There was no increase in mortality reported, though this is a crude measure of patient harm. Further work is needed to appreciate the impact of a cyberattack or IT failure on care delivery and patient safety.


Introduction

The global ransomware attack, WannaCry, took hold across multiple continents and organisations on Friday 12 May, 2017. 1 Although not directly targeted, one of the biggest casualties of this attack was the National Health Service (NHS) in England. 1 Over 600 organisations were affected; this included 34 infected hospital trusts (NHS organisations that provide acute care, specialised medical services, mental healthcare, or ambulance services) and 46 affected hospital trusts. 1 Infected hospital trusts were locked out of their digital systems and medical devices, such as MRI scanners; affected trusts were those that were not infected but reported disruption either through preventative action or through sharing systems with infected organisations. The UK Department of Health and Social Care (DHSC) was alerted about the emerging events at 1 p.m. that day, and by 4 p.m. a major incident was declared as the scale of the problem became more apparent. 1 The attack was brought to a halt on the evening of 12 May by a cyber researcher who activated a kill switch, which stops the spread of the malicious software and prevented further devices from being infected. 1 Over the next week, the cyberattack resulted in significant disruption across the NHS for patients and healthcare staff, which included reverting to manual processes (e.g. reporting blood results, paper notes); disruption to radiology services; cancelled outpatient appointments, elective admissions, and day case procedures; and, for five infected acute trusts, emergency ambulances were diverted to other hospitals. 2

Cyber security attacks are a growing threat to healthcare and there have been a number of significant cyber security incidents in healthcare globally, the biggest being at Anthem Blue Cross Insurance System in the U.S., where over 78 million (m) health records were stolen in 2015. 3 Most recently, the Singapore Health System reported a major breach of over 1 m patient records, including the prime minister’s record. 4 Healthcare is one of the sectors most exposed to cyberattacks; this is partly because of the vulnerability of the systems, often running on legacy platforms. 5 Medical records consist of financial information, health details, and social security information and are more in demand on the dark web than are credit card data. 6 Despite the number of reported cyberattacks on healthcare internationally, there has been no comprehensive assessment of the actual impact of any attack in terms of service disruption, financial impact, and harm to patients.

As healthcare systems across the world become increasingly dependent on digital systems to deliver care, it is crucial to understand the impact of any cyber security breach/attack on the functionality of the system and how we can improve digital resilience. This paper aims to provide a more in-depth review of the impact of the WannaCry ransomware attack on the NHS in England; however, the lessons drawn have a global resonance. The analysis has been made possible using Hospital Episodes Statistics (HES) to determine the number of cancelled outpatient appointments, the impact on emergency and elective admissions, the number of accident and emergency (A&E) attendances, deaths, and the financial impact on activity.

Impact of WannaCry on hospital activity

Table 1 shows the total counts of activity across all trusts in the weeks before, during, and after the WannaCry attack. For all types of activity except outpatient cancellations, compared to the week before the attack, activity was lower during the WannaCry week. Activity tends, however, to fluctuate across the weeks displayed, and there is nothing to suggest that activity during the WannaCry week was abnormally low compared with other weeks.

At a hospital trust level, compared with the baseline, there was no statistically significant difference in the total level of activity across all trusts during the week of the WannaCry attack (Table 2 ). Hospital trusts had on average 1% more emergency admissions (1.1 admissions, 95% confidence interval 0.2 to 1.9) per day during the WannaCry week compared with baseline weeks, though compared to an average of 107 emergency admissions per trust per day, this is not a clinically significant increase in activity, and activity was also higher than the baseline period in the weeks before and after WannaCry, so this is unlikely to be related to the attack. There was also <1% fewer A&E attendances per hospital per day during the WannaCry week compared to the baseline weeks (−3.2 attendances, −5.3 to −1.2), but again, this difference is not clinically significant, and with similar volatility observed in the weeks preceding and after the WannaCry week, this difference is unlikely to be related with the WannaCry attack.

However, comparing infected to non-infected trusts, there was a statistically and clinically significant difference in activity levels at infected trusts during WannaCry, which was not observed in the weeks before or after the attack (Fig. 1 and Appendix Table 1 ). There was a decrease of about 6% in total admissions per infected hospital per day during WannaCry (−12.8 admissions, 95% confidence interval −22.1 to −3.5), with 4% fewer emergency admissions (−4.8, −7.1 to −2.6) and 9% fewer elective admissions (−10.9, −19.1 to −2.7). The decrease in elective admissions was driven by a decrease in day case admissions of 10.8 fewer admissions per hospital per day during WannaCry (−17.7 to −3.9), while there was no statistically significant difference in the number of elective admissions who were inpatients.

Figure 1. Difference in mean daily activity between infected and non-infected hospitals before, during, and after the WannaCry week. Point estimates and 95% confidence intervals for the difference in mean daily activity between infected and non-infected hospitals during the WannaCry week.

A&E departments were also affected, and there were on average 6% fewer attendances per infected hospital per day during WannaCry (−19.4 A&E attendances, 95% confidence interval −24.6 to −14.2). The decrease in A&E attendances at infected trusts lasted into the week after WannaCry, which saw on average 5.6 (−10.9 to −0.4) fewer A&E attendances per day at infected trusts compared to the baseline period.

The attack also affected outpatient services. During the WannaCry week, infected trusts had on average 50% more cancellations than non-infected trusts per day (59.7 cancellations, 95% confidence interval 41.4 to 78.0). This resulted in 55 fewer outpatient attendances per day at infected trusts, but this was not precisely estimated (−140 to 30.2).

Across all trusts, compared to the baseline week, there was no significant difference in the number of deaths in A&E. There was also no significant difference in deaths in A&E between infected and non-infected trusts (0 deaths, −0.1 to 0.1).

Financial impact

The total economic value of the lower activity at the infected trusts during the WannaCry week was £5.9 m (95% confidence interval £3.6 m to £8.2 m), including £4 m (£1.5 m to £6.6 m) in lost inpatient admissions, £0.6 m (£0.4 m to £0.8 m) from lost A&E activity, and £1.3 m (£0.9 m to £1.7 m) from cancelled outpatient appointments (Table 3 ). Assuming that all trusts had been infected by WannaCry and affected to the same extent as the actually infected trusts, the total value of lost activity could have amounted to £35 m (£21.2 m to £48.8 m) in activity alone.
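The activity differences, their confidence intervals, and the monetised loss reported in the two sections above, worked through as an added example that is not the paper's own analysis code. The paper's statistical model is not shown on this page, so the block assumes a plain two-sample difference in mean daily counts with a normal-approximation 95% interval (z = 1.96). All per-hospital counts, the 200-trust total and the £1,300 unit cost are constructed placeholders; only the 34 infected trusts figure comes from the text. It also shows the imprecise case (an interval straddling zero, as with the outpatient attendances) and the counterfactual scaling to all trusts.

```python
# Added example, not code from the paper: estimate the activity lost at
# infected hospitals during an incident week, attach a 95% interval, and put a
# monetary value on it. The paper's own model is not shown on this page, so a
# plain two-sample difference in means with a normal approximation (z = 1.96)
# is assumed. Every count, the total number of trusts and the unit cost are
# constructed placeholders; only the 34 infected trusts come from the text.
import math
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A point estimate with the bounds of its 95% confidence interval."""
    point: float
    low: float
    high: float

    def significant(self) -> bool:
        """True when the interval excludes zero (as for the admissions
        finding), False when it straddles zero (as for the imprecisely
        estimated outpatient attendances)."""
        return self.low > 0 or self.high < 0


def mean_difference(infected, non_infected, z=1.96) -> Estimate:
    """Difference in mean daily activity, infected minus non-infected, with a
    confidence interval from the two-sample standard error."""
    diff = statistics.fmean(infected) - statistics.fmean(non_infected)
    se = math.sqrt(statistics.variance(infected) / len(infected)
                   + statistics.variance(non_infected) / len(non_infected))
    return Estimate(diff, diff - z * se, diff + z * se)


def lost_value(diff: Estimate, hospitals: int, days: int, unit_cost: float) -> Estimate:
    """Monetise lost activity: events lost per hospital per day x hospitals x
    days x cost per event. A positive difference means nothing was lost, so
    the loss is clipped at zero."""
    def value(per_hospital_day: float) -> float:
        return max(0.0, -per_hospital_day) * hospitals * days * unit_cost
    # The more negative activity bound is the larger loss, so the bounds swap.
    return Estimate(value(diff.point), value(diff.high), value(diff.low))


def scale_to_all(value: Estimate, infected: int, total: int) -> Estimate:
    """Counterfactual in which every hospital had been infected and lost the
    same activity per hospital per day as the infected ones."""
    factor = total / infected
    return Estimate(value.point * factor, value.low * factor, value.high * factor)


# Constructed per-hospital daily counts for the incident week (placeholders).
ADMISSIONS_INFECTED = [190, 195, 200, 205, 210]
ADMISSIONS_NON_INFECTED = [208, 210, 212, 214, 216]
OUTPATIENT_INFECTED = [900, 700, 1100, 800, 1000]      # noisy: wide interval
OUTPATIENT_NON_INFECTED = [950, 960, 940, 970, 930]

N_INFECTED = 34          # infected trusts, from the text
N_TOTAL = 200            # constructed placeholder for the number of trusts
INCIDENT_DAYS = 7
UNIT_COST_GBP = 1300.0   # constructed placeholder cost of one admission


def run():
    """Return (admission difference, its value, the all-trusts counterfactual,
    outpatient attendance difference)."""
    admissions = mean_difference(ADMISSIONS_INFECTED, ADMISSIONS_NON_INFECTED)
    loss = lost_value(admissions, N_INFECTED, INCIDENT_DAYS, UNIT_COST_GBP)
    national = scale_to_all(loss, N_INFECTED, N_TOTAL)
    outpatient = mean_difference(OUTPATIENT_INFECTED, OUTPATIENT_NON_INFECTED)
    return admissions, loss, national, outpatient


if __name__ == "__main__":
    labels = ("admissions/hospital/day", "loss GBP",
              "all-trust loss GBP", "outpatient/hospital/day")
    for label, est in zip(labels, run()):
        print(f"{label}: {est.point:,.1f} ({est.low:,.1f} to {est.high:,.1f}) "
              f"significant={est.significant()}")
```

The bound swap in `lost_value` is the detail worth noticing: a more negative activity difference is a larger loss, so the lower activity bound becomes the upper monetary bound. Reading the interval before the point estimate, as the paper does for the outpatient attendances, is what separates a finding from noise.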

Our analysis of the HES data demonstrated the impact of the WannaCry attack across the NHS in England. This resulted in a 6% decrease in admissions in the infected hospitals, which included 1100 fewer emergency department (ED) admissions and 2200 fewer elective admissions in total. The infected hospitals also saw a decrease in the number of ED attendances with 3800 fewer patients seen. There was a significant impact on the number of outpatient cancellations across the infected hospitals during the WannaCry week—this resulted in 13,500 appointments being cancelled. The financial impact of the attack was also calculated, and the value of the reduction in the activity in the infected trusts amounted to £5.9 m. If this pattern were seen across all NHS hospitals, the reduced activity alone would have cost £35 m.

This is the first comprehensive analysis of this cyberattack across secondary care, both in terms of activity and economic impact. The National Audit Office Report and the Lessons learned review of the WannaCry ransomware cyber attack are the most in-depth analyses to date; however, they fail to fully explore the true impact of the attack across the English NHS. 1,2 The reports describe the number of outpatient appointments that were cancelled (19,000 in total) but did not describe the impact on emergency or elective admissions or A&E attendances.

It was fortuitous that the kill switch was found on the same day as the attack happened; this somewhat limited the potential impact and threat to the health service. 1 The numbers of patients who had to travel further were resorbed into the system, there was no increase in admissions overall, and the system demonstrated resilience and the ability to cope with changing pressures. News channels and social media reported extensively on the attack, and this may have contributed to the pattern seen as patients were able to see which hospitals were most affected. 1 Yet, the resulting impact on patients and staff is not fully appreciated. Five hospitals, including Barts Health (Royal London Hospital), one of the main trauma centres in London, had to close their EDs; patients and emergency ambulances had to travel further to other hospitals to seek care; this had further impact on these hospitals in terms of increased numbers. 1

Our analysis suggests that, if all hospitals had been infected, there would be 21,000 fewer ED attendances in total. While the system managed to resorb the number of patients during WannaCry, if the impact had been greater, we have no understanding on the network effect of what would happen and what the contingency plans would be. Depending on the scale of the attack and the reliance of the organisation on information technology (IT) systems in the delivery of care, disruption may range from inconvenience for the clinical workforce, with little or no discernible impact on patient care, to a complete shutdown of clinical service provision. To understand this better, we are carrying out further research to predict the redistribution of emergency care demand in the context of hospital closures to ensure neighbouring centres are adequately prepared in case of such an event.

A significant 13,500 outpatient appointments in the infected hospitals had to be cancelled. NHS England identified that there were at least 139 cancellations for patients with potential cancer, who were referred to urgent clinics. 2 It is difficult to appreciate the full impact of these cancellations on patient care, as we do not know for how long all of these appointments were further delayed, and the cascade effect on patients at a time when patients were already waiting longer for treatment. 7

We found no significant effect demonstrated on mortality across all hospitals. This pattern was also the finding from a previous study using the same methodology on the impact on mortality during the junior doctors’ strikes that took place in England in 2016. Furnivall et al. reported on the impact of the strikes on patient mortality and suggested that a potential reason for this finding could be that their study did not have enough power to demonstrate an appreciable effect. 8 Yet, they and others reporting on similar events also proposed that, during a period of stress for the service, staffing priority is often given to acute, emergency, and critical care services, and senior medical and nursing staff are often drafted into these areas to ensure the flow of care. 9

The NAO stated that there were no reports of patient harm from NHS organisations. 1 This is difficult to quantify, and as discussed, mortality is a crude measure of patient harm. While the attack may not have led to a direct impact on mortality, we are unable to ascertain the true impact on complications, patient morbidity, or changes in care processes that resulted from the attack.

Because of the complexity of any healthcare system, it is understandably difficult to fully appreciate the impact of any cyberattack. Yet, any impact on a given system can and will undermine the safety of patients. Published examples of the effects resulting from IT failures, often seen in cyberattacks, include the loss of access to electronic health records and radiology and pathology results, drug dosing and drug administration errors, lack of contingency planning when traditional work patterns are affected, and, in the worst-case scenario, patient deaths due to incorrect data. 10,11,12

As we become ever more reliant on digital services to deliver healthcare on a global level, it is crucial to fully appreciate the implications of IT flaws and failings to mitigate any harm to patients. To further appreciate disruptions in care delivery and how we actually measure the impact on patient safety in the event of IT failure/cyberattacks, we are carrying out qualitative interviews with staff from the infected Trusts.

We carried out our analysis of the financial impact of WannaCry at aggregate level, based on the tariffs for outpatient appointments, day case and elective admissions, and ED attendances and admissions. This assessment is an estimate based on the information collected by the DHSC and resulted in a total of £5.9 m based on lost activity to NHS Trusts. We also calculated that, if all NHS Trusts in England had been infected on that day, the resulting costs, based on tariffs for different activities, would be £35 m. The opportunity cost is significant and this total does not account for the additional costs that would be required for IT support to restore and recover systems.

A recent report published by the DHSC has estimated that the cost to the NHS during the attack was approximately £19 m because of lost output and a further £0.5 m for additional IT support. 13 The report also factored in a further £73 m on further IT support required to recover data and restore systems. 13 Most infected Trusts were unable to estimate the financial impact of the attack on their organisation, though Barts Health NHS Trust reported that their estimate was approximately £4.8 m, which included loss of income and hiring of digital experts to support the recovery process post attack. 13 The DHSC’s estimate was based on an anticipation that WannaCry would disrupt 1% of all NHS services including primary care, whereas our estimate is based on actually observed changes in activity, but only considers secondary care.

A study by IBM and the Ponemon Institute reported that cyber breaches in the US cost up to $6.2 billion per year and that almost 90% of hospitals have reported a data breach. 13 Costs that have been accounted for are not just the obvious damage to digital networks and systems, loss in revenue, or data theft but include others such as costs of reporting, legal action against the organisation, the cost of reputational damage, and fines from national bodies for any data breaches. 14 Again, because of complexity of healthcare as a sector, it is often difficult to estimate a true and comprehensive cost of any cyberattack. 15

As a sector, healthcare is one of the most vulnerable to cyberattacks, yet it has chronically underinvested in cyber resilience. 5 Since WannaCry, there has been a considerable increase in capital investment to shore up cybersecurity for the NHS, though with the current scale and threat of the problem, alongside the investment, there needs to be an increase in IT budgets to ensure that current systems can be sustained securely and that healthcare systems are resilient in the face of attack. 5

The NAO report stated that none of the organisations affected by WannaCry had followed advice by NHS Digital (the national information and technology partner to the health and social care system) to apply a Microsoft update patch, which resulted in the vulnerability being exposed. 1 This highlights the legacy systems and infrastructure that are in use, and since the WannaCry attack, funding has been made available for NHS organisations to upgrade their software to Microsoft Windows 10 to improve resilience. 16 This also raises the issue of education, awareness, and sharing of information to ensure that a national learning system exists and good practice can be spread. 17 NHS Digital collects information on cyber threats and the impact from any breaches. These are disseminated across the NHS through the CareCERT bulletins. 1 The above example highlights, however, that more needs to be done in terms of shared learning, information sharing, education, and leadership both at the national and local levels. 14

To prevent or mitigate these types of events from recurring in the NHS or in any other healthcare organisation, there is a need to develop and test effective incident management procedures and improve business continuity planning. 18,19 All organisations must be able to safely and effectively function while under cyberattack. Meanwhile, all data and systems must be securely backed up and disaster recovery processes tested to ensure that the backup is isolated and cannot be erased or tampered with. 18 Strong leadership and a security culture throughout the healthcare sector can help significantly to improve patient safety. 18

The weaknesses of the study are predominantly due to what was not investigated/captured. Because of the data set used, this study does not capture the resulting impact on primary care services, and the NAO report and subsequent follow-up reports by DHSC and NHS England have not detailed the full impact on primary care or social care.

It is difficult to capture the true impact of the cyberattack, as mortality is a crude measure of patient harm and there is no current way to quantify patient harm, lapses, and patient safety. If computer systems were down, staff would also be unable to report any patient safety incidents that would otherwise be reported using the NRLS. This is also true for the recording of any data/events during the WannaCry period. If systems to code and collect administrative data were down, the data held by DHSC and NHS England may not accurately reflect the full extent of events.

Using the national-level data, this study has demonstrated the impact of a cyberattack on a healthcare system. Healthcare has become one of the most vulnerable sectors to cyberattacks globally. Although not targeted at the NHS directly, the WannaCry attack had a significant negative impact on the delivery of care and cost to the health service in England. It was fortuitous that the attack was stopped within 24 h, though the impact on the service lasted longer, with significant numbers of outpatient appointments and elective and day case admissions being cancelled.

In the infected hospitals, there was also a significant decrease in the number of attendances and admissions, with five hospitals having to divert emergency care. There was no increase in mortality reported, though this is a crude measure of patient harm. As the health sector becomes ever more reliant on IT to deliver patient care, there needs to be adequate investment of resources and contingency plans in place to minimise harm and disruption to patients. These lessons resonate globally as we become ever more reliant on IT systems to help deliver healthcare. Further work needs to be done to appreciate the impact on care delivery and how we actually measure the impact on patient safety in the event of IT failure or cyberattack.

Study design

The principal investigator received approval from the Secretary of State and the Health Research Authority under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 to hold confidential data and analyse them for research purposes (CAG ref. 15/CAG/0005). We have approval to use them for research and measuring quality of delivery of healthcare from the London - South East Ethics Committee (REC ref. 15/LO/0824).

HES includes details of all admissions, outpatient appointments, and attendances at EDs in all NHS hospitals in England and is collected by the Department of Health. 20 In line with previous work, 7 admitted patients were separated into elective and emergency categories using the “admimeth” (method of admission) field in HES. Outpatient appointments recorded as “seen” or “arrived late, but seen” in the “attended” field were counted as “attended”, and those that were “cancelled or postponed by the healthcare provider” were counted as cancelled.

Period of study

The WannaCry attack occurred on the afternoon of Friday, 12 May. 1 Data were extracted for all infected and non-infected trusts for the period 1 April to 30 June 2017 and aggregated to the hospital and day level.

We included all NHS trusts with >500 admissions or outpatient attendances across the study period in the analysis, including acute hospitals, community centres, and mental health trusts.

Trusts infected by the WannaCry virus were identified by the Department of Health. Thirty-four trusts were infected with the WannaCry virus, 36 trusts were affected, and 131 trusts were neither infected nor affected. 1

Outcomes were outpatient appointments cancelled, elective and emergency admissions to hospital, A&E attendances, and deaths in A&E.

We calculated activity totals for each of the outcomes in the weeks before, during, and after the WannaCry attack. We defined the week of the WannaCry attack as the 7 days after and including the first day of the attack (Friday, 12 May) and defined the 2 weeks before and the 2 weeks after the attack similarly. As the attack started on a Friday, the weeks before and after are also defined as 7 days starting from a Friday, rather than conventional weeks starting on a Sunday/Monday.

In order to determine the overall impact of the WannaCry attack on national activity, we estimated a model comparing average activity per trust per day during the WannaCry week and the 4 weeks surrounding the week of the attack to activity during the baseline period, which was any other week between 1 April and 30 June 2017. To understand the impact of WannaCry on total national activity, we compared predicted activity from our model to predictions of total national activity if activity during the WannaCry week had been similar to the baseline weeks. The estimated coefficients thus reflect the average difference in daily activity across all hospitals in weeks before, during, and after WannaCry compared to the baseline. We included dummy variables for day of week, bank holiday, and hospital fixed effects.

To examine the impact on activity specifically at the infected trusts, we compared the change in each outcome at the infected hospitals to the change in those outcomes at the non-infected hospitals in a difference-in-differences approach using ordinary least squares. In all models, we included control variables for day of the week and bank holidays and used hospital fixed effects to control for unobserved time invariant differences between hospitals. We also tested the difference in activity between hospitals that were affected and those neither affected nor infected.

When estimating the total impact on infected hospitals, we predicted the expected activity if the WannaCry week had been similar to the baseline weeks at the infected hospitals and compared the estimate of total activity to the actual activity at the infected trusts. We also calculated the expected impact if all hospitals had been infected and calculated the difference between actual and expected activity under this scenario.

We calculated the financial impact of WannaCry at actually and potentially infected hospitals by multiplying the total activity impact estimates with average tariffs for the specific type of activity. For inpatient and outpatient activities, we used activity-weighted average tariffs, and for A&E activity, where activity data were not available, we used the average tariff. For A&E visits, it was £158; for emergency admissions, £1970; day case admissions, £655; elective admissions, £2222; and outpatient appointments, £97.50.
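The estimation and costing steps described above, reduced to their simplest form as an added illustration (this is not the authors' code; their model was an OLS regression with day-of-week, bank-holiday and hospital fixed effects). The tariffs are the ones quoted in the paper; the trust names and daily counts are constructed, and the data are built so that a common shock hits every trust in the attack week, which shows why the difference-in-differences estimate differs from a naive before/after comparison.

```python
"""Difference-in-differences estimate of lost activity and its tariff value."""
from collections import defaultdict
from statistics import mean

# Average tariffs quoted in the paper, in GBP per unit of activity.
TARIFFS = {
    "ae_attendance": 158.0,
    "emergency_admission": 1970.0,
    "day_case": 655.0,
    "elective_admission": 2222.0,
    "outpatient": 97.50,
}

# Constructed trust groups (hypothetical names, not real NHS trusts).
INFECTED = {"trust_A", "trust_B"}
NON_INFECTED = {"trust_C", "trust_D", "trust_E"}
BASELINE_DAYS = 14   # two 7-day baseline weeks
ATTACK_DAYS = 7      # the WannaCry week


def make_sample_rows():
    """Constructed trust-day rows of A&E attendances (not HES data).

    Every trust loses 1 attendance/day in the attack week (a common shock that
    a naive before/after comparison would wrongly attribute to the attack);
    infected trusts additionally lose 6/day, which is the effect a
    difference-in-differences estimator should recover.
    """
    baseline_level = {"trust_A": 300, "trust_B": 250,
                      "trust_C": 400, "trust_D": 180, "trust_E": 220}
    rows = []
    for trust, level in baseline_level.items():
        infected = trust in INFECTED
        for _ in range(BASELINE_DAYS):
            rows.append({"trust": trust, "infected": infected,
                         "period": "baseline", "ae_attendance": level})
        for _ in range(ATTACK_DAYS):
            count = level - 1 - (6 if infected else 0)
            rows.append({"trust": trust, "infected": infected,
                         "period": "attack", "ae_attendance": count})
    return rows


def group_means(rows, outcome):
    """Mean daily activity per trust for each (infected, period) cell."""
    cells = defaultdict(list)
    for r in rows:
        cells[(r["infected"], r["period"])].append(r[outcome])
    return {k: mean(v) for k, v in cells.items()}


def naive_before_after(rows, outcome):
    """Change at infected trusts only; absorbs any system-wide shock."""
    m = group_means(rows, outcome)
    return m[(True, "attack")] - m[(True, "baseline")]


def did_per_trust_day(rows, outcome):
    """(change at infected trusts) - (change at non-infected trusts).

    The non-infected trusts serve as the control for whatever else happened
    that week, so the result is the attack effect per infected trust per day.
    """
    m = group_means(rows, outcome)
    treated_change = m[(True, "attack")] - m[(True, "baseline")]
    control_change = m[(False, "attack")] - m[(False, "baseline")]
    return treated_change - control_change


def lost_activity(effect_per_trust_day, n_trusts, days=ATTACK_DAYS):
    """Total units of activity over the attack week; negative means a loss.

    Passing the number of all trusts instead of only the infected ones gives
    the counterfactual in which every trust had been infected.
    """
    return effect_per_trust_day * n_trusts * days


def value_of_lost_activity(effects, n_trusts, days=ATTACK_DAYS):
    """GBP value of lost activity: lost units x average tariff, summed over outcomes."""
    return sum(-lost_activity(eff, n_trusts, days) * TARIFFS[outcome]
               for outcome, eff in effects.items())


if __name__ == "__main__":
    rows = make_sample_rows()
    eff = did_per_trust_day(rows, "ae_attendance")
    print(f"naive before/after: {naive_before_after(rows, 'ae_attendance'):+.1f} per trust-day")
    print(f"difference-in-differences: {eff:+.1f} per trust-day")
    print(f"value at infected trusts: GBP {value_of_lost_activity({'ae_attendance': eff}, len(INFECTED)):,.2f}")
    print(f"value if all trusts infected: GBP "
          f"{value_of_lost_activity({'ae_attendance': eff}, len(INFECTED) + len(NON_INFECTED)):,.2f}")
```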

Reporting summary

Further information on research design is available in the Nature Research Reporting Summary linked to this article.

Data availability

Relevant data are available by application to NHS Digital.

Code availability

The relevant code is available from the corresponding author upon request.

1. National Audit Office. Investigation: WannaCry cyber-attack and the NHS. https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf (2017).

2. Smart, W. Lessons learned review of the WannaCry ransomware cyber attack. https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-WannaCry-ransomware-cyber-attack-cio-review.pdf (2018).

3. McGee, M. A new in-depth analysis of Anthem breach. https://www.bankinfosecurity.com/new-in-depth-analysis-anthem-breach-a-9627 (2017).

4. Singapore personal data hack hits 1.5m, health authority says. https://www.bbc.co.uk/news/world-asia-44900507 (2018).

5. Gomez, J. & Konschak, C. Cyber-security in healthcare-understanding the new world threat. https://www.divurgent.com/wp-content/uploads/2015/03/Cyber-Security-Healthcarepdf.pdf (2015).

6. Abelson, R. & Goldstein, M. Millions of Anthem customers targeted in cyberattack. https://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html (2015).

7. Iacobucci, G. NHS waiting times: number of patients waiting 18 weeks for treatment rises sharply. BMJ 361, k211 (2018).

8. Furnivall, D., Bottle, A. & Aylin, P. Retrospective analysis of the national impact of industrial action by English junior doctors in 2016. BMJ Open 8, e019319 (2018).

9. Metcalfe, D., Chowdhury, R. & Salim, A. What are the consequences when doctors strike? BMJ https://doi.org/10.1136/bmj.h6231 (2015).

10. McDonald, C. Computerization can create safety hazards: a bar-coding near miss. Ann. Intern. Med. 144, 510 (2016).

11. Horsky, J., Kuperman, G. & Patel, V. Comprehensive analysis of a medication dosing error related to CPOE. J. Am. Med. Inform. Assoc. 12, 377–382 (2005).

12. Magrabi, F., Ong, M.-S., Runciman, W. & Coiera, E. Using FDA reports to inform a classification for health information technology safety problems. J. Am. Med. Inform. Assoc. 19, 45–53 (2012).

13. Department of Health and Social Care. Securing cyber resilience in health and care. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747464/securing-cyber-resilience-in-health-and-care-september-2018-update.pdf (2018).

14. Ponemon Institute LLC. Cost of a data breach study: global overview. https://public.dhe.ibm.com/common/ssi/ecm/55/en/55017055usen/2018-global-codb-report_06271811_55017055USEN.pdf (2018).

15. Jalali, M. S. & Kaiser, J. P. Cybersecurity in hospitals: a systematic, organizational perspective. J. Med. Internet Res. 20, e10059 (2018).

16. Martin, G. et al. WannaCry—a year on. BMJ 361, k2381 (2018).

17. NRLS Reporting. https://report.nrls.nhs.uk/nrlsreporting/.

18. Ghafur, S. et al. Improving Cyber Security in the NHS (Imperial College London, London, 2019). https://www.imperial.ac.uk/media/imperial-college/institute-of-global-health-innovation/Cyber-Security-Ghafur.pdf

19. Sittig, D. F. & Singh, H. A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Appl. Clin. Inf. 7, 624–632 (2016).

20. NHS Digital. Hospital Episode Statistics (HES). https://digital.nhs.uk/data-and-information/data-tools-and-services/data-services/hospital-episode-statistics (2019).

Acknowledgements

This work is supported by the National Institute for Health Research (NIHR) Imperial Patient Safety Translation Research Centre (PSTRC). Infrastructure support was provided by the National Institute for Health Research (NIHR) Imperial Biomedical Research Centre (BRC). The views expressed are those of the author(s) and not necessarily those of the NHS, the NIHR, or the Department of Health.

Author information

Authors and affiliations

NIHR Patient Safety Translational Research Centre, Imperial College London, London, UK

S. Ghafur, S. Kristensen, G. Martin, A. Darzi & P. Aylin

Dr Foster Unit, Department of Primary Care and Public Health, Imperial College London, London, UK

K. Honeyford & P. Aylin


Contributions

The manuscript was written by S.G. with contributions from all authors. S.G., S.K., and P.A. conceptualised this research. S.K., K.H., and P.A. carried out the analysis. P.A., A.D., and G.M. contributed to the conceptualisation and commented on the multiple versions of the manuscript.

Corresponding author

Correspondence to S. Ghafur .

Ethics declarations

Competing interests.

The authors declare no competing interests.

Additional information

Publisher’s note: Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary information

Supplementary table

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ .


About this article

Cite this article.

Ghafur, S., Kristensen, S., Honeyford, K. et al. A retrospective impact analysis of the WannaCry cyberattack on the NHS. npj Digit. Med. 2 , 98 (2019). https://doi.org/10.1038/s41746-019-0161-6


Received : 16 April 2019

Accepted : 05 August 2019

Published : 02 October 2019

DOI : https://doi.org/10.1038/s41746-019-0161-6


This article is cited by

Analyzing the urban–rural divide: the role of location, time, and breach characteristics in U.S. hospital security incidents, 2012–2021

  • Gilbert Munoz-Cornejo
  • Julie Sakowski
  • Ashley Parks

Discover Health Systems (2024)

A resilient workforce: patient safety and the workforce response to a cyber-attack on the ICT systems of the national health service in Ireland

  • Gemma Moore
  • Zuneera Khurshid

BMC Health Services Research (2023)

Impact of primary to secondary care data sharing on care quality in NHS England hospitals

  • Hutan Ashrafian

npj Digital Medicine (2023)

A holistic and proactive approach to forecasting cyber threats

  • Zaid Almahmoud
  • Paul D. Yoo
  • Ernesto Damiani

Scientific Reports (2023)

Hybrid Propagation and Control of Network Viruses on Scale-Free Networks

  • Pingfan Xiang
  • Lu-Xing Yang

Bulletin of the Iranian Mathematical Society (2023)

The NHS cyber attack

Acronis

What type of cyber-attack was used?

How ransomware attacks health care providers and other industries.

For many, ransomware became known when WannaCry tore across the globe, infecting a quarter of a million machines in more than 150 countries in 2017. The largest ransomware attack ever, it affected a diverse collection of entities, including the NHS, Spain-based Telefonica, America’s FedEx, German railway company Deutsche Bahn, and LATAM Airlines.

But what is ransomware?

Ransomware is a type of malicious software that infects computer servers, desktops, laptops, tablets and smartphones, often spreading across networks to other devices. Once it compromises a system, it quietly encrypts every data file it finds, then displays a ransom note to the user demanding an online payment of hundreds or thousands of pounds (to be paid in cryptocurrency like Bitcoin) in return for the decryption keys needed to restore the user’s locked files. The demand often includes a series of deadlines for payment. Each missed deadline leads to a higher ransom demand and, often, destroyed files. If the victim doesn’t pay up, the attacker discards the decryption keys, making the data permanently inaccessible.

One of the most well-known examples of a ransomware attack which hit companies worldwide in the spring of 2017 was the WannaCry outbreak, afflicting over 200,000 computers in over 150 countries. It cost the UK £92 million and ran up global costs of up to a whopping £6 billion.

The ransomware in this case, known as ‘WannaCry’, is often delivered via emails which trick the recipient into opening attachments and releasing malware onto their system, in a technique known as phishing. Once your computer has been affected, it locks up the files and encrypts them in a way that you cannot access them anymore. It then demands payment in bitcoin in order to regain access.

How did the attack happen and what was affected?

On Friday 12th May 2017, the NHS was brought to a standstill for several days due to the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland. Although the NHS was not specifically targeted, the global cyber-attack highlighted security vulnerabilities and resulted in the cancellation of thousands of appointments and operations, together with the frantic relocation of emergency patients from stricken emergency centres. Staff were also forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.

The WannaCry ransomware exploited a specific Microsoft Windows vulnerability; it was not an attack on unsupported software. Most of the NHS devices infected with the ransomware were found to have been running the supported, but unpatched, Microsoft Windows 7 operating system, hence the extent of the cyber-attack. The ransomware also spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), but fortunately there were no instances of the ransomware spreading via NHSmail (the NHS email system).

NHS England reported that at least 80 out of the 236 trusts were affected, in addition to 603 primary care and other NHS organisations, including 595 GP practices. The Department, NHS England and the National Crime Agency reported that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS, although estimates total £92m.

Who was behind the attack?

The attack used EternalBlue, the name given to the exploit for a software vulnerability in Microsoft’s Windows operating system; it works by exploiting Microsoft Server Message Block 1.0. The Server Message Block (SMB) is a network file sharing protocol that ‘allows applications on a computer to read and write to files and to request services’ that are on the same network.

Ironically, it was allegedly developed as a cyber-attack exploit by the US National Security Agency. Although the NSA was reported to have known of the vulnerability the tool relied on, it didn’t bring it to Microsoft’s attention until the hacker group called the Shadow Brokers leaked EternalBlue to an obscure website.

Further analysis of the attack by companies such as Symantec revealed links to the Lazarus group, who in turn have been linked to North Korea, although the attack does not bear the hallmarks of a nation-state campaign.

What caused the attack?

On Tuesday, March 14, 2017, Microsoft issued a security bulletin which detailed the flaw and announced that patches had been released for all Windows versions that were supported at that time. The Department of Health was warned about the risks of cyber-attacks on the NHS a year before WannaCry and, although it had work under way, it did not formally respond with a written report until July 2017.

At the time of the attacks, the NHS was criticized for using outdated IT systems, including Windows XP, a 17-year-old operating system that could be vulnerable to cyber-attacks. In an unusual move, Microsoft released a WannaCry patch for unsupported systems such as Windows XP, which Microsoft had stopped supporting in 2014.

The NHS had not rehearsed for a national cyber-attack, and it was not immediately clear who should lead the response. There were problems with communications because emails were either infected or shut down to prevent the ransomware spreading. It’s clear that the disaster recovery plan at the time had not accounted for a cyber-attack of this scale, nor were there communication contingencies if the main network was inaccessible. There was no clear relationship between trusts infected by WannaCry and the quality of their leadership, as rated by the Care Quality Commission.

What stopped the attack?

The cyber-attack was stopped by an accidental kill switch discovered by Marcus Hutchins, a computer security researcher, who registered a domain that the ransomware was programmed to check. In the week after, the kill switch domain became the target of powerful botnets hoping to knock it offline and spark another outbreak.

What lessons can we learn from the NHS cyber-attack?

According to the National Crime Agency (NCA) , ransomware remains the most common cyber extortion method in the UK, whilst the technical skill required to commit cyber-attacks continues to decrease.

A report based on an FOI request by SolarWinds revealed the overall percentage of UK public sector respondents who experienced a cyber-attack in 2018 compared to 2017 went down (38% experienced no cyber-attacks in 2018, while 30% experienced none in 2017), there were also more organisations that experienced over 1,000 cyber-attacks - 18% in 2018 compared to 14% in 2017.

Security experts warned the health sector is seen by cyber criminals as a particularly lucrative target with health records worth up to ten times the amount as other data such as banking details.  9 months after the attack, it was revealed by NHS Digita l that none of the 200 NHS trusts passed a cyber security vulnerability inspection. Most of the failures were related to patching.

Insufficient funding was highlighted as the main reason why the NHS was still using supporting systems and did not reach cyber security standards. In December 2015, the NAO concluded that the continued deterioration in financial performance was not sustainable and that financial problems in the NHS were endemic.

The WannaCry attack triggered a boost in investment from the government for cyber security in the NHS.  This is a classic example of how a lack of understanding about the risks associated with cyber security vulnerabilities did not warrant a sufficient level of funding to meet the growing needs of large public institutions such as the NHS.

There is further evidence that the understanding of cyber security by senior management in the UK public sector must improve. In a recent survey by Sophos , a worrying 55% of public sector IT leaders believe their organisation’s digital data is less valuable than that of the private sector. 36% of IT leaders say that recruiting and retaining cybersecurity professionals is the single greatest challenge, while frontline IT professionals don’t appear to feel under-resourced, with just 14% of them concerned about the lack of such skills. Clearly there is a communication bridge to be gapped.

Technology is expected to "transform" the NHS. Innovations like the increased use of Artificial Intelligence, cloud computing and connected devices can support more effective care. However, as healthcare relies more on technology, the risk of cyber disruption will also increase significantly unless appropriate actions are taken.

Final thoughts and further reading

To avoid becoming victims of the next widespread ransomware attack, healthcare providers will have to deploy the basic measures and consider deploying leading-edge technologies for ransomware defence such as Acronis Ransomware Protection, a free extension to Acronis Backup and Acronis Backup Advanced that uses machine learning to identify ransomware attacks in progress, terminate them instantly, and automatically restore any damaged files.

For details on how Active Protection works, see: https://www.acronis.com/en-us/resource-center/resource/276/.


NHS England business continuity management toolkit case study: WannaCry attack

Organisation: County Durham and Darlington NHS Foundation Trust (CDDFT)

Incident: WannaCry Attack – 12 May 2017

What happened

The WannaCry ransomware attack was a worldwide cyber-attack which took place in May 2017. The cyber-attack targeted PCs running Windows. The attackers encrypted data and demanded a ransom; if this was not paid, the group threatened to release data/information. Microsoft were made aware of a potential attack 12 months prior to the attack and released a security patch to be installed on all electronic devices that ran Windows.

Organisations that did not install the patch when advised to do so by Microsoft then became the target. 200,000 PCs were infected across 156 countries as a result of the WannaCry ransomware attack.

County Durham and Darlington NHS Foundation Trust (CDDFT) did not suffer a direct attack; however:

The ambulance service protected their network by closing access to their network, with the main impact being:

  • Ambulance handover process and screens disabled
  • Patient Transport Service booking portal not available.

Tertiary centres protected their network by closing access to their network, main impact being:

  • We could not transfer CT/MR scans
  • We could not access Chemo Care meaning we could not transfer Chemo orders to our provider.

Primary care IT provider protected their network by closing access to their network, main impact being:

  • Automated transfer of blood results failed.
  • Certain GPs couldn’t access their case load.

Action taken

Ambulance service.

  • Handover process: pre-alerts continued to be communicated by landline; ambulances arrived without warning, but pins were communicated via airwaves.
  • Patient Transport Service: Business Continuity Plan invoked, and bookings made via telephone.

Tertiary centres

  • Transferred images onto DVD and sent by taxi
  • Chemo orders reverted to paper and faxed.

Primary care

  • Transfer of blood results reverted to paper, which slowed the whole process down.
  • Some GPs were able to access their caseload by accessing System One via our Urgent Treatment Centres.

Lessons identified

A number of lessons were identified and Business Continuity Plans (BCPs) updated:

  • No system-wide fix agreed; CDDFT BCP updated to reflect that pins would be communicated by paramedics' airwaves.
  • Patient Transport Service: BCP updated to include direct dial numbers to make booking either via landline or mobile.
  • Secondary DVD purchased and CDDFT BCP updated to reflect the transfer of images via DVD
  • Chemo Care now has a BCP detailing actions to be taken in the event of Cyber Attack.
  • Pathology BCP updated to incorporate actions to be taken in the event of a Cyber Attack
  • Primary Care BCPs updated to incorporate the process of accessing their case load via a Trust Urgent Treatment Centre.

To minimise the impact on the health economy, it is imperative that NHS organisations understand their interdependencies and then work to dovetail their Business Continuity Plans for shared services.


Real World Case Studies Of Ransomware


Nvidia, Flights disrupted, Olympus, Weir Group are all examples of ransomware attacks.

After Nvidia fell victim to ransomware in late February 2022, the tech giant decided to take matters into its own hands, installing ransomware on the attackers' own machines to combat their attack.

Lapsus$, known as a ransomware group, was the culprit for these attacks, stealing Nvidia's source code, including the hash rate limiter that reduces the usefulness of Nvidia's chips for cryptocurrency mining.

While the revenge attack succeeded in infecting Lapsus$'s computers (an act which, perhaps ironically, led the group to label Nvidia "criminals"), Nvidia failed to retrieve its data, as the group had backed it up.

In order to keep Nvidia's data private, the company had to settle. Lapsus$ demanded that Nvidia publish its GPU drivers as open source, in addition to paying a cryptocurrency ransom, of course.

Flights Disrupted

Airport operator Swissport was hit by a ransomware attack on Feb 3, 2022, resulting in grounded planes and flight delays at Zurich international airport.

22 flights were delayed at Swissport, which is known for air cargo and ground services. Swissport contained the threat quickly, and critical systems were unaffected.

As this attack came after a week of attacks on European oil services, researchers suspect the attack may have been a coordinated effort to destabilise the infrastructure of Europe.

Olympus

Olympus, a Japanese medical tech firm, was hit hard by ransomware in September 2021. The attackers encrypted Olympus' network, disrupting the company's EMEA operations. But just as the med-tech firm was recovering, it was attacked again on October 10, 2021, just one month after the first incident.

Ransomware actors have been known to strike the same victims multiple times—either because they have found a vulnerability they can exploit or because they know that the target is likely to pay up.

Weir Group

Weir Group, a Scottish multinational engineering company, used its Q3 update to announce that it had been attacked with ransomware. It expects profits to shrink by 40 million GBP as a result.

Weir Group stated that the attack occurred in early September 2021 and forced a shutdown of company IT systems, enterprise resource planning operations and engineering applications.

The direct cost was 5 million GBP, but Weir Group estimated the indirect cost at around ten times that amount.

A similar article on how to combat ransomware is available here.


Alex Cunningham


Ransomware is malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment. A ransomware attack can shut down a business for days, even weeks, and -- even when the company pays the ransom -- there's no guarantee it will ever get its assets back, or that it won't be attacked again. This guide covers the history and basics of ransomware, identifies the most common targets and offers expert instructions on how to prevent an attack, or, if the worst happens, how to recognize that an attack has taken place and remove the ransomware as swiftly as possible.

Ransomware case study: Recovery can be painful

In ransomware attacks, backups can save the day and the data. Even so, recovery can still be expensive and painful, depending on the approach. Learn more in this case study.

Alissa Irei, Senior Site Editor

Seasoned IT consultant David Macias will never forget the day he visited a new client's website and watched in horror as it started automatically downloading ransomware before his eyes. He quickly disconnected his computer from the rest of the network, but not before the malware had encrypted 3 TB of data in a matter of seconds.

"I just couldn't believe it," said Macias, president and owner of ITRMS, a managed service provider in Riverside, Calif. "I'm an IT person, and I am [incredibly careful] about my security. I thought, 'How can this be happening to me?' I wasn't online gambling or shopping or going to any of the places you typically find this kind of stuff. I was just going to a website to help out a client, and bingo -- I got hit."

Macias received a message from the hackers demanding $800 in exchange for his data. "I told them they could go fly a kite," he said. He wiped his hard drive, performed a clean install and restored everything from backup. "I didn't lose anything other than about five days of work."

Ransomware case study: Attack #2

A few years later, another of Macias' clients -- the owner of a direct-mail printing service -- called to report he couldn't access his server. Macias logged into the network through a remote desktop and saw someone had broken through the firewall. "I told the client, 'Run as fast as you can and unplug all the computers in the network,'" he said. This short-circuited the attack, but the attacker still managed to encrypt the server, five out of 15 workstations and the local backup.


"What made this ransomware attack so bad was that it attacked the private partition that lets you restore the operating system," Macias added. Although the ransom demanded was again only $800, he advised against paying, since attackers often leave backdoors in a network and can return to steal data or demand more money.


Fortunately, Macias had a full image-based backup of the client's network saved to a cloud service. Even so, recovery was expensive, tedious and time-consuming. He had to reformat the hard drive manually, rebuild the server from scratch and reinstall every single network device. The process took about a week and a half and cost $15,000. "The client was just incredibly grateful that all their data was intact," Macias said.

Although pleased the client's data loss was negligible, Macias wanted to find a more efficient, less painful disaster recovery strategy. Shortly after the second ransomware incident, he learned about a company called NeuShield that promised one-click backup restoration. He bought the technology for his own network and also sold it to the client that had been attacked. According to NeuShield, its Data Sentinel technology works by showing an attacker a mirror image of a computer's data, thus protecting the original files and maintaining access to them, even if encryption takes place.

Ransomware case study: Attack #3

The printing services company experienced another ransomware incident a couple of years later, when its owner was working from home and using a remote desktop without a VPN. A malicious hacker gained entry through TCP port 3389 and deployed ransomware, encrypting critical data.
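The third incident turns on one configuration fact: Remote Desktop (TCP 3389) was reachable from the Internet rather than only over a VPN. The audit below is an added example, not code from the article, from ITRMS or from NeuShield. It assumes a simplified, constructed firewall rule format ("action proto src dst dport", first match wins) and a constructed RDP logon record format with the Windows logon type in the last column, and it flags both hosts that an untrusted address could reach on 3389/tcp and RemoteInteractive logons (type 10) arriving from outside the trusted LAN and VPN ranges. Real firewalls and event logs need their own parsers; the detection logic is what carries over.

```python
"""Audit for Internet-exposed RDP: firewall rule check plus logon-record check.

Added example with constructed input; the rule and log formats and the
address ranges below are assumptions, not any vendor's or the article's.
"""
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389

# Constructed firewall rules: "action proto src dst dport", first match wins.
SAMPLE_RULES = """\
allow tcp 10.0.0.0/8 10.0.5.20 3389
allow tcp 0.0.0.0/0 10.0.5.20 3389
allow tcp 0.0.0.0/0 10.0.5.21 443
deny tcp 0.0.0.0/0 10.0.5.21 3389
allow udp 0.0.0.0/0 10.0.5.22 1194
"""

# Constructed RDP logon records: "timestamp user src_ip logon_type".
# Logon type 10 is Windows' RemoteInteractive (RDP) logon type.
SAMPLE_LOGONS = """\
2022-03-01T02:14:07Z owner 203.0.113.45 10
2022-03-01T09:05:12Z admin 10.8.0.15 10
2022-03-01T09:06:40Z admin 10.0.5.20 3
"""

# Assumption: the LAN and the VPN client pool both live inside 10.0.0.0/8.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    dport: int


def parse_rules(text):
    """Parse the constructed rule format into Rule objects, skipping blank lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        action, proto, src, dst, dport = parts
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          ipaddress.ip_address(dst), int(dport)))
    return rules


def rdp_exposed_to(rules, probe_ip):
    """Return hosts a packet from probe_ip could reach on 3389/tcp.

    Walks the rule list in order; the first rule matching the probe source,
    tcp and port 3389 decides the verdict for that destination host.
    """
    probe = ipaddress.ip_address(probe_ip)
    exposed, decided = [], set()
    for r in rules:
        if r.proto != "tcp" or r.dport != RDP_PORT or probe not in r.src:
            continue
        if r.dst in decided:
            continue
        decided.add(r.dst)
        if r.action == "allow":
            exposed.append(str(r.dst))
    return exposed


def suspicious_rdp_logons(text, trusted_nets):
    """Return (timestamp, user, src_ip) for type-10 logons from outside trusted nets."""
    hits = []
    for line in text.splitlines():
        ts, user, src, logon_type = line.split()
        if logon_type != "10":
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in trusted_nets):
            hits.append((ts, user, src))
    return hits


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # 198.51.100.1 is a documentation address standing in for "the Internet".
    print("RDP reachable from the Internet:", rdp_exposed_to(rules, "198.51.100.1"))
    print("RDP logons from untrusted sources:",
          suspicious_rdp_logons(SAMPLE_LOGONS, TRUSTED_NETS))
```

Run against the constructed data, the rule check reports 10.0.5.20 (the deny rule protects 10.0.5.21) and the logon check reports the 02:14 logon from 203.0.113.45, while the VPN-pool logon and the non-RDP logon pass. A finding from either check is the condition the article describes; the remediation it implies is to drop the public allow rule and require the VPN for remote desktop.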

In this instance, however, Macias said NeuShield enabled him to restore the system with a simple click and reboot. "When they got hit the first time, it took forever to restore. The second time, they were back up and running in a manner of minutes," he said.

While he praised NeuShield's technology, Macias noted it doesn't negate the need for antivirus protection to guard against common malware threats or for cloud backup in case of fires, earthquakes or other disasters. "Unfortunately, there's no one-stop solution," he said. "I wish there was one product that included everything, but there isn't."

Macias said he knows from personal experience, however, that investing upfront can prevent massive losses down the road. "I've had clients tell me, 'I'll worry about it when it happens.' But that's like driving without insurance. Once you get into an accident, it's too late."


IOE academic receives British Society for Population Studies Early Career Award

13 September 2024

Dr Alina Pelikh (Centre for Longitudinal Studies) has received the British Society for Population Studies (BSPS) Early Career Award for her contributions to the field of family demography and transitions to adulthood.


The BSPS Early Career Award recognises the achievements of academics at the beginning of their careers. It acknowledges their potential to make significant contributions to population studies. 

The BSPS highlighted Dr Pelikh’s strong empirical and theoretical contributions, particularly her research on how life course trajectories of young people in England and Wales have changed over the last 25 years. 

They also commended the potential of her future research on the impact of early life health and wellbeing on individuals’ future family transitions – particularly in relation to policymaking on reproductive health and socioeconomic inequality. The BSPS also noted her engagement with policymakers and the public and her contributions to citizenship in the demographic community. 

Dr Pelikh is a quantitative social demographer who works at the intersections of demography, social policy and public health. Her research interests include a range of topics including the life course, families and fertility, the transition to adulthood, mental health, social inequalities, and residential mobility. 

Her most recent work explores the social and health effects of Medically Assisted Reproduction on children and adults. She is also a recipient of the Understanding Society Fellowship, which enabled her to investigate the role of early adolescent experiences in explaining differences in school-to-work trajectories between siblings. 

She also co-hosts the Academia et al. podcast series, produced by early career academics about life in academia. 

Dr Pelikh said, “I’m very honoured and happy to receive the award from the BSPS, which has played a significant role in my academic life since the early days when I was a PhD student”. 

The BSPS is a non-profit society based at the London School of Economics.

