The long-term psychological effects of ransomware attacks

Northwave has conducted scientific research into the psychological effects of a ransomware crisis on both organizations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. It also shows how their IT and security teams can turn in disarray long after the crisis itself has passed.

psychological effects ransomware

Key findings on psychological effects of ransomware

“The research reveals how the psychological impact of ransomware attacks can persist on people in affected organizations for a very long time,” explains Organizational Psychologist Inge van der Beijl, Director Behaviour & Resilience at Northwave. “It shows that crisis team members may develop serious symptoms far later. Top management and HRM need to take measures against this, in fact right from the very beginning of the crisis. They are the ones bearing responsibility for the well-being of their staff.”

She continues: “We also discovered how teams haven fallen apart some time after the crisis, with members leaving or staying home on sick-leave. The study reveals that effects can linger throughout the organization. All in all the investigation shows that this invisible impact of a cyber crisis is an issue for the general business management, and certainly also for HRM.”

Northwave regards the response to a cyberattack as occurring in three phases. First comes the actual crisis situation, which evolves into an incident phase after about a week. A plan of action is then in place, and recovery measures are launched. The fire has been largely extinguished after a month or so, with the first (basic) functionalities available again.

Full recovery can take one to two years. Each phase has its specific effects on the minds and bodies of those involved, and by extension, on the organization or parts of it. “In average a company is down for three weeks following a malware attack,” notes Van der Beijl. “But it surprised us that the impact persists for so long afterwards. Psychological issues are still surfacing a year after the actual crisis.”

  • One of every seven employees involved in the attack, either directly or indirectly, exhibits severe enough symptoms several months later, at a level considered to be above the clinical threshold at which professional trauma treatment help is needed.
  • One in five employees say they would actually have needed more professional help subsequently in coming to terms with the attack.
  • One in three liked to have more knowledge and concrete tools to deal with the psychological effects of the attack.

A ransomware attack has enduring psychological effects on the way employees view the world. Two-thirds of employees, including those not actually involved in the attack, now believe the world is less safe. As one IT manager pointed out, “I’ve become far more suspicious. The outside world is a dangerous place.”

These long-term effects impact staff turnover:

  • One in five directly affected by the attack has considered, or is still considering, changing jobs.
  • More than half of managers and IT staff reports the extended absence of several employees months or even a year after the attack.

Positive effects

There were also positive residual effects arising from ransomware attacks, alongside the negative ones. IT departments found they could finally schedule overdue security maintenance given that their companies now assigned higher priority to cybersecurity. Non-IT colleagues also showed increased solidarity and empathy.

  • Almost half of those interviewed believed collaboration had improved immensely.
  • One in five employees involved in a ransomware attack said they had become closer to their colleagues.


The research findings highlight the importance of senior management being involved actively in recovery from both the visible and invisible impacts of ransomware attacks.

In phase 1, ensure regular check-ins. It’s impossible to run a marathon at a sprinter’s pace, and a ransomware attack is a marathon. Ensure that staff take regular breaks, and that they work in shifts. People feel responsible, so that some of them need to be told to take time off. See what coping mechanisms people use, as unhealthy coping is common.

In phase 2, use policies to manage the incident team’s workload. Distinguish between incident-related work and regular duties. Where possible, find extra people for regular duties. Create a rhythm with rest and recovery time for everyone.

In phase 3, schedule evaluations. Be aware of the likelihood that many of those involved in ransomware attacks will develop psychological symptoms. Because peer bonding has increased, creating an open environment where negative feelings can be aired proves to be a powerful tool. People want to talk about what happened and what it meant to them. Facilitating this can be enormously useful.

Don't miss