Ransomware: Victim Insights on Harms to Individuals, Organisations and Society

Ransomware incidents remain a scourge on UK society. Based on interviews with victims and incident responders, this paper outlines the harm ransomware causes to organisations, individuals, the UK economy, national security and wider society. The research reveals a wide range of harms caused by ransomware, including physical, financial, reputational, psychological and social harms. We set out a framework of: First-order harms: Harms to any organisation and their staff directly targeted by a ransomware operation. Second-order harms: Harms to any organisation or individuals that are indirectly affected by a ransomware incident. Third-order harms: The cumulative effect of ransomware incidents on wider society, the economy and national security. Building on an existing taxonomy of cyber harms, 1. this framework will enable policymakers, practitioners and researchers to categorise more case studies on ransomware incidents and to better explain new and existing types of harm to the UK and other countries. Ransomware is a risk for organisations of all sizes. The findings from this paper highlight that ransomware can create significant financial costs and losses for organisations, which in some cases can threaten their very existence. Ransomware can also create reputational harm for businesses that rely on continuous operations or hold very sensitive data – although customers and the general public can be more forgiving than some victims believe. The harms from ransomware go beyond financial and reputational costs for organisations. Interviews with victims and incident responders revealed that ransomware creates physical and psychological harms for individuals and groups, including members of staff, healthcare patients and schoolchildren. Ransomware can ruin lives. Incidents highlighted in this paper have caused individuals to lose their jobs, evoked feelings of shame and self-blame, extended to private and family life, and contributed to serious health issues. The harm and cumulative effects caused by ransomware attacks have implications for wider society and national security, including supply chain disruption, a loss of trust in law enforcement, reduced faith in public services, and the normalisation of cybercrime. Ransomware also creates a strategic advantage for the hostile states harbouring the cyber-criminals who conduct such operations. Downstream harm to individuals from ransomware is more severe when attacks encrypt IT infrastructure, rather than steal and leak data. There is no evidence from this research that the ransomware ecosystem is exploiting stolen or leaked personal data in a systemic way for fraud or other financially motivated cybercrimes. At present, exploiting stolen data for other activities is less profitable than extortion-based crime that takes away victims’ access to their systems and data. This finding may inform victim decision-making on when they should and should not consider paying a ransom demand

Analysis and Design of Privacy-Enhancing Information Sharing Systems

Recent technological advancements have enabled the collection of large amounts of personal data of individuals at an ever-increasing rate. Service providers, organisations and governments can collect or otherwise acquire rich information about individuals’ everyday lives and habits from big data-silos, enabling profiling and micro-targeting such as in political elections. Therefore, it is important to analyse systems that allow the collection and information sharing between users and to design secure and privacy enhancing solutions. This thesis contains two parts. The aim of the first part is to investigate in detail the effects of the collateral information collection of third-party applications on Facebook. The aim of the second part is to analyse in detail the security and privacy issues of car sharing systems and to design a secure and privacy-preserving solution. In the first part, we present a detailed multi-faceted study on the collateral information collection privacy issues of Facebook applications; providers of third-party applications on Facebook exploit the interdependency between users and their friends. The goal is to (i) study the existence of the problem, (ii) investigate whether Facebook users are concerned about the issue, quantify its (iii) likelihood and (iv) impact of collateral information collection affecting users, (v) identify whether collateral information collection is an issue for the protection of the personal data of Facebook users under the legal framework, and (vi) we propose solutions that aim to solve the problem of collateral information collection. In order to investigate the views of the users, we designed a questionnaire and collected the responses of participants. Employing real data from the Facebook third-party applications ecosystem, we compute the likelihood of collateral information collection affecting users and quantify its significance evaluating the amount of attributes collected by such applications. To investigate whether collateral information collection is an issue in terms of users’ privacy we analysed the legal framework in light of the General Data Protection Regulation. To provide countermeasures, we propose a privacy dashboard extension that implements privacy scoring computations to enhance transparency towards collateral information collection