The median ransom payment in 2023 was $6.6 million for lower education and $4.4 million for higher education organisations, according to a report from Sophos.
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific.
Among respondents, 600 respondents were from educational organisations, split into 300 from lower education (catering to students up to 18 years) and 300 from higher education (for students over 18 years).
The survey was conducted by research specialist Vanson Bourne between January and February 2024, and participants were asked to respond based on their experiences over the previous year.
The survey shows that 55% of lower education respondents and 67% of higher education respondents paid more than the initial demand.
Ransomware attacks are causing more of a strain as only 30% of ransomware victims surveyed in both lower and higher education were able to fully recover in a week or less, down from the previous year’s 33% (lower education) and 40% (higher education).
Sophos said this slowing recovery rate is likely due to education organisations operating with limited teams and resources, making it harder for them to coordinate recovery efforts.
“Unfortunately, schools, universities and other educational institutions are targets that are beholden to municipalities, communities and the students themselves, which inherently creates high-pressure situations if they are hit and destabilised by ransomware,” said Chester Wisniewski, director and global field CTO at Sophos.
“Educational institutions feel a sense of responsibility to remain open and continue providing their services to their communities,” said Wisniewski. “These two factors could be contributing to why victims feel so much pressure to pay.”
He added that compromising the victims’ backups is now a mainstream element of ransomware attacks, giving adversaries the opportunity to subsequently increase the ransom demand when it is clear that the data cannot be recovered without the decryption key.
In fact, 95% of respondents said that cybercriminals tried to compromise their backups during the attack, with 71% being successful – the second highest backup compromise rate across all industry sectors.
Having backups compromised also considerably increases recovery costs, with the total bill coming in five times higher in lower education and four times higher in higher education.
Yet, despite difficult dealings with ransomware, the overall attack rate dropped over the last year. Sixty-three percent of lower education organisations and 66% of higher education organisations were hit by ransomware attacks – down from 80% and 79%, respectively.
At the same time, the rate of data encryption has increased slightly, with 85% of attacks on lower education and 77% of attacks on higher education organisations resulting in data encryption, slightly up from the 81% and 73%, respectively, reported in the 2023 survey.
Unfortunately, cybercriminals are not only encrypting data, they’re also stealing it, using it as leverage to further monetise the attack. Twenty-two percent of lower education organisations that had data encrypted said the data was also stolen, together with 18% in higher education.
The survey reveals that exploited vulnerabilities were the leading root cause of attacks in education, providing cybercriminals with a way into the network for 44% of lower education and 42% of higher education ransomware attacks.