It started as a simple statement on Twitter: “What’s upsetting is there’s been many suicides as a result of ransomware. ”
The assertion surprised me, and I asked, “Where are you seeing/reading reports of suicides as a result of ransomware attack(s)? Can you point me to some specific reports/links/whatever? Thanks.”
After an exchange of tweets, it seemed that the only examples in news that people could point to were two cases reported in the news in 2014 and 2015.
One involved a Romanian man who had been the victim of so-called “police” ransomware which falsely informed him he needed to pay a fine for downloading porn or risk going to jail. As The Register reported:
Marcel Datcu, 36, from the village of Movila Miresii, hanged himself while holding his four-year-old son in his arms with a rope around his neck. Both perished.
The second involved a teenager who also received the “police” ransomware. As The Hacker News reported in 2015:
Joseph Edwards, a 17-year-old schoolboy from Windsor, Berkshire, hanged himself after receiving a bogus email appeared to be from police claiming that he’d been spotted browsing illegal websites and that a fine of 100 pound needed to be paid in order to stop the police from pursuing him.
Now ransomware was involved in both those tragic cases, but was it the fact that their files had been encrypted that led to suicide or was it the fear of shame, embarassment, or threat of jail time that led the victims to take their own lives? Was ransomware’s effect to make the threat seem more credible and to increase pressure on the vicitms to pay? It would appear so. And while the distinction may seem to be unimportant to some, it is actually quite important to those who try to predict behavior or try to immunize vulnerable people from self-harm.
There have been a number of reported cases of people committing suicide because of sextortion schemes, where criminals get people to engage in sex acts that are recorded and then used to extort them by threatening to show the recordings to friends and family. Those cases do not involve ransomware.
And there have been reports of people committing suicide because of fraudulent emails claiming that a trojan had been placed on their system that had recorded them visiting porn sites or exposing themselves and those (alleged) recordings will be shown to family and friends if the extortion demand is not paid. But in those cases, although there is a claim that malware was involved, there was no malware involved and no ransomware.
For the most part, the suicides reported in the news appear to be a result of people feeling overwhelmed and unable to cope with the fear that they will be publicly shamed or jailed — although there is generally no ransomware or malware involved in almost all of the reported cases.
Have there been any reports of anyone committing suicide because their files/systems were encrypted and they couldn’t decrypt them?
I did find reference to one — and only one — case where a suicide did appear to be the result of a malware attack where the destruction of files led to despair and suicide:
According to an analysis carried out by a team of researchers from Vanson Bourne, ransomware attacks are also having the potential to destroy lives. The company’s research discovered that two middle-aged women who had a fashion studio in the UK had to file for bankruptcy in 2017 when all their hard work was digitally destroyed by a malware which eventually led to a suicide of one woman in early 2018.
We know that ransomware attacks can result in delay of treatment and potentially, the loss of life. We know it can result in financial losses and reputation harm, and massive disruption to societies. We know, anecdotally at least, that such attacks can be stressful to victims and increase their own health problems.
And we know that too many people continue to commit suicide over sextortion schemes, for fear of embarassment if pictures are exposed as threatened. Within the past month alone, I have read two such reports. One involved a teenager in New York. And one involved a 26-year-old man in Bengaluru.
But where is there evidence that there have been “many” suicides due to ransomware? A search of PubMed does not return any results of any medical/psychiatric articles discussing the topic. And there is nothing on the CDC’s site or in the mortality data I looked at. And a search of news did not return any relevant results other than the two “police ransomware” reports of 2014 and 2015.
I am not saying that the person who made the claim is wrong. I am asking, though, whether there are data to support it, because if true, this needs to be factored in to government and global policies, strategies, and law enforcement approaches to prosecuting those who deploy ransomware. And it needs to be addressed more in public awareness campaigns to try to address the mental health aspects.
If any reader knows of specfic cases where ransomware appeared to causally contribute to a suicide, please let me know via email to breaches[at]protonmail[dot]ch