We’ve spent the last few weeks discussing ransomware's impacts on different subsets. First, we discussed how a ransomware attack impacts the customers of the infected business, and then we touched on the infected business itself. To end, we want to touch on ransomware's impacts on society, specifically regarding economic health and geopolitical security, known as third-order harms.

Make No Mistake, Ransomware Impacts Society as a Whole

Unfortunately, in addition to the businesses and their customers that ransomware can wreak havoc on, the impact of these cyberattacks can create some significant issues for civilization overall. As you might expect, the impacts of ransomware are severe enough and, unfortunately, common enough to have permeated upwards into the general public and government.

• A study by Sophos showed that ransomware attacks against state and local governments not only saw high levels of successful data encryption (76% of attacks) but also low rates of successful encryption avoidance (19%).
• In 2023, 28% of businesses paid over $1 million to ransomware, while only 5% did so the year prior.
• The Federal Bureau of Investigation reported that government facilities were the third largest target for ransomware attacks in 2023.
• Ransomware incidents against government organizations were also 51% more prominent in January through August of 2023 than they were in the same span of 2022.

Ransomware’s Effects on the State are Referred to as “Third-Order Harms”

To define third-order harms, we again turn to The Scourge of Ransomware, a paper produced by Royal United Services, a think tank based in the UK. This category, as the paper describes it, refers to “the cumulative effects of ransomware incidents on a state’s economy, society and national security.” Again, these harms are designated by how far removed they are from the initial attack and break down thusly:

1. First-Order Harms directly impacted the business that was attacked and its staff.
2. Second-Order Harms impacted organizations downstream from the attacked business as well as the individuals who relied on or trusted the attacked business.
3. Third-Order Harms impacted entire societies, organizations, and governments through all the ransomware incidents the collective experienced on an economic and security-based level.

As we’ve said, we highly recommend that you read the paper in its entirety. It is fascinating and thought-provoking. However, to help make our point, we have gathered some third-order harms the paper cites.

What are the Third-Order Harms of Ransomware?

Third-order harms have the widest reach of the different degrees of harm that ransomware causes. This is to be expected… after all, we’re discussing the impacts of these cyberattacks on the societal scale. Despite this, many of these impacts tend to go undiscussed until they actively influence everyday life. Indeed, the paper itself states:

“It should be noted, however, that there are significant knowledge gaps about the impact of ransomware at a national level. This makes it challenging to assess the severity of the harm caused by ransomware to the UK and other countries, and creates the risk that governments will not prioritise and properly resource responses to ransomware.”

Many of these impacts are admittedly pretty obvious in retrospect, but certainly aren’t the first that one would associate with ransomware.

For instance, on an economic level, it makes sense that ransomware could disrupt key companies or put roadblocks in the supply chain. However, while it makes logical sense looking back on it, it isn’t typical to associate the average ransomware attack with a reduction of economic output or national productivity. Reflecting on the rest of the paper, it becomes too clear that ransomware could (and does) severely impact the economy, especially if certain businesses are targeted. The paper references an attack on MKS, a US-based manufacturer that produces the tools to make semiconductor chips, a piece of technology essential to creating many—if not most—modern infrastructures.

Furthermore, it is incredibly difficult to accurately measure the combined impact of any ransomware incident on the economy, making the true extent of the damage very challenging to determine.

Regarding national security, ransomware attacks against what the report calls critical national infrastructure, or CNI, can also have widespread impacts and implications. Public safety will be inherently reduced, and the data needed to keep people safe will be interrupted, but the public’s faith in their government and law enforcement is also apt to take a hit. It also must be said that these attacks can give competitors and rivals on the world stage an unwelcome advantage.

Societally, many of the micro-level impacts of ransomware still apply on the macro scale… arguably, they are only made worse by their increased scope. For instance, there are many essential government services and support that people rely on. A ransomware attack against one of these services would interrupt them and make the recipients less inclined to trust the afflicted service.

Plus, cybercrime becomes normalized the more ransomware appears, creating a very unwelcome new normal. It also doesn’t help that ransomware harms more vulnerable populations in general.

It is Everyone’s Responsibility to Fight Ransomware

We’re here to help.

While we can’t possibly fix every societal problem ransomware has caused by ourselves, we see it as our responsibility to help protect the businesses of Maryland from its impacts. That’s why we ask that you read and share this blog and The Scourge of Ransomware with everyone you know.

If you happen to own one of the businesses of Maryland, we’d love to get in touch with you to discuss how we can assist you in avoiding ransomware, its impacts, and other issues that could affect your operations. Give us a call at (410) 531-6727.