In the last year, a Sophos report reveals that 79% of higher educational organizations surveyed, representing a 64% increase, reported falling victim to ransomware attacks.

Sophos’ “The State of Ransomware in Education 2023” report also saw that ransomware attacks targeted 80% of lower educational organizations surveyed, marking a 56% increase.

According to the cybersecurity solutions company, the education sector also witnessed one of the highest ransom payment rates, with over half (56%) of higher educational organizations and nearly half (47%) of lower educational organizations choosing to pay the ransom. As a result, data recovery costs surged for both educational sectors.

Sophos: Cyber defense impacts insurability
Sophos: Hackers utilize LOLbins to attack organizations

“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities,” said Chester Wisniewski, field CTO, Sophos.

Among higher educational organizations that paid the ransom, the cost of recovery amounted to $1.31 million, while those relying on data backups spent around $980,000. For lower educational institutions that paid the ransom, recovery expenses totaled $2.18 million, while those that refused to pay spent $1.37 million.

Extended recovery times

Organizations that chose to pay the ransom encountered longer waits for data recovery. Among higher educational organizations, 79% utilizing backups regained their data within a month, compared to only 63% of those that paid the ransom within the same timeframe. Among lower educational organizations, 63% using backups saw recovery within a month, while only 59% of those paying the ransom did.

“The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost,” said Wisniewski. “Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals.” 

Regarding ransomware attack causes in the education sector, the root factors mirrored those across all industries. However, there was a notably higher incidence of ransomware attacks involving compromised credentials among both higher (37%) and lower (36%) educational organizations, in contrast to the cross-sector average of 29%.

Compromised credentials

“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise,” Wisniewski said.

Exploits and compromised credentials constituted more than three-quarters (77%) of ransomware attacks on higher educational organizations, while these root causes accounted for over two-thirds (65%) of attacks on lower educational institutions.

The encryption rate remained relatively stable for higher educational organizations (74% in 2021, compared to 73% in 2022). Among lower educational institutions, the rate increased from 72% to 81% over the past year.

Higher educational organizations reported a lower rate of backup usage than the cross-sector average (63% versus 70%), ranking as the third lowest among all sectors. In contrast, lower educational institutions boasted a slightly higher rate of backup usage than the global average (73%).