Schools suffer greatest cost of ransomware attacks

Four in every five (79%) of higher educational organisations reported being hit by ransomware over the past year, while 80% of lower educational groups surveyed were targeted—an increase from 64% and 56% in 2021, respectively.

These are some of the findings of the The State of Ransomware in Education 2023 from Sophos. The survey covered 3,000 IT/cybersecurity leaders in 400 from the education sector across 14 countries in the Americas; Europe, Middle East and Africa, and the Asia-Pacific regions.

Results show that the sector reported one of the highest rates of ransom payment with more than half (56%) of higher educational organisations paying, as did nearly half (47%) of lower educational organisations. 

However, paying the ransom significantly increased recovery costs for both higher and lower educational organisations. Recovery costs (excluding any ransoms paid) for higher educational organisations that paid the ransom were $1.31 million when paying the ransom versus $980,000 when using backups. 

For lower educational organisations, the average recovery costs were $2.18 million when paying the ransom versus $1.37 million when not paying.

Paying the ransom also lengthened recovery times for victims. For higher educational organisations, 79% of those that used backups recovered within a month, while only 63% of those that paid the ransom recovered within the same time frame. 

For lower educational organisations, 63% of those that used backups recovered within a month versus just 59% of those that paid the ransom.

Chester Wisniewski, field CTO of Sophos, said that while most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities. 

“The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost,”  said Wisniewski. “Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals.”

For the education sector, the root causes of ransomware attacks were similar to those across all sectors, but there was a significantly greater number of ransomware attacks involving compromised credentials for both higher and lower educational organisations — 37% and 36% respectively versus 29% for the cross-sector average.

The study also found that exploits and compromised credentials accounted for more than three-fourths (77%) of ransomware attacks against higher educational organisations. These root causes accounted for more than two-thirds (65%) of attacks against lower educational organisations.

The rate of encryption stayed about the same for higher educational organisations (74% in 2021 versus 73% in 2022), but increased from 72% to 81% across lower educational organisations during the past year.

Higher educational organisations reported a lower rate of using backups than the cross-sector average (63% versus 70%). This is the third lowest rate of backup use across all sectors. 

Lower educational organisations, on the other hand, had a slightly higher rate of using backups than the global average (73%).

“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise,” said Wisniewski.