Growing Ransomware Attacks on Schools and Universities

A recent study from Sophos on the state of ransomware in education found that 80% of K-12 schools and 79% of higher education institutions reported incidents of ransomware attacks in 2023. Research from 2021-2022 shows that the number of attacks continues to rise at an alarming rate.

From 2018 through 2023, it is reported that ransomware attacks on the education sector have cost the world economy over $53 billion in downtime – with the United States being hit the hardest at over $35 billion.

These attacks are not a simple inconvenience to schools, they’re costing governments resources and putting students and citizens at great risk. In addition to the loss of sensitive data and money, the U.S. Government Accountability Office (GAO) reported that schools were forced to close down because of these cybercrimes.

This prompts us to ask two questions: Why are schools being targeted, and how do schools respond to these threats?

To shed light on this growing crisis, we explore some of the reasons hackers are targeting the education sector and what schools and universities can do to be prepared and remain resilient in the case of an attack.

Why Are Schools Being Targeted?

Valuable and Sensitive Data. Schools and universities hold a vast amount of sensitive data, making them prime targets for ransomware attacks. This data includes personal information of students, staff and faculty, such as social security numbers, addresses, and financial details.

Additionally, research institutions often hold valuable intellectual property and proprietary research data. Cybercriminals target this data because it can be exploited for identity theft, sold on the dark web, or used to exert pressure on the institution for ransom.

Limited Cybersecurity Resources. Educational institutions, particularly public schools and smaller colleges, often operate under significant budget constraints. This limitation can lead to underinvestment in cybersecurity infrastructure.

Many schools lack modern and robust cybersecurity measures, have outdated IT systems and insufficiently trained staff to manage and secure their networks effectively. This makes them easier targets compared to organizations with more resources dedicated to cybersecurity.

Increased Technological Dependence. The shift towards digital education, especially accelerated by the COVID-19 pandemic, has increased schools’ and universities’ reliance on technology for teaching, learning and administration.

This dependency means that a successful ransomware attack can cripple critical systems, disrupting educational processes and administrative functions. The urgency to restore operations quickly to minimize educational disruption can make educational institutions more likely to pay the ransom.

Exploitation of Open Networks. Universities, in particular, are known for their open and collaborative networks, designed to foster academic freedom and information sharing.

This openness, while academically beneficial, can also create vulnerabilities. Cyber attackers exploit these less secure and more accessible networks to infiltrate and deploy ransomware.

Once inside the network, the interconnected nature of university systems allows the spread of ransomware, magnifying the potential impact of the attack.

Public Profile and Pressure. Schools and universities are integral parts of communities and have a significant public profile. An attack on these institutions can attract media attention and public scrutiny.

The potential damage to the institution’s reputation, coupled with the pressure from affected students and parents, can compel schools to resolve the situation swiftly, often by giving in to ransom demands. Cybercriminals exploit this public pressure, knowing that it can work in their favor.

The Impact of Ransomware Attacks

The impact of ransomware attacks on schools and universities has been significant and multifaceted, affecting both operational aspects and financial costs.

In 2022, the education sector experienced a high volume of ransomware attacks, with an estimated total cost of around $9.45 billion. This staggering figure is partly due to the trend of “double extortion” attacks, where hackers not only lock out institutions from their critical systems but also steal data, threatening to leak it online if the ransom isn’t paid.

These incidents have caused significant disruptions, including instances where entire school districts were forced to close temporarily, such as in Albuquerque Public Schools, and others where sensitive data was leaked, as in the case of Bluefield University.

The number of ransomware attacks has been consistently high over recent years, with 2023 already showing a significant increase in both the number of attacks and the records impacted.

By mid-September 2023, over 1.5 million records had already been breached in such attacks on schools and colleges, surpassing the total for the entire year of 2022. The average downtime caused by these attacks in 2023 was around 11.6 days, significantly higher than the previous years, indicating a growing severity in the impact of these incidents.

Moreover, educational institutions are facing increasing ransom demands. In 2023, the average ransom demanded was approximately $1.5 million, with total ransom payments amounting to millions of dollars. Despite the high costs, not all institutions choose to pay the ransom.

For instance, in 2022, the Little Rock School District decided to pay a $250,000 ransom, while the Norman Public Schools refused to engage with the attackers’ demand of $950,000.

The consequences of ransomware attacks extend beyond the immediate financial burden. Paying the ransom often leads to increased recovery costs and extended recovery times.

For example, higher educational organizations that paid the ransom incurred an average recovery cost of $1.31 million, compared to $980,000 for those that relied on backups. Furthermore, the sector reported one of the highest rates of ransom payment, with more than half of higher educational organizations paying the ransom.

From a geographical perspective, the United States has been the most frequently attacked country, with states like California and New York experiencing the highest number of attacks and the most significant number of students impacted.

How to Prepare and Remain Resilient

To combat and prepare for ransomware attacks, schools and universities need to adopt a multi-faceted approach that involves technological solutions, training, and robust response planning.

Educational institutions must maintain up-to-date and secure IT infrastructures. This includes regular patching of software, employing strong endpoint protection, and implementing multi-factor authentication to enhance security.

Additionally, segmenting networks can prevent the lateral movement of malware in the event of a breach. Vulnerability testing, particularly of internet-facing systems and services, is also important.

Effective backup strategies are essential. Schools should ensure regular, successful completion of backups and establish a plan for data restoration. It’s important to regularly test these backups and the restoration process to confirm they work as expected.

In the event of an attack, institutions need to ensure that ransomware is fully purged from the system before restoration from backups to prevent re-infection. Keeping an air-gapped (physically or logically isolated) copy of backup data is also advisable.

With human error often being a significant vulnerability, educating staff and students about cybersecurity is vital.

Regular training on recognizing phishing emails and other common cyber threats can significantly reduce the risk of a successful attack. Creating a culture of cybersecurity awareness across the institution is essential.

In the event of an attack, having alternative channels of communication is important, especially if primary systems like email are compromised. This may include phone trees, non-internet-based phone lines and other methods of communication.

In case a school considers paying a ransom, it’s important to weigh the legal and policy implications and consult with legal counsel and law enforcement.

Collaboration between departments within the institution and sharing information with external bodies like law enforcement can also aid in both preventing and responding to attacks. Institutions can benefit from sharing information and strategies with Information Sharing and Analysis Centers and other relevant organizations.

Having a dedicated team or personnel assigned to handle potential cyber threats and breaches can ensure a swift and effective response. This team should be equipped with the necessary tools and authority to manage cybersecurity incidents.

Building cyber resilience, which involves not just defending against attacks but also ensuring the ability to operate during and recover after an attack, is crucial. This includes having systems in place to ensure no data is lost in the event of an attack and improving communication and collaboration between different departments.

Prepare Your Agency

The increasing frequency and severity of ransomware attacks on educational institutions highlight a critical vulnerability in our society.

The financial and operational impacts of these attacks are profound, with millions of dollars in ransom payments and recovery costs, not to mention the disruption to educational processes and potential damage to institutional reputations.

However, there is a path forward. By adopting an approach that includes technological upgrades, staff and student training and robust response planning, schools can enhance their defenses against these cyber threats.

Learn more about how CentralSquare supports agencies to combat cybersecurity and ransomware attacks through modern technology and the power of the cloud.