The experiences and impacts of ransomware attacks on individuals and organisations
Published 14 January 2025
Acknowledgements
The Home Office Analysis and Insight Unit commissioned Ipsos to deliver a qualitative research report on the experiences and impact of ransomware attacks on victims. Ipsos prepared this summary report based on the data they collected.
We would like to thank the following individuals for their support in delivering this:
From the Home Office: Rebecca Millett, Carolyn Budd and Rachel Knight.
From Ipsos: Hannah Shrimpton, Waseem Meghjee and Florence Slark.
Executive summary
Ransomware is a type of cyber crime - more specifically, it is a type of malware deployed by cyber criminals to block access to a user’s computer systems, to encrypt data and files to prevent access, and/or to facilitate theft of data held on systems or devices. Offenders demand that victims pay a ransom (often in cryptocurrency) to regain access to the computer or data, or to prevent data being leaked online. Ransomware is viewed by the National Crime Agency as the greatest serious and organised cyber crime threat, the largest cyber security threat, and also a risk to the UK’s national security. It is viewed as one of the most harmful cyber threats due to the associated financial losses, theft of potentially sensitive data and intellectual property, and significant service disruption. It can impact individuals, businesses and public sector organisations (see NCA 2024 - Cyber Crime - National Crime Agency).
The Home Office commissioned Ipsos UK to carry out research looking at the experiences and impact of ransomware attacks on individuals and organisations in the UK. This report summarises the findings from 39 in-depth qualitative interviews with organisations (including businesses, charities and public sector organisations) and individuals who were victims of ransomware. Interviews took place online between February and April 2023. Most victims experienced an attack between 2019 and 2022.
Key findings
Most individuals and organisations had little awareness of the risks and impacts of ransomware prior to their attack. They also described being unprepared for the scale, sophistication and impacts of the attack they experienced. Further efforts to increase awareness of ransomware attacks against organisations and individuals could be considered. These could emphasise the indiscriminate nature of attacks and the potential financial, psychological, organisational and reputational impacts.
Ransomware attackers mostly exploited either weaknesses in cyber security apparatus (such as internet-exposed remote access portals and unpatched servers) or used phishing scams to gain access to files. The extent of victims’ cyber security prior to the attack varied: some had invested in additional systems and had senior buy-in and training, while others had weaker systems. However, prior to the attack, victims were rarely clear on what the key steps would be to mitigate against ransomware attacks. Very few organisations described having a business continuity plan for cyber attacks or ransomware attacks. Wider dissemination and tailoring of the National Cyber Security Centre (NCSC) set of recommendations to mitigate against malware and ransomware attacks could help organisations and individuals understand the risks of ransomware and implement preventative measures.
Most victims who took part in this research did not pay a ransom. Those who did not engage with attackers described taking a principled stance and said they did not want to reward criminals. Any messaging to discourage victims from paying ransoms could consider focusing on the moral dimension and potential implications of funding criminal enterprises. It could also consider underlining the risks involved regarding re-victimisation and not receiving data back after paying the ransom.
Organisational decisions about whether to pay a ransom often hinged on the extent of file encryption and the likelihood of recovery. Weighing the extent of the damage against the cost and risks of paying became a business decision, while some public sector organisations were restricted by school or Department for Education (DfE)-led policies not to pay ransoms. All 3 organisations spoken to who paid the ransom had lost business-critical data and described feeling like they had “no choice”. There may be very little that could dissuade businesses or organisations from paying ransoms if crucial files have been lost and appear irretrievable by any other means (for example, even with available support from law enforcement).
Direct and indirect financial costs could be severe for victims of ransomware. Some organisations paid significant sums of money to commission external technical, legal or PR support or advice. Depending on the number and type of files encrypted and recovery timescales, the indirect costs of closure or disruption of services, as well as rebuilding hardware and software, could be high. No individuals and very few organisations had cyber security insurance in place. Organisations who did have insurance in place had experienced reduced direct costs. Insurance also provided access to external support options which mitigated the impact of the attack. Further advice and guidance on the value of ransomware insurance could help organisations make informed choices about insurance options.
Non-financial impacts were varied and wide-ranging. Few organisations spoken to reported reputational impacts as most could keep awareness of the attacks limited to internal personnel. However, those who experienced reputational damage found this to be long term and severe. The internal impacts on organisational culture could also be severe, with staff reporting reduced confidence in senior management. The experience of a ransomware attack also had a significant impact on both individuals’ and staff members’ mental health and emotional wellbeing. Increased and sustained stress and anxiety were common, particularly when it was unclear what the extent of the damage would be. IT staff described feeling responsible for the attack, working long hours and losing sleep. Children who lost files or schoolwork in school ransomware attacks also experienced stress. The emotional toll of losing personal files was a common experience amongst individual victims and in a few cases, this led to avoidant behaviour such as not using online services. Consideration could be given to the kind of support made available to victims, including the provision of emotional and wellbeing support. Further development and dissemination of guidance on how to communicate key information to relevant parties during an attack could limit internal organisational impacts.
Awareness of Action Fraud was varied among victims and could be a barrier to reporting. Some individuals and organisations did not see any benefit of reporting their experiences, particularly if they had successfully retrieved their files. Messaging on how to report ransomware attacks could increase awareness of Action Fraud. Messaging could include the importance of reporting ransomware attacks and how this can enable improved law enforcement and government responses, policies and measures.
Victims largely reported negative experiences of Action Fraud. Similar to findings from previous research with victims, this was often rooted in an expectation gap, with some victims assuming that Action Fraud could provide live technical expertise, support retrieving their data and/or start a criminal investigation into their case (Experiences of victims of fraud and cyber crime, Home Office (2025)). Those who had positive or neutral experiences of Action Fraud often had lower expectations of what their report to Action Fraud may involve. Further exploration into how messaging could be used to decrease the gap between victim expectations and support available could be considered. Additional consideration could be given to improving response and support in line with what victims of attacks need.
Glossary
Term | Definition |
---|---|
Action Fraud | Action Fraud is the UK national reporting centre for fraud and cyber crime where you should report fraud if you have been scammed, defrauded or experience cyber crime in England, Wales and Northern Ireland. |
Cloud | A distributed collection of servers that host software and infrastructure, accessed over the internet. |
Dark web | The part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable. |
Decryption key | The secret value used in cryptography to reverse encryption, turning encrypted data back into its original readable form. In a ransomware attack, it is what the offenders withhold until a ransom is paid. |
Encryption | The process of converting information or data into a code, especially to prevent unauthorised access. |
Endpoint security | Protection of the individual devices that connect to a network (for example laptops, desktops, phones and servers), typically through antivirus, endpoint detection and response (EDR) tools and device-level controls. |
Europol | The European Union Agency for Law Enforcement Cooperation is the law enforcement agency of the European Union. |
Exfiltration | The intentional, unauthorised, covert transfer of data from a computer or other device. |
Firewall | A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. |
Infiltration | Gaining unauthorised access to a targeted system, network, or device. |
Information Commissioner’s Office (ICO) | A non-departmental body that upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. |
Malware | Software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system. |
National Cyber Security Centre (NCSC) | An organisation that acts as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents. |
National Economic Crime Victim Care Unit (NECVCU) | A targeted service providing victims of fraud and cyber crime a national standard of care and support by working with forces at a local level to deliver a better service to victims. |
National Fraud Intelligence Bureau (NFIB) | A police unit in the United Kingdom responsible for gathering and analysing intelligence relating to fraud and financially motivated cyber crime. |
Network-Attached Storage (NAS) | A dedicated file storage device connected to a network so that the files on it can be shared across the devices and users on that network. |
Patching | Using software updates to fix a gap in security, meaning that the vulnerability should be closed before a cyber criminal can exploit it. |
Phishing | When attackers send scam messages (that is, emails or text messages) containing links to malicious websites or malicious attachments. These may harvest login details or deliver malware that can sabotage systems and organisations. |
Pop-up | A small window that is displayed on top of the existing windows on screen. |
Portal | In this report, a login page or gateway (for example a remote desktop, VPN or web application login) through which users reach an organisation’s systems over the internet. An “open” portal is one exposed to the internet without adequate protection such as patching, strong passwords or two-factor authentication. |
Ransomware | A type of cyber crime – a type of malware deployed by cyber criminals to block a user’s computer or to encrypt data and files to prevent access. Offenders demand that victims pay a ransom (often in cryptocurrency) to regain access to the computer or data or to prevent data being leaked online. |
Remote Desktop | The ability to connect with and use a faraway desktop computer from a separate computer. |
Regional Organised Crime Unit (ROCU) | A network that works closely with the National Crime Agency, police forces and other partners, using a range of specialist tactics and capabilities to identify, disrupt and tackle the increasingly complex threat posed by organised crime. |
Server host | An IT service, typically offered by a cloud service provider that provides remote access to off-premises virtual or physical servers and associated resources for a monthly subscription or usage-based price. |
Simulation training | A training method that involves realistic, immersive replications of real-life work processes, scenarios, tasks, and tools. |
Two-factor authentication | A security process in which users provide 2 different authentication factors to verify themselves. |
Vector | A way for attackers to illegally enter a network or system. |
Virtual Private Network (VPN) | A mechanism for creating a secure connection between a computing device and a computer network, or between 2 networks, using an insecure communication medium such as the public Internet. |
Virus | A computer program that can copy itself and infect a computer without permission or knowledge of the user. |
1. Introduction
1.1 Background
Ransomware is viewed by the National Crime Agency as the greatest serious and organised cyber crime threat, the largest cyber security threat, and also a risk to the UK’s national security. It is viewed as one of the most harmful cyber threats due to the associated financial losses, theft of potentially sensitive data and intellectual property, and significant service disruption. It can impact individuals, businesses and public sector organisations (NCA 2024 - Cyber Crime - National Crime Agency). The nature of the ransomware ecosystem and offender business model has been documented by the National Cyber Security Centre (NCSC), alongside its published advice on how to protect against ransomware (see Ransomware, extortion and the cyber crime ecosystem (NCA, NCSC)). Ransomware attacks are common globally and represent one of the most significant international cyber threats, so they are a top priority for the UK Government.
The current evidence base around the exact scale of ransomware is limited, but the Cyber Security Breaches Survey (CSBS) (2024) explores the cost and impact of cyber breaches and attacks on businesses, charities, and educational institutions. It found that half of businesses reported experiencing at least one cyber attack, of which 6% identified their organisation’s devices being targeted with ransomware. Organisations are also required to report personal data breaches that are likely to result in a risk to individuals to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them; this includes ransomware incidents in which personal data has been encrypted, stolen or otherwise compromised. Reports of ransomware incidents have increased year on year since 2019, with single quarter incidents peaking in April to June of 2023 with 511 incidents.
1.2 Research objectives
Despite the high level of risk associated with ransomware, there is a lack of empirical research into this type of cyber crime and the impact it can have on victims. Under-reporting remains an issue with cyber crime in general: approximately one in 15 (7%) of estimated computer misuse incidents against individuals were reported to the police or Action Fraud in the year ending March 2024 (see ‘Crime in England and Wales: Annual Trend and Demographic Tables’, Office for National Statistics 2024). In addition, the Cyber Security Breaches Survey 2024 estimates that only around a third (34%) of businesses reported their most disruptive breach outside their organisation. As a type of computer misuse, and a relatively new and rapidly developing crime type, ransomware is also suspected to be under-reported, further hindering our knowledge. There is a growing need to contribute to the large evidence gap around the nature of ransomware, how ransomware impacts its victims and what support victims need.
The Home Office Analysis and Insight Unit (HOAI) therefore commissioned Ipsos UK to conduct qualitative research with victims of ransomware. The research intended to explore the experiences of different types of victims, individuals, businesses and public sector organisations. This was to develop a greater understanding of the range of ransomware victims, and the nature and impact of ransomware offences. The aim was to inform and improve the law enforcement and policy responses to ransomware and improve the support available to victims.
More specifically, this research sought to address the following research questions:
- To improve understanding of the nature of offences and impacts experienced by victims of ransomware.
- To explore reasons why ransomware victims report incidents and their experiences of the reporting process.
- To explore ransomware victims’ knowledge and perceptions of Action Fraud and law enforcement.
1.3 Methodology
The research sought to address these objectives through hearing directly from victims of ransomware. In total, Ipsos conducted 39 one-to-one in-depth interviews with businesses, charities, public sector organisations and individual victims of ransomware (see table 1 and table 2 for sample breakdown).
Most victims (34) had experienced the attack between January 2019 and December 2022[footnote 1]. More than half (26) reported the ransomware attack to Action Fraud or had their incident forwarded onto Action Fraud by a third party.
Table 1: Sampling framework – organisations (n=27)
Type of organisation | Size [footnote 2] | Year of attack |
---|---|---|
Businesses (18) | Micro (7) | 2019 (2) |
Public sector organisations (6) | Small (5) | 2020 (8) |
Charities (3) | Medium (11) | 2021 (8) |
 | Large (4) | 2022 (9) |
Table 2: Sampling framework – individuals (n=12)
Gender | Age | Year of attack |
---|---|---|
Female (4) | 25 to 64 (10) | 2015 (1) |
Male (8) | 65 to 74 (2) | 2017 (1) |
 | | 2018 (3) |
 | | 2020 (3) |
 | | 2021 (3) |
 | | 2022 (1) |
Participants were recruited through a multi-strand approach[footnote 3]:
- gatekeeper recruitment - working with Action Fraud, Cyber Resilience Centres (CRCs) and the Protect Network to identify victims of ransomware who had been supported by these services or organisations
- CSBS respondents - recontacting businesses and charities who had taken part in CSBS and indicated they were victims of a ransomware attack
- recontacting participants from Ipsos UK’s internal panel (KnowledgePanel) who had indicated they had been a victim of ransomware as part of ongoing polling
Interviews took place between February and April 2023. Interviews lasted between 30 and 90 minutes and were conducted either via phone or video call by members of the Ipsos research team. For business or public sector organisations, the research team aimed to conduct one or 2 interviews per organisation. Interviews were carried out with a member of the IT team who had responded to the attack and a member of the senior leadership team or HR.
Ipsos developed discussion guides for individual and organisational victims, as well as adapted versions for the different roles in the organisations.
The research adopted a thematic approach to analysis. The team developed a code frame in line with the overarching objectives and research questions, through which all data from the in-depth interviews were managed, reviewed and analysed. Through this approach, the team identified key themes, which are presented throughout the report.
1.4 Ethical considerations when engaging with victims of crime
The researchers embedded strict ethical procedures throughout the research project to ensure the welfare of participants and researchers. These included but were not limited to:
Gaining informed consent. Prior to interviews, participants received an information sheet, privacy notice and consent form clearly outlining the purposes of the research, what the research involved, details on confidentiality and anonymity, the possibility for publication, and the contact details for the research team to help answer any questions. At the point of the interview, the researcher used the introductory section to reiterate the key points about the research and gave them the option to opt out and ask further questions about the research.
Enabling participation and avoiding harm to participants. This included:
- explaining at the start of each interview what will be covered including sensitive subjects such as the impacts of the attack, and checking participants are comfortable discussing these topics
- reiterating to participants the voluntary nature of the interview and that taking part in the research does not affect their eligibility for support and relationship with the organisation that may have made them aware of the research
- offering a flexible approach to interviews, for example, by allowing for face to face, online or telephone interviews, and offering participants the opportunity to take breaks from the discussion if needed
- building flexibility into the discussion guide to ensure there was time at the start for the researcher to ask warm-up questions and build a rapport with the participant, and a ‘light’ discussion at the end of the interview to ensure the conversation did not finish on a potentially sensitive subject; interviews were also flexible enough to allow participants the space to take a break during the discussion if required
- ensuring Ipsos’s disclosure policy was clear in all relevant research materials and informing participants of the necessary steps in the unlikely event they were to disclose details of serious harm
- providing participants with an information leaflet containing links and contact details for services and support if the interview has prompted feelings of distress or concern
As is standard practice, the research was supported by Ipsos UK’s internal Ethics Group.
1.5 Interpretation and representation of data
Qualitative approaches are used to explore the nuances and diversity of views, and the factors which shape or underlie them. By its nature, qualitative research is not designed to be statistically representative of the wider population. As such, these research findings are not statistically representative of the experiences of all victims of ransomware. Although this report includes some indications of how typical views or experiences were across the sample or within subgroups, this should be considered within the context of those interviewed.
1.6 Report structure
The types of ransomware attacks and how they unfolded for victims could be complex, dependent on a variety of factors and often unique. This report summarises some of the key themes that emerged from the interviews but cannot portray the full detail of each individual and organisational experience.
Annex 1 includes a select number of anonymised case studies that detail experiences of ransomware attacks and the impact they can have on organisations and individuals. These case studies are referred to throughout the report to illustrate the richness and complexity of each experience.
Findings are structured by the timelines of ransomware incidents:
- prior to ransomware attacks: describes how aware victims were of ransomware; attitudes to cyber security; and infrastructure in place prior to the attacks
- nature of and responses to ransomware attacks: describes some key themes about how attacks can occur (the vector of attack); initial steps taken by victims and how they felt during the attack; scales of attack and factors that could impact this; and details of ransomware demands
- impacts of ransomware attacks: describes key themes identified by victims including direct and indirect financial impacts; psychological and emotional impacts; and reputational impacts
- perceptions of Action Fraud and law enforcement: describes the experiences of those who reported the attack to Action Fraud and law enforcement
2. Prior to ransomware attacks
Key findings
Low awareness of the risks and impacts of cyber crime and ransomware attacks was common amongst businesses, charities, public sector organisations and individuals. The sophistication and scale of their attack surprised most victims. Smaller businesses and individuals believed they were “too small” to be a victim of a ransomware attack.
Further work to increase awareness of ransomware, as well as its seriousness and indiscriminate nature, could help organisations and individuals to be prepared.
No clear patterns emerged as to whether particular cyber security protocols, attitudes or technologies made individuals or different organisations more susceptible to ransomware attacks. For individuals and sole traders, cyber security apparatus was often limited to what was pre-installed on their devices at purchase. Businesses and schools had often invested in cyber security apparatus, but organisational preparedness and senior buy-in varied. Prior to the attack, victims were rarely clear on what the key steps would be to mitigate against ransomware attacks. This may also apply to other types of cyber crime, as the same weaknesses could be exploited in different ways by cyber criminals.
Wider dissemination and tailoring of the National Cyber Security Centre (NCSC) set of recommendations to help mitigate against malware and ransomware attacks could help organisations and individuals digest information and implement key measures (See ‘A guide to ransomware’).
No individuals and very few organisations had cyber security insurance in place that would cover a ransomware attack. Very few organisations had a business continuity plan for either cyber attacks or ransomware attacks.
Further guidance or advice on the importance and provision of insurance options, as well as the need for appropriate ransomware business continuity plans should be considered. These could be tailored for different sizes and types of businesses and public sector organisations.
2.1 Victim’s prior awareness of ransomware
Low awareness of the risks and impacts of ransomware attacks prior to their own experience was common across businesses, charities, public sector organisations and individuals. IT staff within organisations and a few tech-savvy individuals had professional knowledge about the risks of ransomware, but the extent of this knowledge varied. Some organisations had heard of other companies or schools becoming a target for ransomware, heightening their own concerns surrounding the possibility of a cyber attack in the future.
For most victims in the study, the ransomware attack described was their first experience of cyber crime. Three organisations had prior experiences of smaller scale cyber attack(s) including device hacking and other ransomware attacks. In one case, an organisation experienced a ransom attack 15 years prior. An employee had opened a spam email resulting in a few files becoming corrupted. This had led them to improve their cyber security apparatus and backup options prior to their most recent ransomware attack, which had limited the files permanently lost. Similarly, some individuals and organisations had experienced phishing attempts, but there were no patterns of repeat victimisation across the sample.
Even where organisations or individuals were aware of the potential risk of ransomware attacks, some said they had still not been prepared for the scale and sophistication of the attack they experienced.
“What we weren’t ready for was what is essentially vandalism and the organised way that that attack took place and how they found out how to do what they did. That took my breath away because I just didn’t expect, well, I don’t know, we’re not aware of it. I thought I was quite a savvy guy but the most I expected was spam and stuff that was just trying to eke out details from you. Not like this.”
Small-sized business
2.2 Attitudes to cyber security
Victim attitudes to cyber security prior to the attack varied. However, “naivety” was a common way of describing both individuals’ own or their organisation’s attitudes to cyber security and the risks of a ransomware attack. Many reported having an attitude of “it will not happen to me” or “if it hasn’t happened before, it won’t happen now”. Particularly among those in smaller organisations or individuals, there was a perception that ransomware attacks would only be targeted on larger organisations.
“Naïve. Would be the key, sort of the attitude of, ‘Oh, we’re a small manufacturing company, nobody’s interested in us.’ Yes, you know, it was the sort of the view that if it’s not broken, don’t do anything with it, don’t touch it. Which obviously, in technology is not the way forward.”
Medium-sized business
In some organisations, cyber security was described as more of a priority, with senior leadership and management buy-in, well-resourced or larger IT teams and/or outsourced IT security. However, in others, a lack of awareness of the risks and potential impacts of cyber attacks had become embedded in the organisation’s culture. Some IT professionals expressed frustration at the lack of preparedness in their organisations, and described facing significant barriers when trying to persuade senior leadership to invest in cyber security.
“The school generally aren’t as aware or concerned as they should be about these things, mainly because they don’t understand the ins and outs. This means they can sometimes not realise the extent of the issue and how serious it is.”
School
Very few organisations described having a business continuity plan for cyber attacks or ransomware attacks. Most schools described having a cyber security plan, but this primarily related to children’s safety online rather than the security of the school against cyber attacks. Some businesses had a business continuity plan, but very few staff were aware of it, or how to enact it. Some organisations linked this to a lack of interest in, or prioritisation of, cyber security by leadership.
“No disaster recovery plan or business continuity plan. There was an attempt at a disaster recovery plan, but none of the senior management knew about it and none of the colleagues knew about it or how to execute it.”
Large-sized business
2.3 Cyber security apparatus and insurance prior to attack
The range and sophistication of cyber security apparatus within organisations and set up by individuals was diverse. Most organisations and individuals had some form of cyber security installed. However, for individuals or sole traders, this could sometimes be limited to the pre-installed firewalls and security settings on devices at purchase. Most medium or larger businesses and schools had invested in additional cyber security and backup options (although the level of sophistication of these could vary). Regardless of how secure they were, most said they had believed their cyber security apparatus was sufficient prior to the attack, even if, on reflection, they thought it was not. Many reported they had been “unaware” of the level of cyber security needed to defend against an attack.
Individuals described placing trust in the brand names of their devices. Some were unaware of what firewalls or antivirus software they had installed on their equipment. However, some individuals were highly tech-savvy, either working or having worked in IT or cyber security themselves. These individuals had complex and advanced home networks in place, with multiple devices, servers and hard drives. A more complex set-up could also increase the potential damage. For example, one individual had a Network Attached Storage (NAS) drive which allowed them to share files across their devices and hard drives[footnote 4]. The NAS had no passwords or permissions set, because they considered their complex Wi-Fi password strong enough; a Wi-Fi password, however, only controls who can join the network, not what a device already on it can read or write. Once one device was infected, the unprotected NAS enabled the malware to quickly spread across all their devices, hard drives and servers.
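The NAS case above is one infected client being free to rewrite every file on a share. As an added example (not from this report, Ipsos, the Home Office or any interviewee), the following Python script shows an early-warning check an IT team or a tech-savvy individual could run against such a share: it plants a canary file that nobody should ever touch, and measures the Shannon entropy of file contents, since encrypted data sits close to 8 bits per byte while documents, spreadsheets and source text are far lower. The canary filename, the entropy threshold, the suspicious file extensions and the hit count that triggers an alert are assumptions chosen for illustration; the sample share it scans is constructed in a temporary directory.

```python
"""Canary-and-entropy scan for a shared folder.

Added example, not code from the report or any interviewee. The canary
filename, entropy threshold and suspicious extensions are assumptions.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

CANARY_NAME = "~do-not-touch.txt"                     # assumed canary filename
CANARY_CONTENT = b"canary: never modify this file\n"  # assumed canary content
ENTROPY_THRESHOLD = 7.0                               # bits per byte; assumed cutoff
RANSOM_EXTS = {".locked", ".encrypted", ".crypt"}     # assumed suspicious suffixes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for
    uniformly distributed bytes such as ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canary(share: Path) -> Path:
    """Write the canary; legitimate users are told never to open it."""
    canary = share / CANARY_NAME
    canary.write_bytes(CANARY_CONTENT)
    return canary


def scan_share(share: Path) -> dict:
    """Walk the share and collect three signals of mass encryption."""
    findings = {"canary_tampered": False, "high_entropy": [], "ransom_ext": []}
    canary = share / CANARY_NAME
    if not canary.exists() or canary.read_bytes() != CANARY_CONTENT:
        findings["canary_tampered"] = True
    for path in sorted(share.rglob("*")):
        if not path.is_file() or path.name == CANARY_NAME:
            continue
        if path.suffix in RANSOM_EXTS:
            findings["ransom_ext"].append(path.name)
        # The first 64 KiB is enough to classify a file and keeps the scan
        # cheap on a large NAS.
        if shannon_entropy(path.read_bytes()[:65536]) > ENTROPY_THRESHOLD:
            findings["high_entropy"].append(path.name)
    return findings


def is_under_attack(findings: dict, min_hits: int = 3) -> bool:
    """A touched canary is decisive on its own. Otherwise require several
    hits, because one legitimately compressed or encrypted archive also
    has high entropy and should not page anyone."""
    if findings["canary_tampered"]:
        return True
    return len(findings["high_entropy"]) + len(findings["ransom_ext"]) >= min_hits


def build_demo_share(encrypt: bool) -> Path:
    """Constructed sample share in a temp dir: four small text reports plus
    the canary. With encrypt=True the reports are overwritten with
    deterministic pseudo-random bytes (standing in for ciphertext), renamed
    with a ransomware-style suffix, and the canary is clobbered."""
    share = Path(tempfile.mkdtemp(prefix="nas-demo-"))
    plant_canary(share)
    rng = random.Random(0)
    for i in range(4):
        doc = share / f"report{i}.txt"
        doc.write_bytes((f"Quarterly report {i}: sales up, costs flat.\n" * 40).encode())
        if encrypt:
            doc.write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
            doc.rename(doc.with_name(doc.name + ".locked"))
    if encrypt:
        (share / CANARY_NAME).write_bytes(b"\x00" * 16)
    return share


if __name__ == "__main__":
    for label, encrypt in (("clean share", False), ("after encryption", True)):
        result = scan_share(build_demo_share(encrypt))
        print(f"{label}: {result}; under attack: {is_under_attack(result)}")
```

The check is a detective control, not a substitute for putting credentials and per-user permissions on the share: it tells you that encryption has started, so the share can be taken offline and the offending client isolated, but by then whatever that client could reach has already been touched. Scheduling it every few minutes and restricting write access to the accounts that need it are complementary.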
Most medium or larger businesses and schools had invested in additional cyber security and back up options. The different types of protection or backups varied, but the cyber security apparatus that had mitigated the scale or data loss of the attack for many organisations interviewed included:
- offsite servers and/or backups, that is, additional physical servers running external to the main physical servers
- cloud-based servers, that is, a virtual (not physical) server running in a cloud computing environment
- endpoint protection, that is, cyber security focused on defending devices (for example, laptops, mobile phones) from malicious activity
- paid-for antivirus software
- secure remote desktop options, that is, using software to eliminate the risk of remote users connecting to an organisation’s network
Some organisations identified limitations in how prepared they had been. Common weaknesses included servers or firewalls that were unpatched or too old to be patched; insecure remote networks; and a lack of penetration testing, that is, an authorised simulated cyber attack on a computer system to evaluate its security.
In some cases, the ransomware virus had penetrated due to a failure, fragmentation or malfunction of software or firewalls installed. One individual spoke about having a cyber security programme installed, which they later found to be out of date and unlicensed.
“There was a lot of software that was running that was either unlicensed, out of date, or we just didn’t know that it was running on the server machines.”
Medium-sized business
Some organisations who had outsourced their cyber security had found that their IT supplier had left weaknesses in their system, which left them more vulnerable to the ransomware attack. Organisations placed trust in the IT suppliers without knowing the details of the cyber security they had installed. For example, one business found that their antivirus software was not as sophisticated as they had thought; another discovered that files were not being backed up with sufficient frequency.
“I had this IT company that had, officially, I was sure that they had a backup, they back up everything. So, they backed up, a lot of data was backed up, and, but when it actually happened, I found out that a few vital information files were not backed up.”
Small-sized business
Wider organisational factors or structures could also lead to weakness in the cyber security of an organisation prior to the attack. One charity had recently restructured and downsized its internal IT team. Although the charity had subsequently commissioned an external IT support company to “fill in the gaps” following the downsize, their role had been poorly defined and coordinated with internal IT teams.
Some organisations, particularly schools, raised a lack of funds as a barrier to employing sufficient cyber security. For example, one school reported the cost of upgrading their cyber security software had been prohibitive for them. Interviews with senior management and IT teams discussed feelings of frustration towards their outdated firewalls or antivirus software.
“We’re not a bank so, you know, we don’t have the ability or the requirement to have that level of security.”
School
No individuals and very few organisations had cyber security insurance in place that would cover the financial consequences of a ransomware attack. Businesses, charities and schools who had cyber security clauses in their general liability insurance, or had specific ransomware insurance, found the role of insurers crucial in their response to the attack (see next section).
Some without cyber security insurance in place said they had not considered it or been aware it was an option. Other organisations had previously explored insurance options but had decided it was not necessary or worth the expense. In a few instances, the lack of cyber security apparatus in the organisation had meant they were unable to meet the minimum requirements set out by insurers.
“It was getting to the stage where to get cyber insurance, you had to have certain measures in place and some of those measures we didn’t have. The people our brokers were looking at, none of the policies were we able to take up because we hadn’t done certain things in relation to cyber security.”
Medium-sized business
3. Nature of and responses to ransomware attacks
Key findings:
Weaknesses in cyber security systems, such as open portals, unpatched servers, unpatched firewalls and insecure remote desktops, were common vectors of attack.
How victims realised the ransomware attack had occurred varied. Indicators of ransomware attacks included the slowing down of servers and systems and increased suspicious activity in the network servers. However, some victims only realised an attack had occurred after seeing a ransom note or when they were unable to access files. Early detection of suspicious activities in some cases enabled organisations to mitigate the scale of the attack. Any guidance or messaging to organisations on preparedness could consider support on how to identify early warning signs of suspicious activity.
The scale of encryption and exfiltration was influenced by the cyber security and network set-up, access to sufficient backups and the timing of the attack.
Most victims who took part in this research did not pay the ransom. Many of those who did not engage with the attackers took a principled stance against paying a ransom and said they did not want to reward criminals. Any messaging to discourage victims from paying ransoms could consider focusing on the moral dimension and potential implications of funding criminal enterprises. It could also consider underlining the risks involved regarding re-victimisation and not receiving data back after paying ransoms.
The extent of the file encryption and likelihood of being recoverable was a crucial part of all organisational decision-making regarding the ransom. The extent of the damage compared with the cost and risks of paying the ransom became a business decision, with some public sector organisations restricted by school or DfE-led policy not to pay. All 3 organisations who paid the ransom had lost business critical data and said they had felt like they had “no choice”, as there was no other way to retrieve their data. There may be very little that could dissuade businesses or organisations from paying ransoms if business critical files have been lost and seem to be irretrievable by other means (for example, even with available support from law enforcement).
3.1 Nature of ransomware attacks
Vector of attack
Not all organisations and individuals had a full understanding of the vector (the means by which attackers gained unauthorised access to servers) of the attack they experienced[footnote 5]. However, some organisations or individuals with IT experience had gained an understanding of how the attack occurred through their own analysis or through hired cyber security expertise.
Of those who had an insight into the cause of the attack, a weakness in the cyber security apparatus (that is, open portals, unpatched servers, unpatched firewalls and insecure remote desktops) was a common vector. Business IT experts said attackers often found these weaknesses by scanning servers across the internet. These weaknesses could sometimes involve an element of human error in managing the system. For example, one business was impacted when a port in the firewall was mistakenly left open during testing.
“The 2 most significant people [in the company] we wanted to let into [remote access] were unable to connect over VPN the way everybody else was [because they used a different operating system]. So, I looked at how to do that as an alternative way, and as part of the testing, I left a port on the firewall open after we’d done some testing. And the next morning, when I came to the [office and] everything was gone. Everything was down.”
Small-sized business
A school reported that their ransomware attack involved attackers accessing a compromised account, using the remote access structure to gain administration rights and encrypt all files[footnote 6].
“We had a lot of security in place in terms of antivirus, which was patched, and Windows updates were patched … Everything was done on that respect… We had a public facing remote desktop site that you could work from home with. The attacker used [compromised username and password] to gain access into the remote server. Then from there they managed to remote into this person’s computer as that user. Now they’re logged into the network as an end user… then they used an exploit within Microsoft itself to expose the admin credentials.”
School
Phishing scams were also a frequently mentioned vector of attack in this sample, most often by individuals. Individuals described receiving emails, texts or messages on social media with website links that looked legitimate. After clicking the links, a virus downloaded onto their device (often immediately). For example, one participant described their experience of receiving a Facebook message with a link that they clicked on which infected their Facebook app and then their phone.
In other instances, individuals described receiving phishing phone calls, when attackers imitated professional services. Attackers pretended to be a range of services, often telecommunication companies, financial services or tech companies, such as BT Group, PayPal or Microsoft.
“I got a phone call, they said they were from Microsoft… It sounded like it was a good idea to let them have a look at the computer and see what was going on and what I could improve. I didn’t even think about them being able to put a block on.”
Individual
Some individuals had experienced the ransomware attack after visiting compromised websites or clicking phishing pop-ups. For example, one participant explained how a family member clicked on a link in a malicious advert which led to malware downloading onto their electronic device.
“I was out the country at the time on a holiday and had asked my mother to dog-sit… things pop up and instead of trying to find the ‘X’ to close it they just kept saying ‘Yes’ to everything. Which of course redirected and redirected and then eventually put some cross-site scripting software file…Which is a common way of getting malicious adverts onto legitimate sites.”
Individual
Indicators of the ransomware attack
Experiences of the ransomware attack and how it unfolded for victims were diverse, but there were commonalities in the way organisations and individuals first noticed they were experiencing a ransomware attack.
Organisations and individuals often first noticed that something was wrong when servers, systems or electronic devices slowed down. For example, some organisations were first alerted to the attack after staff members complained about the speed of access to emails and files. If the attack was extensive and involved the encryption of most files, the impact on server speed could be stark. For example, an organisation providing IT services was contacted by a client who reported system issues.
“I received a call from [one of my clients] saying Outlook emails seemed to be slow and inaccessible. At that point I investigated and then found various things happening… They would not have had any indication other than their remote desktop services becoming slow, because of the way the attack was taking place.”
Small-sized business
Some individuals also reported first noting an attack when their infected device started crashing or slowing down.
“I generally look at Facebook on my phone, and I noticed my phone started getting really slow and some of my apps started crashing”.
Individual
In larger organisations with in-house IT teams or network management services, some IT professionals identified the ransomware attack while it was in progress. A change in activity on their network server or firewall could alert staff to a ‘live’ ransomware attack. In some cases, this early detection enabled them to contain the malware and limit its damage.
However, some organisations and individuals were alerted to an attack only after data had been encrypted. Victims described not being able to open files, systems requesting passwords where previously no password was required, and passwords being rejected. Victims described seeing flashing messages across screens, receiving emails from attackers notifying them of the attack, or seeing ransom notes appearing on desktops as ‘Read Me’ files.
“[The attackers] basically just blocked me completely… They shut me down and put a password on and I couldn’t get into my computer. I couldn’t open a programme. I switched the computer off, switched it on and I couldn’t get the computer to turn on. It would come up and it would ask for a password, and I didn’t have it.”
Individual
In some instances, these alerts were the first indication to organisations and individuals that something was wrong, either that an attack was taking place or that a virus was infecting their devices. Figure 1 below provides an example of the type of alert that an individual found on their desktop. In this case, the victim first saw a flickering web browser and pop-ups to adult websites. While investigating further, the individual spotted a file saved on their desktop with the title ‘Read Me’. However, sometimes individuals and organisations were still unsure until the ransomware had progressed further.
Figure 1: Example of ‘Read Me’ file which appeared on the desktop of an individual
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the “BKGHJ” extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions (jpg,xls,doc, etc…not databases!) and low sizes (max 1 mb), we will decrypt them and send back to you. This our guarantee.
.4.
Q: How to contact with you?
A: You can write us to our mailbox: [email redacted]@outlook.com or [email redacted]@yahoo.com
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice – time is much more valuable than money.
:::BEWARE:::
DON’T try to change encrypted files yourself!
If you will try to use any third party software for restoring your data or antivirus solutions – please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
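As an added illustration (not part of the report), the indicators described above and in Figure 1, namely a burst of files acquiring one unfamiliar extension such as “BKGHJ” and a ‘Read Me’ note appearing, can be turned into a simple heuristic check over file-change events from a share or NAS. The file paths, timestamps, extension list and thresholds below are constructed assumptions, not values from the interviews.

```python
"""Heuristic early-warning check for ransomware activity on a file share.

Added example, not from the Home Office/Ipsos report. It applies two
indicators the report describes - many files gaining a single unfamiliar
extension within a short window (Figure 1's "BKGHJ"), and a 'Read Me'
style note appearing - to a constructed list of file-change events.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed allow-list of extensions normally seen on the share (constructed).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "jpg", "png", "txt", "csv", "pptx"}
# Base names used by ransom notes, as reported ('Read Me' files).
NOTE_NAMES = {"read me", "readme", "read_me", "read-me"}


@dataclass(frozen=True)
class FileEvent:
    """One file create/rename event: when it happened and the resulting path."""
    when: datetime
    path: str


def extension(path: str) -> str:
    """Final extension, lower-cased ('invoice.xlsx.BKGHJ' -> 'bkghj')."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def base_name(path: str) -> str:
    """File name without its last extension ('READ ME.txt' -> 'READ ME')."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps falling inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(events, window=timedelta(minutes=10), burst_threshold=20):
    """Score events. Returns suspect extensions, note files and a severity.

    severity: 'high' if both a burst and a note are seen, 'medium' for one,
    'none' otherwise. Thresholds are assumptions to tune per environment.
    """
    times_by_ext = defaultdict(list)
    note_files = []
    for ev in events:
        ext = extension(ev.path)
        if ext and ext not in KNOWN_EXTENSIONS:
            times_by_ext[ext].append(ev.when)
        if base_name(ev.path).strip().lower() in NOTE_NAMES:
            note_files.append(ev.path)
    suspect = {
        ext: n
        for ext, n in ((e, max_in_window(ts, window)) for e, ts in times_by_ext.items())
        if n >= burst_threshold
    }
    signals = int(bool(suspect)) + int(bool(note_files))
    severity = {0: "none", 1: "medium", 2: "high"}[signals]
    return {"suspect_extensions": suspect, "note_files": note_files, "severity": severity}


# Constructed sample: a few normal saves during the day, then 30 files renamed
# to .BKGHJ within two minutes overnight, followed by a 'READ ME.txt' note.
T0 = datetime(2021, 8, 14, 2, 0)
SAMPLE_EVENTS = (
    [
        FileEvent(T0 - timedelta(hours=5), "/share/finance/q2-report.xlsx"),
        FileEvent(T0 - timedelta(hours=4), "/share/hr/handbook.pdf"),
        FileEvent(T0 - timedelta(hours=3), "/share/it/backup-log.bak"),  # lone odd ext
    ]
    + [
        FileEvent(T0 + timedelta(seconds=4 * i), f"/share/finance/invoice-{i:03d}.xlsx.BKGHJ")
        for i in range(30)
    ]
    + [FileEvent(T0 + timedelta(minutes=3), "/share/finance/READ ME.txt")]
)

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

A single odd extension (the `.bak` file) stays below the burst threshold, so only the mass rename and the note raise the severity.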
3.2 Scale of ransomware attacks
The scale of the ransomware attacks experienced by victims varied by the extent of encryption and exfiltration, the extent of action needed to manage the incident, and what or how many external parties needed to be involved. These factors influenced the timescales of the incident from the point of attack to recovery from the incident.
Factors impacting the extent of data encryption
Ransomware attacks experienced by individuals generally led to universal encryption of files. However, some organisations only faced limited file encryption - the cyber security apparatus, set-up of networks and backups, the timing of the attack and speed of identification could all influence the scale of the damage.
The timing of the attack could be crucial. If organisations had IT professionals monitoring the system, suspicious activity was more likely to be identified early, enabling IT teams to contain the virus before significant damage occurred. However, some participants found attackers had activated the encryption process overnight or at the weekend, when IT staff were less likely to spot additional server activity. Schools described attacks starting during school holidays or just prior to the start of term, which had enabled the malware to reach as many files as possible.
Organisational information management and storage could also limit or enable file encryption. Some organisations, particularly larger businesses or schools often held different sets of data and files on different systems. For example, one business held operational files on their server, contact information on email applications, and customer and commercial data on cloud-based application systems. This could limit the extent to which attackers could access all files or the wider impacts of the attack, particularly if operational systems or data crucial to the running of the organisation were located off-site.
For example, in 2 schools, the ransomware attacks had led to the encryption of most files on their system. However, safeguarding data was unaffected because the information management systems for this data sat separately in a cloud-based server.
In some cases, attackers gained entry to organisational servers and remained dormant for some time before activating the malware. In more sophisticated attacks, attackers gathered information about the organisation from the servers in order to maximise profit or damage. For example, victims said there was evidence the attackers had reviewed calendars for term dates to plan the date of the attack, or had accessed financial information to identify how much the organisation could afford to pay and pitch the ransom at the right amount.
“A piece of malware had, about a month before the attack, been installed because a pupil’s username and password had been compromised, probably through a phishing attack. I think it was something like a fake gaming website, and then they’ve gotten into the system through our staff and student login, and then they put the malware, which was Day Zero Malware. It was there and they scoped out the system for about a month and then they launched the attack.”
School
Retrievability of files
The retrievability of encrypted files could vary depending on how often victims backed up their data and the security of these backups. Interviews with individuals found few had sufficient backups to enable them to fully restore their data.
“I didn’t have any data backup. That[’s] the problem. If I would have done, then no problem, I would have uninstalled everything. [But] it was complete, all data, everything. All the files, pictures, photos, documents, you could see. Everything was encrypted.”
Individual
Organisations with regular, consistent and/or automatic backups, backups offline on separate services or cloud-based with restricted access, could experience minimal file losses. For example, one business lost only 2 hours’ worth of emails. In other instances, organisations could have extensive permanent file loss if their backups had also been encrypted or if their last backup was not recent. For example, one business had not renewed their subscription to the server that held their backup data. They therefore lost years of data which had not been backed up (see case study 3).
Immediate actions of individuals and organisations
The actions taken by individuals and organisations during and after the attack could also influence file encryption and the ongoing impacts of the ransomware attack. Not all organisations and individuals followed the same steps, as the scale and nature of the attack varied. However, there were some broad commonalities.
Individuals
Figure 2 shows the broad journey taken by individuals who experienced a ransomware attack. Individuals would first try to understand what was happening to their electronic devices. For most, this was their first interaction with ransomware or a cyber attack, so they searched for information on what ransomware was and what options were available to them. Individuals then described trying to resolve the issue. Those with limited IT knowledge and capability tried to turn their devices on and off and delete suspicious files. Individuals with IT backgrounds would take more sophisticated action, for example checking the backups of the encrypted files, restoring their computers to factory settings and then trying to reverse engineer the encryption. Figure 2 shows a simplified version of a victim journey; not all victims take every step, or take the steps in the same order.
Figure 2: Typical incident journey of individuals experiencing a ransomware attack
Some individuals sought the advice of professionals or third parties if they could not understand what was happening or resolve the issue. For example, individuals described taking their devices to IT repair shops or contacting application providers such as telecommunications companies. In a few instances, individuals would then report the incidents to law enforcement, often after searching online for where to report.
Organisations
Organisations took a broad range of immediate actions, as shown in the simplified victim journey in figure 3. If an issue had first been noticed by other staff, IT teams (either internal or external) would be informed as a first step. Again, not all victims take every step, or take the steps in the same order.
Figure 3: Typical incident journey of organisations experiencing a ransomware attack
IT teams or service providers would then typically shut down servers, networks and devices as soon as possible to limit the impact of the attack and provide the organisation time to fully analyse the impact and determine the next steps. In some instances, organisations could continue functioning offline or manually without access to servers and systems. In other instances, organisations were forced to shut down entirely until the issue was resolved. IT teams or service providers would also typically escalate the incident to senior management or leadership relatively quickly if they were not already actively involved.
Actions taken from this point could vary significantly, based on various factors including the scale of the attack, the resources and expertise available to manage the situation, and internal systems and processes. Some organisations contacted external expertise to help navigate the attack, including cyber security specialists, insurance providers, legal expertise and governing bodies such as DfE or local authorities. As part of their response, or on advice from other parties, some reported the incident to Action Fraud.
In the medium term, organisations needed to manage wider sensitivities, for example informing clients of a data breach, managing communication with the wider staff body, and informing individuals whose personal data was exfiltrated (see case studies 1 and 2).
3.3 Timescales of attack
The scale of the attack, ease of accessing backups and range of steps needed to address the situation could determine the overall timescales of a ransomware attack.
The shortest experiences lasted between 2 and 5 days. One business was able to delete the virus, process the backup data and rebuild the server within 2 days. Shorter experiences were more common for smaller organisations or individuals, who had fewer files to recover and electronic devices to clear and update.
“I did have a backup of pretty much everything from about 2 to 3 hours before that. So, within 2 or 3 days I was able to rebuild quite close to just before the attack took place.”
Small-sized business
In other instances, responding to the attack and recovering lasted for an extended period, sometimes several weeks or even months. If the scale of attack was significant, organisations described needing to take multiple and lengthy actions, including recommended cyber security assessments, investigating what data had been taken and exfiltrated, clearing existing servers and devices of the virus, managing legalities of data breaches and updating the cyber security infrastructure to ensure such instances do not happen again. Data restoration could take significant periods of time, particularly if organisations had to reinstate data manually.
“I guess the server was up and running within a couple of days, but obviously to get the data back took a lot longer because we had to get people to go through what we’d reinstated and try and find out what was missing.”
Medium-sized business
Reputational impact was rare amongst the victims spoken to, but 2 organisations were still struggling with the damage caused at the time of interview, with the impact lasting from several months to years.
3.4 Ransom demands
The format, content and amount demanded in ransom notes varied for victims. Ransom demands were sent to victims via emails, text files on desktops (commonly labelled ‘Read Me’), flashing messages across devices, messages embedded in files, or messages that appeared when trying to open encrypted files. For organisations, the mode of delivery had an impact on how many staff members became aware of the attack. Some organisations found the demand on an administration account desktop, which limited IT staff’s initial awareness of the attack. However, in others, a ransom note appeared in every folder, which meant wider staff also knew of the attack.
The content of the ransom demand could also look very different. Some victims described professional-looking ransom notes with ID numbers and links to portals for payment, as seen in figure 4, whereas others described notes with grammatical errors and limited information, as seen in figure 1. However, all ransom notes demanded a payment, usually a specific amount and usually in cryptocurrency, although there were also examples of ransoms demanded in US dollars or Euros. The ransom amount ranged widely (£85 to £250,000). Larger organisations and/or those experiencing a greater extent of file encryption sometimes faced higher ransom demands. Some ransom notes did not initially set out a specific amount but included a link or email addresses to contact for further information.
Figure 4: Example of ransom note provided to a business
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the email [email redacted]
Write this ID in the title of your message [ID redacted]
In case of no answer in 24 hours write us to this e mail: [email redacted]
You have to pay for the decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information (Databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy Bitcoins’, and select the seller by payment method and price.
[https://localbitcoins.com/buy_bitcoins]
Also you can find other places to buy Bitcoins and beginners guide here:
[http://www.coindesk.com/information/how-can+buy-bitcoins/]
Attention!
- Do not rename encrypted files.
- Do not try to decrypt your data using third party software, it may cause permanent data loss.
- Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
All ransom notes included contact details and email addresses for victims to contact, either for support or to access instructions on how to make the payment. Email addresses were often registered with uncommon or non-commercial domains, but there were examples of email addresses from commercial providers such as Yahoo and Outlook.
It was also common for ransom notes to contain a warning to victims not to try to decrypt the files using other means such as decryption services or to rename files[footnote 7].
“[The note also] said ‘Most important.’ This is in red. All of that was in white on a black background then in red it says, ‘MOST IMPORTANT! Do not contact other services that promise to decrypt your files. This is fraud on their part.’ The audacity.”
Medium-sized business
In a few cases, the attackers identified themselves. Some ransom notes also included the option for victims to send files to the attackers to prove they had the decryption key.
A small proportion of victims said the note included threats of what would happen if the ransom did not get paid (for example, to exfiltrate or publish the data). Some threats included a timeframe for paying the ransom. The timeframes ranged between 24 hours to 7 days.
3.5 Responses to ransom demand
No engagement with attackers
Most victims did not contact or engage with the attackers. These victims often described this as a point of principle, describing themselves as “not that kind of person”. This emerged particularly strongly amongst individuals and small- and micro-sized businesses where the decision-makers were also the founders. Participants said they did not want to reward criminals and preferred to navigate the recovery process within legitimate bounds, even if it cost them more.
“I’d never allow somebody to do that to me. I’d rather sit here and employ somebody to do 8 hours work a day, going through everybody’s email and downloading everything again from everybody’s email than actually pay those ******* because I wouldn’t do it.”
Micro-sized business
There was also a strong sense of distrust, with many victims saying they doubted paying the ransom or engaging with the attackers would lead to their files being decrypted. Some IT professionals said they had avoided acknowledging the attack to avoid alerting the attackers that the ransomware had successfully infiltrated. There was also a fear that engaging with the attackers would lead to repeated attacks. This was also the advice given to victims by third parties (for example, Action Fraud, insurers, lawyers). This persuaded some victims to not engage with the attackers.
“After having the discussions with both the police and the insurance company, I’m not sure we would’ve paid it even if it had only been 2,000 once they advised us as to what they thought the consequences were.”
Medium-sized business
Engaging with attackers
Some organisations engaged in dialogue with the attackers over email. This was sometimes to gain further details of the demand, particularly if the ransom amount was not included in the note. Others communicated with the attackers, or even negotiated the price of the ransom, generally without any intention of paying. Reasons for doing so included buying time while they tried to recover their files from backups, obtaining further information about the attackers (including to pass to law enforcement), and trying to appeal to the attackers to return their files.
Paying ransom
Of those who took part in the research, only 3 organisations paid the ransom, and no individuals paid. Each organisation who paid the ransom took part in a negotiation process with the attackers and was able to bring down the final ransom amount significantly. One organisation paid around £1,000, another paid around £8,000, and another paid an unknown amount - all in Bitcoin.
For each of these 3 organisations, crucial files and data had been encrypted and no unencrypted backups existed. The decision to pay the ransom was primarily a financial decision and involved weighing up the likelihood of the business or charity surviving without the encrypted data. For example, one of the businesses had no unencrypted backups and had lost over 15 years’ worth of data. Without access to the files, it was likely the business would fold. They therefore felt they had no choice but to pay the ransom. They engaged with the attackers and negotiated the price from 2 to 3 Bitcoins (priced at £6,000 to £8,000 at the time) down to one Bitcoin.
“I went to my director, who was the owner of the business, and I said ‘We’ll have to pay, because we’ve got no backup files, we’ve got nothing, we’ve got a business to run, we’re busy with jobs. We have to do it.’ … I think it was £8,000 in the end. They actually sent us a list of banks near to our office who deal in Bitcoin.”
Small-sized business
One business said a key driving force for paying the ransom was to protect customer data and prevent it being leaked onto the dark web. The business held sensitive personal data on their clients. After engaging in a negotiation process that lasted a month, the business decided to take all steps needed to protect their customers’ data. The business implied they had paid the ransom, but this was not explicitly confirmed.
“It was actually a very professional negotiation process. They provided proof that they had our data, they provided a sample of that data and they said that they would delete the data and give us an encryption key should we pay a ransom. That negotiation went on for probably about a month and we were advised how to draw it out and things like that, so we could manage any messaging with our customers. In terms of did we pay a ransom, we took all steps necessary to protect our customers’ data.”
Medium-sized business
Those who decided not to pay the ransom cited various decision-making factors, including ability to access backups, the kind of data at risk and affordability of the ransom demand. Some organisations said if they could not operate for long periods of time or particularly sensitive data had been encrypted, they would have considered paying the ransom. Some individuals said they would have considered paying the ransom if the amount had been affordable.
4. Impact of ransomware attack
Key findings:
Financial costs (both direct and indirect) could be significant – particularly for organisations. Many businesses and public sector organisations commissioned additional technical expertise, legal and PR advice. Costs of replacing or updating IT hardware and software could be extensive depending on the size of the organisation and extent of the attack. Multiple organisations were forced to close their operations or services for some period of time, from a few hours to several weeks. Advice and guidance on the value of ransomware insurance could help mitigate damaging costs.
Many psychological impacts were felt by staff and students within organisations and by individuals directly affected by the ransomware attack. People were most commonly impacted by stress and guilt. In a few cases, this could be debilitating to everyday life and had led to individuals engaging in avoidant behaviour, for example, not using online banking. Loss of personal files could be devastating and deeply personal to those who were unable to decrypt their files. Consideration could be given to the kind of emotional and wellbeing support made available to victims - including staff and students within organisations and schools.
Both individuals and businesses commonly reported behaviour change following the ransomware attack. Some businesses improved their IT infrastructure, which included moving to more cloud-based operating systems and implementing 2-factor authentication. Individuals reported being more cautious online, including becoming more aware of spam and phishing emails, and of giving away personal information online.
4.1 Direct financial costs
Other than the direct cost of paying the ransom (see previous section), victims also incurred direct costs if they needed to commission additional technical expertise. Direct costs incurred by individuals tended to be limited and involved paying repair shops to check electronic devices. However, organisations commissioned a range of technical services to carry out analyses of the attack, restore backups and systems, and try to decrypt data.
The costs incurred by victims varied significantly depending on the type and number of services brought in. Costs were generally lower if the ransomware attack was of a smaller scale. One business paid £60 to £80 for their external IT supplier to work additional hours. Another small business paid £1,500 for their third-party IT service provider to work beyond their service agreement scope to support with cleaning devices and rebuilding the servers and systems.
“We were just so outraged that we just wanted to get it sorted straightaway, if that makes sense. And everybody just jumped in, and it was so lovely, you know, just the way everybody was. I think [the IT specialist] was my biggest expense, just for his time more than anything else. I think it probably cost us about £1,500.”
Micro-sized business
On the other end of the scale, one business reported financial costs of external expertise as approximately £60,000. This included the cost of a cyber security forensic company to determine what had happened, as well as external support to recover and rebuild their systems.
“[Cyber security expertise] costs were quite significant as well but we’re probably talking about £40,000 for one and then it was probably about £20,000 in total for the other. So that’s another 60 grand in total, on top of 60 grand a day salary cost. Because obviously, 200 staff, we’ve still got to pay them.”
Medium-sized business
Some organisations also referenced costs of bringing in additional legal advice or communications and public relations support. In some cases, organisations could recover some or all of these costs through insurance or through schemes such as the Risk Protection Arrangement [footnote 8].
“In terms of finances… we don’t have the final bill really for it all. But I think our gut feeling is that probably we’re looking at £500,000 or £600,000. In terms of remediation costs… [cyber security experts], they don’t come cheap… some of it, probably about half of it is going to be covered by the Risk Protection Arrangement, we’re going to have £250,000 [covered] by our insurance. But the rest of it, frankly, we’ll just be out of pocket.”
School
4.2 Indirect financial costs
Closure or reduction in operation
Multiple organisations described having to close their operations or services for a period of time. This could sometimes be a matter of hours, but in some cases, organisations were forced to halt day-to-day running or services to customers for several months. Businesses also referenced losing out on business opportunities as an indirect cost.
“It impeded us in the sense that for approximately 3 to 4 days, the time taken to investigate the attack, shut down the servers and then recover the servers, it was yes, that meant that obviously the large amount of time where we would have been working was impeded.”
Charity
Some businesses could operate, but at a slower pace or at reduced capacity, which led to reduced profit margins. For example, some businesses could not access financial systems or information management systems but still had access to emails to operate at some level.
The closure of some organisations resulted in other unexpected financial costs. For example, one school shared how the attack stopped their IT systems for several days. This incurred a large financial loss as their canteen systems were cashless. This meant they did not have access to children’s balances and had to pay for all children’s lunches over that time.
In rare cases, businesses described losing new or existing clients while unable to operate due to the attack. One business interviewed spoke about the difficulties with losing their key client and how this dramatically impacted the finances of their business.
“I’ve started to rebuild, using personal funds and living off personal funds for the last 2 or 3 years… I’ve got 0 savings left… It’s had a total impact on me… I’ve gone from probably nearly a £250,000 business down to about a £20,000 business.”
Small-sized business
Rebuilding businesses after the attack
Many victims described incurring costs to replace or update their IT hardware and software following the attack. Both individuals and organisations reported buying new IT equipment or software, ranging from components such as disks to entire devices. Larger organisations sometimes needed to replace hardware for multiple members of staff.
“Had to buy new disks for all the new PCs and new software licences for upgrading. The estimate is about £3,500 in total.”
Small-sized business
For organisations, additional staff time was required to restore data backups or rebuild databases and systems, and to help restore client relations. Victims found it difficult to place a monetary value on these impacts as they were so wide-ranging.
“I wouldn’t even know where to begin if we’re going to talk about monetary… I’d probably say a couple of grand worth. I’d say between maybe 5 and 10 grand just purely rebuilding the database, I can’t answer the phones, I can’t take any customers calls, I can’t book any taxis. Therefore, my drivers were losing out on money.”
Small-sized business
The extent of these costs was often determined by whether businesses, charities and schools had recent, accessible data backups unaffected by the ransomware attack. If organisations had such backups, the restoration process was often easier and needed fewer staff hours, resulting in lower financial costs.
“The actual impact of the incident itself was probably quite small relatively. Because at the end of the day, we didn’t lose any work. We had probably a week of inconvenience while we didn’t have a server at all, but it didn’t actually stop anybody doing their job because they can all get into things like email and such by going through our Lowton server rather than the local server that they use.”
Medium-sized business
Reputational impact
Senior management in organisations described being concerned about reputational impact due to the attack. However, although 2 organisations described experiencing ongoing reputational impacts, most organisations had no or very limited reputational damage resulting from the attack. Often businesses could operate in some form or in a way that limited client exposure to the attack. Businesses were often reluctant to tell clients and stakeholders they were a victim of a ransomware attack, instead saying they were having “tech issues”. Similarly, in some schools, communication with parents and students was managed carefully, using terms such as “computer-based problems” to avoid panic and to keep the incident away from the national press. Only one school reported having to make the ransomware attack public due to customer data being exfiltrated.
“Luckily, because it wasn’t made public, there was no need to make it public in my view. So, I think reputational damage was minimal. I think the fact that our breaking company could still service our customers, so to speak, albeit a bit more slowly than they would’ve done normally, was a little bit annoying for most of the customer base, but they struggled through.”
Large-sized business
Some businesses had to report the attack to the Information Commissioner’s Office (ICO) if they experienced a personal data breach (see ‘Personal data breaches: a guide’). For example, one business had data leaked onto the dark web. The data exposed included passports and police records. The business contacted the affected clients but did not make the ransomware attack public to wider contacts. The business reported that this did not affect their ability to win new business.
Internal organisational impacts
The attack could lead to internal cultural damage. For example, one school that experienced an extensive and sophisticated attack said the attack had significantly impacted staff confidence in senior management.
“There’s certainly been damage to the culture of the school. It kind of has eroded quite a lot of the trust. As I said earlier, the legal team were largely saying to us, ‘The best thing you can do is say nothing.’ Staff became acutely aware [that there was an issue] and then started to feel like we were hiding things from them. Their stress levels were increasing.”
School
4.3 Psychological impacts
Stress (during and after attack)
Stress was the most common psychological impact felt by staff within organisations and individuals directly affected by a ransomware attack. This could peak during the attack but remain for long periods afterwards. IT teams and members of senior management within organisations described feeling intense pressure during ransomware attacks and it was common for staff to feel personally responsible. IT teams expressed feelings of guilt and/or embarrassment that the attack happened or that they could not regain access to files. There were instances where stress levels took a physical toll on IT staff and senior management, with victims referencing significant loss of sleep, loss of appetite and, in one case, weight loss.
“You’re, like, fighting something, it’s a very big fight, and it’s not easy to just have your world fall apart in front of you, or you can fight it off, it’s emotional.”
Small-sized business
Some schools also reported emotional impacts on students - particularly if the ransomware attack led to a loss of student work or disrupted learning.
“So, we had girls coming up to the office saying that they couldn’t access the coursework, and basically saying, ‘It’s lost’. So, there were a lot of tears at the office when we were having to explain this to the girls that we had lost their work. So yes, it was quite emotional for quite a lot of people… It had a devastating impact on the students that it affected, and we’re talking around [over 200] students here, it wasn’t just 1 or 2.”
School
Individual victims could also feel immediate and ongoing stress resulting from the attack. This was often linked to fear of the unknown – a lack of awareness of what was happening and what the potential outcome might be. Victims described feeling continuously anxious about the possibility of personal data being shared or exfiltrated. For one victim we spoke to, the continued anxiety following the ransomware attack had impacted their sleep.
Stress and anxiety could be long term and usually centred on the use of the internet or technology in general. For some individuals, this anxiety could result in avoidant behaviour. For example, one individual shared how they no longer used online banking and had become fearful of online media. This reflects findings from previous research which showed that cyber crime victims were more likely to experience stress, anxiety and a reduced sense of safety online (Experiences of victims of fraud and cyber crime, Home Office (2025)).
“When it first happened, I felt kind of scared to be on the computer. I can only say that it makes me more suspicious, not only about online stuff but I’m suspicious about things I get in the post.”
Individual
Loss of personal photos and videos
Individuals who had permanently lost personal files, particularly photos and videos, could experience significant distress. For example, one individual noted the impact on their mental health after losing all their personal photos, which included photos of their wedding and their daughter as a child.
“There’s no real evidence of [victim’s daughter’s] childhood. So, yes, I mean, definitely impacted my mental health. I remember for a good couple of weeks I was very tearful a lot about it, you know, I didn’t even have the pictures of the moments after they were born.”
Individual
Not all individuals described feeling recovered from the emotional impact of their experience. Some individuals still held onto the encrypted files in the hopes of being able to access the files in the future. For example, one individual who had an IT background regularly checked websites to try to find the decryption code even 3 years after the attack.
“I check [online] now every month. I go [to a website where people post decryption codes they know of] and spend my time, I try my luck. We still don’t have anything, but maybe in the future… We cannot put a price on [what we lost] because as I told you, there are 10 to 15 years’ of pictures, photos, emails… if I can recover the data, then I think everything will be okay then.”
Individual
4.4 Behaviour changes after the attack
All organisations interviewed described improving their cyber security systems and infrastructure in some way after the ransomware attack. Improvements to IT infrastructure included: moving to more cloud-based operating systems; implementing 2-factor authentication; increasing the security of remote desktops; changing how backups were stored; and changing how administration accounts were held. Some organisations had already planned these changes, but the ransomware attack brought forward the timings.
“Well, after that cyber attack, we enforced multi-factor authentication of which senior leadership wasn’t keen on doing because it involved people getting their own personal phones out and everything and I’d just basically forced them to do it and wouldn’t take no for an answer.”
School
Some organisations put in place broader cyber security policies or improved the monitoring processes. For example, one business highlighted that although their policy was for backups to run regularly and consistently, this had not happened. After the attack, they had set up automatic backups.
Some organisations rolled out training for staff, including NCSC training. This was particularly the case when the vector of the attack involved human error, for example, when login details were compromised, or phishing methods were used.
“There is an NCSC training, I think it’s a 45-minute training online that all staff have had to undergo, just to be, you know, partly cyber aware. So, we’ve done that now. We [also] send out [emails] just to remind people how to behave online.”
Medium-sized business
In other cases, businesses implemented more extensive training, including simulation training, to test staff responses to phishing emails.
“We run simulation training now. We didn’t use to do that before. And when I run that, I don’t even tell my team about it, so I just do it once a year, and that helps us to identify [weaknesses and] people that’d fall susceptible to such a spear-phishing email.”
Large-sized business
Similarly, individuals commonly reported changes to their online behaviour following the ransomware attack. Mostly, this involved being more cautious when going online or using technology. Some reported being more aware of potential spam and phishing emails and being wary of giving out personal information online. One individual reported avoidant behaviour following the attack (see case study 4).
“It’s opened my eyes to what is out there. It’s stopped me letting anyone else into my computer unless I know who they are.”
Individual
5. Experiences and perceptions of law enforcement
Key findings:
Lack of awareness of Action Fraud could be a barrier to reporting. Individual victims and sole traders mentioned they were unaware that reporting ransomware attacks was an option. There was also evidence that victims did not understand the severity of the attack or the importance of reporting ransomware, even if they had successfully retrieved their files. Messaging on how to report ransomware attacks and the importance of doing so could be considered. Messaging could include how reporting data can enable improved law enforcement and government responses, policies and measures.
Mirroring previous research with victims, negative experiences of Action Fraud could be fuelled by a gap between victim expectations and reality (Experiences of victims of fraud and cyber crime, Home Office (2025)). Those who had positive or neutral experiences of Action Fraud often had lower expectations of what their report to Action Fraud may involve. Those who reported the attack out of a moral imperative or for insurance or legal reasons were more likely to receive the response they expected. Some victims hoped to receive live technical expertise, support retrieving their data and/or a criminal investigation into their case. When this was not delivered, they experienced disappointment. Further exploration of how messaging could be used to decrease the victim-expectation gap could be considered. Increasing awareness and uptake of insurance and/or awareness of other support options available could help victims find alternative means of support.
Organisations and individuals mentioned different types of guidance they would have found helpful from Action Fraud, acknowledging the limited resources or capacity among law enforcement agencies. This included: advice on how long it would take to retrieve their data; advice on trusted external suppliers to instruct; and signposting to wider help and support.
5.1 Factors influencing reporting to Action Fraud
Awareness of Action Fraud prior to the ransomware attack varied. Individual victims, sole traders and micro-sized businesses rarely described knowing of Action Fraud. Those who reported to Action Fraud said they had found the online reporting option after Googling or searching for what to do, or who to contact, once they realised they were experiencing a cyber attack. Larger businesses or public sector organisations were more likely to be aware of Action Fraud prior to the attack, or were advised about Action Fraud by external hired support, for example, insurers, legal support or PR companies.
Reasons for reporting to Action Fraud
Reporting to Action Fraud was often linked to higher victim expectations about the capabilities of law enforcement and the potential outcomes of reporting the attack. Often, victims expected law enforcement to do more to help them following the attack. Some victims reported the attack to Action Fraud hoping for support and guidance on what steps they should take to limit the impact of the attack, or technical expertise to support them with the recovery of their data. There were also those who had hoped reporting to law enforcement would lead to a police investigation of the ransomware attack. For micro-sized businesses or individuals with limited technical expertise, reporting to Action Fraud was sometimes done out of desperation, as there could be limited options for support from elsewhere.
“Just desperate. It’s just, like, just explore every avenue, you know. Explore every avenue… Just panic, right? You know, again, what else can I do? I can report it. Fully in the knowledge, dare I say, that nothing was going to be of any use, right? That’s just like reporting your bicycle’s been stolen to the police, you know, it’s one of those useless things, but you do everything you can just in case it’s of use.”
Micro-sized business
Reporting to law enforcement could also be a requirement of their organisational protocol. Some organisations reported the attack to obtain a crime number for insurance or auditing purposes. External support agencies often advised organisations to report the attack to Action Fraud. Some schools also had a response protocol involving reporting or were told by DfE to report the attack to law enforcement and/or the ICO.
“We, kind of, immediately looked at our obligations. We could see that reporting to Action Fraud and to the ICO was something that we needed to do.”
School
Some victims also cited feeling a sense of “duty” to report the ransomware attack. They saw reporting as a way of providing law enforcement with intelligence, or to improve an awareness of the scale of the issue. These victims saw a link between reporting their attack and helping to prevent future ransomware attacks, even if it would not lead to support or action for their specific case.
“At that stage I wasn’t doing it in terms of expecting support or anything of that nature. I just simply wanted to make sure that it was logged so that people were aware of it… If nobody ever says anything, then nobody in any form of authority is in any position to do anything about it.”
Micro-sized business
Reasons for not reporting to Action Fraud
Among those who did not report the attack to Action Fraud, a lack of awareness of how or where to report acted as a barrier. This was the case particularly among those who had experienced the attack individually. These participants mentioned they had found it difficult to find information on who to contact.
“I wish I knew; I would have done it. I’m the kind of person, I’m proactive, I do it, you know, and not reporting it did not help anyone, and, obviously, did not help me in any way.”
Individual
Some victims had a perception that reporting the ransomware attack was not necessary or appropriate. If the attackers were identified as being outside the UK, they perceived reporting would not be helpful or the right thing to do. In addition, there were concerns that reporting the attack would “bother” or waste the time of law enforcement, particularly if their files had been recovered. Similarly, some individuals or micro-sized businesses thought their ransomware attack was too small for law enforcement to prioritise or respond to. This could be the case even if files or hardware were permanently lost. For example, one individual lost all the data on their phone following a ransomware attack but did not report the incident to law enforcement as they did not see it as a police priority.
“I just felt that, you know, there [are] more important things that they should be looking at, and, you know, I don’t want to be wasting their time if that makes sense.”
Individual
One individual said they had not reported out of a sense of shame. The feeling of embarrassment was more acute as they worked in IT.
“Partially, to be brutally honest, it was a little bit of embarrassment. That, you know, someone who had spent years in IT had been themselves a victim to a ransomware attack.”
Individual
5.2 Perceptions of Action Fraud and law enforcement
Generally, participant experiences of Action Fraud were split between those who felt neutral about their experience and those who reflected negatively on Action Fraud. However, some positive aspects of victim interactions with Action Fraud were identified [footnote 9]. This is similar to findings from previous research (Experiences of victims of fraud and cyber crime, Home Office (2025)).
At time of writing, Action Fraud is being replaced with an improved national reporting service and work is underway with the City of London Police (CoLP) to carry out this transformation. The new service will use the latest technology to improve reporting tools and support services for victims, providing far greater intelligence to policing for investigations, and allowing for greater prevention and disruption at scale. A number of improvements to the existing system have already been put in place to improve the victim reporting experience and the quality and timeliness with which cases are sent to police forces for action. The new service will have a phased launch into 2025.
Factors influencing negative experiences
Many victims spoken to felt they did not receive sufficient information, guidance or support from Action Fraud. Some said they had experienced long delays before receiving any email or telephone follow-up from law enforcement, with some victims citing days or even weeks. Some did not remember receiving any response from Action Fraud after the automatic log of the report. If victims had expected ‘live’ technical support from Action Fraud, the longer response times could feel very disappointing. Often victims received responses from Action Fraud after the situation had moved on significantly, they had found other support, or their files had been recovered. This reflects findings from previous research with victims of fraud and cyber crime, which found that opinions of Action Fraud could be impacted negatively if victims expected cases to be investigated or to reach a judicial outcome (Experiences of victims of fraud and cyber crime, Home Office (2025)).
“To be honest, their response times, when this is a real live time problem for us, their response times were, ‘Oh well, it’s in the queue’… We realised that nothing was going to happen, so what’s the point of dealing with them any longer, to be honest?”
Small-sized business
Victims who felt ill-equipped to respond or re-build software or hardware after a ransomware attack felt particularly let down by the reporting process. Some had relied on Action Fraud to provide technical skills to limit the impact of the attack and felt abandoned when they did not receive this. If victims had hoped law enforcement could help retrieve their data, they could be left feeling significantly disillusioned.
Where victims did receive advice and support from Action Fraud, it could feel hollow or unhelpful. Victims reported that Action Fraud advice had felt limited to advising them not to engage with the attackers and informing them there was nothing further that could be done.
“It felt like, in reality, there was no help from either the police or the National Cyber Centre… if anything, and the reporting was a distraction from dealing with the issue… The advice and support was negligible. It was, ‘We advise you don’t engage with them, but we understand you might want to’ and it was literally like that.”
Medium-sized business
Organisations and individuals mentioned different types of guidance they would have found helpful, including advice on how long it would take to retrieve their data; advice on trusted external suppliers to instruct; and signposting to wider help and support.
“I did expect more actually. I expected some support, and there was nothing, and the fact that it was a global attack as well, I expected them to be aware of that and at least be able to offer some guidance. You know, I do understand that they might not be able to give you the answers you want but they could at least provide some guidance, to confirm that they were aware, that this is what was happening and, ‘This is what you need to do.’”
Individual
Victims also said they did not feel they had been kept informed about law enforcement decisions around investigations or progress on the case. Victims were not always clear whether their report had led to further action by the police, or why their report had not led to an investigation. In cases where law enforcement had opened a case, victims could report a lack of regular updates. This could lead to victims feeling forgotten, or that the police had not taken their attack seriously.
“I expected them to investigate and do what I would envisage a police force to do. Because the police are only there to gather evidence and it looks like they didn’t even gather evidence, you know? So, the outcome was disappointing, but yes, I did trust them with the information. It’s just that they didn’t appear to do much with it. They may have done, but they’ve never told us.”
Large-sized business
Ultimately, the gap between expectations and reality of the reporting process could leave victims feeling demoralised and unheard. In some cases, this had led to a wider undermining of trust in law enforcement.
“Unhelpful, distraction, and pretty demoralising to think that it’s a massive crime, and actually, there was zero that they would do to either help or support.”
Medium-sized business
Factors influencing a positive experience
Those who had a positive or neutral experience often had lower expectations of what their report to Action Fraud may involve. Victims who reported to Action Fraud purely for insurance purposes or to provide intelligence to law enforcement were more likely to have more managed expectations. Even if victims did not have much or any contact from Action Fraud after reporting, they could still feel satisfied if this was as expected. This was sometimes linked to an awareness of limited resources or capacity among law enforcement agencies.
“They took their time a bit to come back, which I was, kind of, expecting, and eventually they did ring, and I had a conversation with them… I wasn’t really expecting Action Fraud to do anything other than just to note it… It’s like any police when you ring them about things, they’re under resourced and over worked and they probably get hundreds of these things every day.”
Charity
In some cases, victims mentioned that Action Fraud had tried to manage their expectations at the outset. They said Action Fraud responders had made clear the police were unlikely to investigate their case or prosecute the attackers.
“They were like, ‘They’re amazing at what they do’ you know? A direct quote, ‘We’re not going to catch them.’ That was it, it was a Russian hacking group, they said ‘They are brilliant at what they do and there is not a hope in hell of us actually catching these perpetrators.’ So, I was like, ‘Great, thanks.’”
School
Victims were also more likely to think positively if proactive support or advice from Action Fraud was less crucial to them. Victims who had managed to recover all or most of their data placed less weight on the process or outcome of reporting. Organisations who had access to external support (for example, via insurance, lawyers or technical expertise) could also feel less of a need for advice from law enforcement.
Some victims said information provided by Action Fraud had been helpful, such as information about the source of the attack and advice for future prevention. A few individuals and IT staff felt Action Fraud had provided helpful emotional support, even if they had received little practical advice. These victims said Action Fraud had been understanding, reassuring and sympathetic. For example, victims felt it was important when Action Fraud conveyed that ransomware attacks had happened to others, and it was not the fault of the victims.
“It was good, in a sense, to hear that this was going on all over the place, and you know, ‘Don’t blame yourself’ kind of thing. You know, that was helpful. In terms of practical advice of what to do, I didn’t feel that I got that help.”
Small business
One individual had received several follow-up phone calls from the National Economic Crime Victim Care Unit (NECVCU). They found this process helpful and felt they had been treated with respect. The focus of the calls had been on the victim’s emotional wellbeing, how they felt being unable to access their files, and working to increase their confidence with technology.
“They wanted to know about me I think, and then how it had affected my future use of, like, banking, emails, and it was the way they, I don’t know, treated me, the way they were speaking to me… they weren’t condescending in any way. It was a very similar conversation to what we’re having, they were more listening. They asked questions and then they would allow me to express myself, how I felt.”
Individual
5.3 Perceptions of other law enforcement and regulatory agencies
Some victims had engagement and interaction with other law enforcement and regulatory agencies. The main agencies mentioned were the ICO, NCSC and NCA. Sometimes victims could find it difficult to differentiate between agencies and were not always sure who had contacted them, or which agency had provided certain advice or support.
ICO
It was common for businesses and schools to report to the ICO after the ransomware attack. Organisations were often aware of the requirement to report the attack to the ICO if there were concerns that personal information had been compromised. For the most part, victims saw the reporting process as necessary and straightforward. Organisations generally expected the ICO to log the incident and were not anticipating further guidance or support. One micro-sized business mentioned the ICO had been very helpful; they had scanned the dark web for data breaches and could provide reassurances that no consumer data had been breached.
One business had found their interactions with the ICO difficult. They had not initially reported the incident to the ICO due to a lack of awareness. After personal data on the dark web was linked to the ransomware attack experienced by the business, the ICO took punitive action against the organisation (see case study 2). The business reflected they would have valued being told of the need to report the attack to ICO sooner.
NCSC and NCA
Very few victims had contact from NCSC and NCA, although generally their experiences had been positive. Those who had contact from NCSC and NCA usually had experienced more severe impacts from the ransomware attack or had data leaked on the dark web. Victims had found both organisations proactive, and able to offer more specific technical advice and guidance related to their attack. NCSC had signposted a few support organisations and provided individual contacts in Regional Organised Crime Units (ROCUs) or local police forces. One large business said NCSC had recommended trusted technical firms to carry out an analysis of their system.
6. Conclusion
The following sets out a summary of the key findings and the resultant considerations:
Awareness of cyber attacks and ransomware attacks varied widely across the sample. Smaller businesses and individuals commonly described feeling shocked that they had been a victim of ransomware - seeing themselves as “too small to be targeted”. Regardless of their prior awareness of ransomware attacks, most victims said they had been unprepared for the scale, level of sophistication and impact of the attack. Further work to increase awareness of ransomware amongst organisations and individuals could potentially help preparedness. Findings suggest that there are gaps in awareness that ransomware attacks can happen to anyone - including individuals or smaller organisations - as well as how complex and damaging ransomware attacks can be.
No clear patterns emerged from the data regarding whether certain cyber security protocols, attitudes or technologies could increase the likelihood of ransomware attacks for individuals or different organisations. In some organisations, attitudes to cyber security were described as “negligent” and there were self-identified weaknesses in the organisation’s cyber security apparatus, for example, old hardware, unpatched software and a lack of external backups. However, other organisations had senior-level buy-in to cyber security, had carried out training or raised awareness with their staff and/or had sophisticated cyber security apparatus including cloud-based backups, penetration testing and secure remote desktops. It was clear that cyber security robustness varied widely across organisations and individuals. Prior to the attack, victims were rarely clear on what the key steps would be to mitigate against ransomware attacks. The set-up, resource and technical expertise available could vary depending on the size and type (that is, public organisation, business, charity) of organisation, or whether they were individuals. Wider dissemination of the NCSC set of recommendations to help mitigate against malware and ransomware attacks could be considered (see ‘A guide to ransomware’). A tailored set of recommendations for different types of people and organisations at risk - for example, larger businesses, charities, schools, individuals - could help individuals and organisations digest information and implement key measures.
Organisations - regardless of sector or size - backed up data in a variety of ways. Organisations that had regular, consistent and/or automatic backups, or backups held offline on separate services or in cloud storage with restricted access, experienced minimal file losses. However, some individual victims or sole traders had difficulties in recovering important data because they relied on hardware-based backups or lacked automatic backups, and backups that remained reachable from the compromised systems could be encrypted alongside the live data (see case study 2). Further exploration of how to increase uptake of NCSC cyber-aware behaviours, especially those relating to backups, could be considered (that is, the importance of secure, automatic, cloud-based backups of data).
Very few organisations described having a business continuity plan which applied to cyber attacks or ransomware attacks. Although many reported taking immediate action to limit file encryption - for example, shutting hardware down, taking systems offline – staff and management could rarely point to organisational protocol to limit damage or respond if data had been lost or leaked. Further guidance or advice on ransomware appropriate business continuity plans for different sizes and types of businesses and public sector organisations could be considered.
The vast majority of victims in this research did not pay the ransom. Many of those who did not engage with the attackers described taking a principled stance against paying the ransom and said they did not want to reward criminals. This emerged particularly strongly amongst individuals and small- or micro-sized businesses, and even among those who had lost important or personal data. Other reasons to not engage were a lack of guarantee that attackers would decrypt data, and a concern that engaging with the attackers could open them up to further attacks. This was sometimes mentioned as advice given by law enforcement, which had factored into the decision-making process of victims. Although some victims communicated with attackers, mostly there was no serious intention to pay the ransom. Victims described doing so to try to understand more about the attacks, test whether attackers would be able to decrypt data, and gain information for law enforcement investigations. Any messaging to discourage victims from paying ransom could consider focusing on the moral dimension and potential implications of funding criminal enterprises. It could also consider underlining the risks involved regarding re-victimisation.
The extent of the file encryption and likelihood of recoverability was a crucial part of all organisational decision-making regarding the ransom. Most organisations spoken to had recovered most of their files. The extent of the damage compared with the cost and risks of paying the ransom became a business decision, with some public sector organisations restricted by school or DfE-led policy not to pay the ransom. All 3 organisations who paid the ransom had lost business critical data and said they could not function or may have needed to dissolve without re-accessing the encrypted data. These organisations described feeling like they had “no choice”. There may be little that could dissuade businesses or organisations from paying ransoms if business critical files have been lost and they do not feel there is another way to recover them.
Direct and indirect financial costs could be severe for victims of ransomware. Some organisations needed to pay significant sums of money to commission external technical, legal or PR support or advice. Depending on the number and type of files encrypted and recovery timescales, the indirect costs of closure or disruption of services, as well as rebuilding hardware and software, could also be high. No individuals and very few organisations had cyber security insurance in place to cover a ransomware attack. Organisations who did have relevant insurance often found the support and guidance of insurers valuable. Further advice and guidance on the potential value of ransomware insurance, and how to find the right insurance, could help organisations make informed choices about insurance options.
Few organisations spoken to felt they had significant reputational impacts, although it is important to note that this could be related to the nature of the attacks experienced within the sample. Often businesses and public sector organisations limited client and shareholder exposure, opting to keep communications on any disturbances light on detail. Internal cultural impacts could be severe, particularly in schools where the attack had led to children losing files. In these cases, the attack and management responses to the attack eroded staff confidence and impacted the culture of the organisation. Further development and dissemination of guidance could be considered on how to communicate key information to relevant parties during an attack.
Individual victims described immediate and ongoing stress and anxiety resulting from the attack. In a few cases, this could be debilitating to everyday life and led to individuals engaging in avoidant behaviour, for example, not using online banking. Loss of personal files could be devastating and deeply personal to those who were unable to decrypt files. For example, students in schools who had permanently lost schoolwork faced anxiety in the lead up to exams. The emotional toll on staff within organisations was also significant, particularly on IT professionals directly dealing with ransomware incidents. Participants described feeling shame, ongoing anxiety and even physical impacts up until the point of the research. Consideration could be given to the kind of support made available to victims (for example, individuals and staff or students within organisations), including the provision of emotional and wellbeing support.
Lack of awareness of Action Fraud is a barrier to reporting. Individual victims and sole traders mentioned they had not known reporting ransomware attacks was an option. There was also evidence that victims did not understand the severity of the incident. Some victims who had successfully retrieved the majority of their data described not thinking reporting the attack was needed or important. Messaging on how to report ransomware attacks could increase awareness of Action Fraud. Messaging could include the importance of reporting ransomware attacks and how this can enable improved law enforcement and government responses, policies and measures.
Negative experiences of Action Fraud could be fuelled by a gap between victim expectations and reality. Some victims hoped to receive live technical expertise, support retrieving their data and/or a criminal investigation into their case. When this was not delivered, their experience could feel very disappointing. Victims felt most vehemently if they had struggled to, or ultimately could not, retrieve their data. Alternatively, those who had a positive or neutral experience often had lower expectations of what their report to Action Fraud may involve. Victims who reported to Action Fraud purely for insurance purposes or to provide intelligence to law enforcement were more likely to have more managed expectations. Even if victims did not have much or any contact from Action Fraud after reporting, they could still feel satisfied if this was as expected. Further exploration into how messaging could be used to decrease the victim-expectation gap could be considered.
Annex 1: Case studies
Participant names and some details within the following case studies have been altered to ensure participant anonymity.
Case study 1: Medium-sized company
‘Matt’[footnote 10] worked for a medium-sized company. Several years prior to the ransomware attack, before Matt was in post, the company commissioned a review of the IT systems. A set of recommendations was put forward addressing security concerns within the company, including issues with patch levels of servers and a redundancy of data backups. The IT manager at the time did not act on any of the recommendations. The company did not have a ransomware policy, but their business insurance covered ransomware. A business continuity plan had been drafted, but none of the senior managers knew how to enact it.
The initial breach started sometime before the ransomware attack was discovered. The ransomware attackers moved laterally, reviewing files and documents on the server, while remaining dormant. When Matt started his role, he began arranging for an unpatched email server on the premises to be patched. Matt believes this triggered the attackers to initiate the ransomware virus as they realised their window of opportunity to attack was closing.
“That’s when they started encrypting files and leaving the messages on the machine sort of saying, ‘’Your files are encrypted, I’m afraid, send us some money to our Bitcoin.’’”
Matt
The ransomware began at night and Matt realised first thing in the morning when he found files were being encrypted and a ransom message had been left. The message did not include an exact ransom amount, but asked the business to contact the attackers to discuss.
Matt immediately shut down the firewalls to stop any further traffic. He escalated the attack to a senior member of the company and recommended that the company commission the services of an endpoint protection provider. Within an hour, the senior member had signed off on the contract for the provider and they started a thorough investigation of any malware which may be remaining on the system.
Within 48 hours, Matt reported the ransomware attack to the police, who forwarded the case onto Action Fraud. Matt kept Action Fraud updated with the information from the endpoint protection provider, while Action Fraud investigated the case. Overall, Matt found Action Fraud to be “kindly” but did not find the advice given helpful. Matt also contacted the ICO as there had been a potential breach of personal data.
“I expected [Action Fraud] to investigate and do what I would envisage a police force to do. Because the police are only there to gather evidence and it looks like they didn’t even gather evidence, you know? So, the outcome was disappointing, but yes, I did trust them with the information. It’s just that they didn’t appear to do much with it. They may have done, but they’ve never told us.”
Matt
Matt and senior management decided not to engage with the attackers as they did not want the group to realise that they had caused damage.
“But I took the decision not to engage with them at all, because that would indicate that we knew-, that would confirm to them that they’ve caused damage, which I didn’t want to do. So, we didn’t engage with them at all, to learn what they wanted.”
Matt
Over the course of a week, Matt and the external contractors carried out a review of the company’s IT systems and found out the extent of the damage. The critical database was found to be safe. However, backups, backup data, multiple servers and the email server were lost. The business commissioned an external IT company to rebuild the infrastructure and recover some of the SQL server data. They encountered problems recovering some programs because the operating systems were very outdated.
Once they had realised the full extent of the damage, the business considered paying the ransom. This was a group decision and involved lawyers and directors weighing up the risks and the likelihood that they could recover their data. They established they would probably be able to recover and rebuild in a month or so and decided not to engage with the attackers.
“And it was a case of, ‘Well, what’s the risk, if we don’t pay? What’s the risk if we do pay?’ That is, will they decrypt, you know, there’s a very low or a relatively low success rate even if you do pay. If we rebuild in time, do we need to pay, have we got what we need? And it turned out, we felt that we could rebuild within a relatively reasonable amount of time that would negate having to pay for any decryption services of them.”
Matt
The financial impact of the ransomware attack was significant. The company had to pay for cyber security services, IT support, replacing servers and PC hardware and staff salaries, and account for lost opportunities during the aftermath of the ransomware attack. It took the business several weeks before they could start running again.
Following the attack, the business has upgraded their security dramatically. Restrictions and configurations of software and systems are constantly being updated and tightened. The business has not implemented any new policies but has raised awareness among staff about email security. The IT team blocks access to, and downloads from, certain websites.
Case study 2: Medium-sized private organisation
‘Roger’ is the financial controller in a private organisation and has responsibilities relating to the software the organisation uses. The organisation had experienced ransomware before. A staff member had opened a phishing email that corrupted a few files. The organisation did not report the ransomware attack, as it was deemed small-scale. However, the attack did lead to the organisation investing in upgraded servers, operating systems, antivirus software and firewalls. As they were in the final stages of installing this hardware at the time of the attack, the organisation was not eligible for insurance that covered ransomware.
The latest ransomware incident occurred when a compromised machine enabled attackers to reach the organisation’s remote desktop server as the user logged in over remote desktop. Initially the attackers had only limited access to the organisation’s servers, because the user’s credentials were limited. They then used a brute force attack to guess the password of an admin account which had been set up many years earlier by a previous software company. Once the attackers had admin credentials, they disabled the company’s antivirus protection. This enabled them to run the ransomware, which encrypted all the data on the systems.
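The chain described in this case study (a burst of failed remote desktop logons against a forgotten admin account, one success, then the antivirus being switched off) leaves a recognisable trail in Windows event logs. The following Python script is an added example, not part of the original report and not code from the organisation described, that runs that detection logic over a constructed log sample. The pipe-delimited line format, the account name svc_legacy, the IP addresses and the timestamps are all made up, and the set of stale admin accounts is an assumption. The event IDs themselves are real: Security 4625 (an account failed to log on), Security 4624 (an account was successfully logged on) with logon type 10 (RemoteInteractive, that is, RDP), and Windows Defender operational event 5001 (real-time protection disabled).

```python
"""Detect an RDP brute force followed by a successful logon and AV being disabled.

Added example over a constructed log; it is not the organisation's own tooling.
Each line: timestamp | log | event id | account | logon type | source IP
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"  # RemoteInteractive logon, i.e. RDP

# Assumption: the dormant supplier-created account from the case study would be
# tracked by name; "svc_legacy" is a hypothetical name.
STALE_ADMIN_ACCOUNTS = {"svc_legacy"}

# Constructed sample log (not real data). Five failures against svc_legacy from
# one source, then a success, then Defender real-time protection turned off.
# rsmith mistypes once and then logs in; that must not be flagged.
SAMPLE_LOG = """\
2023-04-28T22:01:05|Security|4625|svc_legacy|10|203.0.113.10
2023-04-28T22:01:07|Security|4625|svc_legacy|10|203.0.113.10
2023-04-28T22:01:09|Security|4625|svc_legacy|10|203.0.113.10
2023-04-28T22:01:11|Security|4625|svc_legacy|10|203.0.113.10
2023-04-28T22:01:13|Security|4625|svc_legacy|10|203.0.113.10
2023-04-28T22:01:15|Security|4624|svc_legacy|10|203.0.113.10
2023-04-28T22:04:40|Defender|5001|-|-|-
2023-04-28T22:10:00|Security|4624|rsmith|10|198.51.100.7
2023-04-28T23:30:00|Security|4625|rsmith|10|198.51.100.7
2023-04-28T23:31:00|Security|4624|rsmith|10|198.51.100.7
"""


def parse_events(text):
    """Parse the constructed pipe-delimited format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, log, event_id, account, logon_type, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "log": log,
            "event_id": event_id,
            "account": account,
            "logon_type": logon_type,
            "src": src,
        })
    return events


def detect_bruteforce_logons(events, threshold=5, window=timedelta(minutes=10),
                             av_window=timedelta(hours=1)):
    """Flag an RDP success preceded by >= threshold failures within `window`
    for the same (account, source); note whether Defender real-time protection
    was disabled within `av_window` after the success."""
    failures = defaultdict(deque)  # (account, src) -> timestamps of 4625s
    av_disabled_at = [e["ts"] for e in events
                      if e["log"] == "Defender" and e["event_id"] == "5001"]
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["log"] != "Security" or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = failures[(e["account"], e["src"])]
        while q and e["ts"] - q[0] > window:  # expire old failures
            q.popleft()
        if e["event_id"] == "4625":
            q.append(e["ts"])
        elif e["event_id"] == "4624" and len(q) >= threshold:
            findings.append({
                "account": e["account"],
                "src": e["src"],
                "failed_attempts": len(q),
                "success_at": e["ts"],
                "stale_admin": e["account"] in STALE_ADMIN_ACCOUNTS,
                "av_disabled_after": any(
                    timedelta(0) <= t - e["ts"] <= av_window for t in av_disabled_at),
            })
            q.clear()
    return findings


def severity(finding):
    """Escalate when the pattern continues into the AV being switched off."""
    if finding["av_disabled_after"]:
        return "critical"
    if finding["stale_admin"]:
        return "high"
    return "medium"


if __name__ == "__main__":
    for f in detect_bruteforce_logons(parse_events(SAMPLE_LOG)):
        print(severity(f), f)
```

The check fires on the sequence (failures, then success, then protection disabled) rather than on failed logons alone, so the single mistyped password in the sample is not flagged. The preventive lesson from the case study sits outside any detection: the supplier-created admin account should not still have existed, and an account that can turn off antivirus should not be reachable over a password-only remote desktop logon.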
Roger was alerted to the attack when he noticed emails were not working over a bank holiday weekend. He immediately contacted IT to restart the servers. IT staff found that all servers had been corrupted, including the in-house backups. At the same time, a message had come up on the computer screens when logging in to the servers, with instructions to follow a link to get information on how to pay the ransom and unlock the data. No members of staff clicked this link.
On the same day, IT staff ran antivirus software on the machines, which detected the ransomware and the attacker’s messages and deleted them. They then started the process of rebuilding the servers and obtaining copies of their data from scratch. Emails were downloaded over the cloud from an unencrypted external backup. All emails were recovered after a few days, with new emails visible to employees. Necessary software was downloaded over the rest of the week.
Within a week of the attack, Roger commissioned an external IT company to identify the vector of the attack. The IT company estimated that the attacker got into the system before the attack but did not choose to attack until there was a bank holiday weekend.
The NCSC contacted the organisation a few weeks after the attack, as they had traced personal information on the dark web back to the ransomware attack on the organisation. As soon as Roger was aware personal data had been exfiltrated, he contacted the ICO to inform them of the ransomware attack.
The NCSC and the NCA supported the organisation to scope the extent of the exfiltration.
Following the attack, the organisation has moved their servers onto the cloud.
“We won’t have anything on our own servers, we’ll be using a third-party company, all because we can’t go through what happened once more. So, we’re paying extra to avoid the problems we’ve had and having to then maintain servers, upgrade software all the time, not worry about anti-virus.”
Roger
Case study 3: Small-sized company
‘Sam’ worked as a manager at a small company. The company outsourced their IT and cyber security to an external IT consultant. The company also had a subscription to a backup service to ensure files were backed up on a daily basis. Sam described the company’s online security as very poor. The company had recently moved offices where the wiring had been incorrectly installed, meaning they did not have an active firewall.
On the morning of the attack, a member of the operations team was unable to log on to the company system. The system ran via the internet, so a staff member checked the internet connection was working, but no issues were found. The company screens then changed to a picture and text flashed up saying their server had been encrypted and to wait for further instructions.
Sam immediately contacted the external IT consultant and informed the director of the company. The IT consultant checked the backups and discovered the company subscription to the backup had not been renewed. This meant that the company did not have any backups of company data over the last 2 years. The virus had encrypted all data on the server, which meant the company was unable to access any company data or any backups of company data.
The attackers sent the company their ransom demand in Bitcoin (valued at around several thousand pounds at the time) via email. The company decided they would have to pay the ransom because all their data had been lost in the attack and there were no backups.
Sam reported the attack to Action Fraud on the day of the attack to support any insurance claim. Sam spoke to Action Fraud several times over the next few days, but he found them unhelpful and uninterested. Sam thought Action Fraud struggled with capacity and did not have enough time or resources to investigate the case. Action Fraud advised the company not to pay the ransom. However, the company felt they needed to – even though they understood this was a risk, as they were unsure whether the attackers would send the decryption key.
“So, the police did say at that time, ‘Don’t pay them.’ I said, ‘’So are you going to do something about it?’ ‘No.’ So, we just ignored them and went for it.”
Sam
Sam negotiated with the attackers and agreed upon a smaller amount in Bitcoin. The company signed off paying the Bitcoin.
The company told the attackers over email that they had paid the ransom. After tracking the Bitcoin payment, the attackers sent the decryption key. The company was back online after a few days, with access to all their files. Action Fraud re-contacted the firm after the company had paid the ransom request, but the company found their response too delayed to be helpful.
“To be honest, their response times, when this is a real live time problem for us, their response times were, ‘Oh well, it’s in the queue.’ So, we just put them out of our minds. ‘Okay, we’ve reported it.’ But we realised that nothing was going to happen.”
Sam
During the few days of being offline, the company had no access to their systems or data. They could not raise invoices, so emailed clients with payment amounts. As the company did not want to tell clients they had been hacked, they instead emailed clients with payment amounts and said the system was down.
Following the attack, the company acts with caution around spam and phishing emails. Sam now believes that preventing a ransomware attack is better than recovering afterwards, so has moved to a new server which has firewalls and better security. Sam felt annoyed about their own lack of cyber security, and now stresses the importance of keeping anti-virus software and firewalls up to date and having a business contingency plan in place. The insurance company did not pay out because the company did not have an operating firewall at the time of the attack.
However, Sam feels lucky the costs were not higher, noting it could have been worse.
Case study 4: Individual
‘Lewis’ would not describe himself as tech-savvy but had started using technology more in the years prior to the attack, for example, online banking, shopping. Lewis summarised his attitudes towards cyber security before the attack as “naïve” and did not have much, or any, awareness of cyber attacks.
“I would open any email, I would forward money, I would do that when needed. I wouldn’t really protect myself from outside influences, especially spam and phishing emails, I wouldn’t have had a clue what they were.”
Lewis
The attack was Lewis’s first experience of ransomware, which occurred when he was at home checking his emails on his iPad. Lewis clicked on an email, which triggered his screen to turn red. A ransom message appeared asking for over £1000. The note claimed that if this was not paid before a set deadline, the money would be taken out of his account.
At first, Lewis thought that it was a joke and tried turning the device off and on again. However, the message remained on screen and Lewis could not access his device or any of his files. Lewis began to feel nervous and, after speaking to his wife, began to worry that the attackers had access to all the data on his iPad and that money would be taken out of his accounts.
“I was scared that someone was going to actually access my bank account and take money from my bank account however they wanted to. Whether they could or not, I don’t know.”
Lewis
On the day following the ransomware attack, Lewis contacted his banks, who shut down his accounts, reissuing his cards. They reassured him that the attackers would be unable to access his accounts. The bank reported his case to the local county’s fraud team.
The ransomware attack had a significant emotional impact on Lewis. He lost all photos on his device, including photos of family members and friends who had passed away. Lewis felt very upset and found this impacted on his sleep.
Weeks later, an officer from the fraud team contacted Lewis by phone to speak to him about the attack. The officer asked questions about how Lewis was feeling and his views on using technology after the attack. The officer put Lewis in contact with the National Economic Crime Victim Care Unit (NECVCU), who contacted Lewis several times. A representative from NECVCU spoke to him about embracing technology and how to stay protected online. The representative spoke to Lewis about the loss of the data (including photos of family members who had passed away) and how this made him feel. They reassured Lewis that it was okay to use technology if done safely and advised him about how to stay protected online. Lewis found this eased his feelings of sadness and anxiety a little.
Despite this support, the attack has had a significant impact on Lewis’s use of technology. He no longer uses social media or online banking. His wages are paid electronically, so Lewis has to go to ATMs to check his finances.
“It’s put me right off everything. I can’t do my banking online; it’s now gone back to the old-fashioned times when I’ve got to go down to the bank.”
Lewis
When he does go online, he is more aware of the risks. He does not use Wi-Fi hotspots or the internet abroad and conducts thorough checks of websites before purchasing anything online.
1. Three individual victims experienced the attack in 2018, one in 2017 and one in 2015.
2. Size of organisation or business was defined as: micro (sole traders); small (2 to 49 staff); medium (49 to 249 staff); large (more than 250 staff).
3. Recruitment was initially intended to be carried out by contacting ransomware victims identified in the NFIB dataset after reporting the incident to Action Fraud. Due to timings and data sharing agreement concerns, alternative recruitment routes were identified.
4. Network-attached storage is dedicated file storage that enables multiple users and different types of devices to retrieve data from a centralised disk capacity.
5. The National Cyber Security Centre (NCSC) identifies the first stage of a ransomware attack as attackers gaining access to the victim’s network, so that they can plant the malicious encryption software and carry out the attack. The attack vector, that is, the means by which the attacker gains unauthorised access to servers, can take different forms. https://www.ncsc.gov.uk/ransomware/home#section_2.
6. It was not disclosed during the interview how the account was compromised.
7. The validity of these warnings was difficult to determine and out of scope of this research.
8. The risk protection arrangement for schools: https://www.gov.uk/guidance/the-risk-protection-arrangement-rpa-for-schools.
9. It should be noted that some of these interviews relate to experiences occurring prior to changes implemented in Action Fraud. For example, the Enhanced Cyber Reporting Service (ECRS) was implemented in 2022.
10. All names in case studies have been anonymised.