Educational organizations are paying significantly more than the original ransom demands in ransomware attacks, according to The State of Ransomware in Education 2024 report by Sophos. The report reveals that 55% of lower education and 67% of higher education institutions paid more than the attackers’ initial demands, with median payments reaching $6.6 million for lower education and $4.4 million for higher education.
The study also highlights that while ransomware attacks in the education sector have decreased, recovery costs have surged. Only 30% of ransomware victims in both lower and higher education managed to fully recover within a week, down from 33% and 40% last year. This prolonged recovery is attributed to the limited resources and small IT teams available in most educational institutions.
“Unfortunately, schools, universities, and other educational institutions are targets that are beholden to municipalities, communities, and the students themselves. This inherently creates high-pressure situations if they are hit and destabilized by ransomware. Educational institutions feel a sense of responsibility to remain open and continue providing their services to their communities. These two factors could be contributing to why victims feel so much pressure to pay,” said Chester Wisniewski, director, field CTO, Sophos.
Compromising Victims’ Backups
“We also know that ransomware attackers have upped the ante when it comes to getting paid. Compromising their victims’ backups is now a mainstream element of ransomware attacks. This allows adversaries to subsequently increase the ransom demand when it is clear that the data cannot be recovered without the decryption key.”
In fact, 95% of survey respondents indicated that cybercriminals attempted to compromise their backups, with 71% of these attempts being successful – the second-highest rate across all sectors. As a result, recovery costs soared to five times higher for lower education and four times higher for higher education institutions.
Despite these challenges, the overall attack rate has dropped: 63% of lower education and 66% of higher education organizations reported ransomware attacks, down from 80% and 79%, respectively, in the previous year. However, the rate of data encryption has increased, with 85% of attacks on lower education and 77% on higher education leading to encrypted data, up from last year.
Stealing Data During Attacks
Cybercriminals are also increasingly stealing data during these attacks, with 22% of lower education and 18% of higher education institutions reporting data theft alongside encryption. The survey identifies exploited vulnerabilities as the leading root cause of these attacks, accounting for 44% of incidents in lower education and 42% in higher education.
Sophos recommends a layered security approach for educational organizations that includes vulnerability scanning, anti-ransomware capabilities, and 24/7 managed detection and response (MDR) services. Wisniewski emphasized the importance of focusing on preventive measures to reduce the financial burden of ransomware recovery, which now costs a median of $3 million in education.
“While there appears to be some positive progress towards combatting ransomware in the education sector, it’s concerning that the rate of data encryption continues to increase year after year. This suggests educational organizations need to continue working towards improving their ransomware resilience. With stretched resources and limited budgets, education organizations need to focus on the controls that will have the greatest impact. With the median ransomware recovery cost for education now hitting $3 million, it’s clear that investing in strong prevention and protection solutions can considerably reduce the overall financial impact of cyber on educational organizations,” said Wisniewski.
The report also sheds light on the role of law enforcement in ransomware incidents, with 99% of lower education and 98% of higher education organizations engaging with law enforcement post-attack. Many received advice, investigative support, and help recovering data.
The survey was conducted among 600 IT leaders from educational institutions in 14 countries between January and February 2024.