Schools, colleges and universities face growing costs from ransomware attacks, according to research from Sophos, and educational institutions are struggling to recover after an incident.
The State of Ransomware in Education 2024 report found that 44% of schools across 14 nations surveyed faced a ransom demand of $5m or more. In higher education, 32% faced demands of between $1m and $5m, and 35% over $5m.
Schools, Sophos found, paid out the highest median ransoms, at $6.6m. This was matched only by ransoms paid by federal government.
The researchers found that the number of ransomware attacks against education actually fell in 2024, compared with 2023.
In 2023, 80% of “lower education” establishments reported ransomware attacks, falling to 63% in 2024. For higher education, attacks dropped from 79% to 66%. In both cases, though, 2024 saw more attacks than 2022.
However, schools and universities were more likely to have data stolen – this happened to 22% of lower education bodies and 18% in higher education – with attackers using exfiltrated data “as leverage to further monetize the attack.”
Backup Compromise
Education institutions also faced longer recovery times, in part because ransomware groups increasingly target backups as well as primary data.
Of the organizations reporting ransomware attacks, 95% said cybercriminals attempted to compromise backups, and 71% succeeded in doing so.
Victims also faced higher ransom demands. Schools where attackers compromised backups were asked for, on average, five times as much. For higher education, demands doubled.
Schools that suffered backup compromise were also three times as likely to pay ransoms. Both schools and universities that suffered backup compromise faced higher recovery costs too.
“Ransomware attackers have upped the ante when it comes to getting paid,” said Sophos field CTO, Chester Wisniewski.
“Compromising their victims’ backups is now a mainstream element of ransomware attacks, giving adversaries the opportunity to subsequently increase the ransom demand when it is clear that the data cannot be recovered without the decryption key.”
The most common root causes for ransomware in the sector included vulnerability exploits, malicious email and compromised credentials.
“The education sector is interesting for attackers because they hold large swathes of sensitive information regarding students, parents and staff,” Daniel Shepherd, CEO of security consultants CSIS told Infosecurity.
“Schools and universities have undergone tremendous modernization programs, with all aspects of the learning experience for students, dependent on IT systems. These modernization programs have not always been accompanied by an appropriate focus on security.”