Ransomware Stages of Grief
Terrence McGraw
Chief Executive Officer @Cape Endeavors Inc | CMMC Compliance Experts | CUI Scanning | Security Operations | Incident Response | vCISO consulting
Secureworks conducts more than 1400 incident response engagements annually. Since 2018, we have completed over 700 post-detonation ransomware engagements. These engagements provide us with a broad perspective on both threat behaviors and their respective tradecraft, as well as victim behaviors. We have noticed a pattern of common behaviors among victims, so much so that we have labelled our observations as the 'stages of ransomware grief'.
Similar to the emotional journey people undergo when mourning the loss of a loved one, as illustrated by the Kübler-Ross Grief Cycle, business leaders and key personnel go through a comparable emotional journey when dealing with the disruptive impacts of a ransomware attack on their business. We argue that if business leaders can objectively recognize their emotional response as normal and manageable, they and their teams can reach a state of acceptance more quickly. This then enables them to make more rational and pragmatic decisions, leading to faster recovery.
Shock and Denial: Business leaders often ask 'how did this happen to us?'. They struggle to comprehend the extent of a ransomware attack's impact on their business, which is often crippling. The financial impacts accumulate quickly, and the scope, impact, and recovery time are hard to calculate in the initial hours and days following the attack. Leaders often push their teams to the brink of exhaustion, under the misconception that sheer hard work can swiftly remedy the situation. In reality, ransomware recovery feels like a sprint but is really a marathon – it takes time to understand the breadth and scope of the damage and map out a path to recovery.
Anger: Being a victim of a crime naturally induces anger and indignation. However, it's vital to take care not to misdirect this anger towards team members and partners. Leaders often seek someone to blame for the situation, and when the actual culprits are unreachable, the blame is assigned internally. This can be harmful; for optimal recovery, teams need to know that their leaders are supportive. If team members feel blamed, they might defend themselves, retaliate, or even leave when they are most needed.
Bargaining: Facing potential or complete business failure, leaders naturally want to rally their teams for a major response. Leaders might beg their teams to work overtime and push their limits in the hope of restoring operations in an unrealistic timeframe. Although the situation calls for urgent action, ransomware recovery is multi-faceted, often grueling and time-consuming. It rarely goes as fast as executives, boards, partners and customers demand. What is needed is a strategic, deliberate and coordinated recovery effort, implemented with urgency but without burning out the team or leading to fatigue-induced poor decisions.
Depression: A ransomware attack is often unexpected and could leave a business on the ropes. It is normal to feel exhausted, overwhelmed, and frustrated in these circumstances. It's crucial to protect yourself and your team from depression by insisting on adequate rest, regular breaks, exercise, and proper nutrition. Keeping positive is crucial as negativity can exacerbate the situation. Teams draw energy from leaders, so it's important to maintain good spirits and resilience during these tough times.
Acceptance: Understanding the situation at hand and the challenges ahead is the first step towards fast recovery. Acceptance allows leaders to make rational, informed decisions and effectively plan systematic recovery. This leads to a stronger, more resilient team and business. Conversely, if leaders remain in a state of anger or bargaining with their teams for continued extreme efforts, the recovery period is likely to be prolonged.
In conclusion, the 'stages of ransomware grief' demonstrate the overall emotional journey businesses and their leaders embark on after a crippling ransomware attack. Each stage, from shock and denial to acceptance, poses its unique challenge, revealing the importance of management at each step. The key takeaway is the transformative power of acceptance. The sooner leaders can navigate through the distraught confusion, misdirected anger, destructive bargaining, and the consequential depression to achieve acceptance, the quicker they can make rational and pragmatic decisions. The speed at which acceptance is reached hence becomes the catalyst for recovery, as it enables the creation of effective recovery plans and leads to stronger, more resilient teams and businesses. Understanding this progression of stages is essential to minimizing the recovery time and mitigating the overall impact from a ransomware attack, underlining the need for leaders to acknowledge and manage their emotional responses robustly and effectively.
Founder | Building & Scaling Innovations for Defense
1 year ago
Just as important as any technology solution - maybe more so - the people and emotions that have to be navigated and addressed.. thanks for an informative article Terry McGraw!
@ Dploit | Pentesting, SDLC, DevSecOps
1 year ago
Great article