New report reveals education sector’s ransomware recovery costs skyrocket, despite fewer overall attacks

Claire Halliday
Claire Halliday
Ransomware attacks in the global education sector may be dropping overall, but the amount of money being paid is skyrocketing.

Findings from a new annual sector survey report exploring ransomware in the global education sector shows that educational organisations paid more than the original ransom demand.

Sophos, a global leader of innovative security solutions that tackle cyberattacks, released the findings from The State of Ransomware in Education 2024 report on 16 September.

According to the report, the median ransom payment was $6.6 million for lower education and $4.4 million for higher education organisations. The survey also states that 55 per cent of lower education respondents and 67 per cent of higher education respondents paid more than the initial demand.

Fighting cybersecurity attacks

The data highlights a battle the education sector is facing on a daily basis, with ransomware attacks causing more of a strain, as only 30 per cent of ransomware victims surveyed in both lower and higher education were able to fully recover in a week or less. That’s a drop from last year’s 33 per cent (lower education) and 40 per cent (higher education). This slowing recovery rate is likely due to education organisations operating with limited teams and resources, making it harder for them to coordinate recovery efforts.

- Advertisement -

“Unfortunately, schools, universities and other educational institutions are targets that are beholden to municipalities, communities and the students themselves, which inherently creates high pressure situations if they are hit and destabilised by ransomware,” says Chester Wisniewski, director, field CTO, Sophos.

“Educational institutions feel a sense of responsibility to remain open and continue providing their services to their communities. These two factors could be contributing to why victims feel so much pressure to pay.”

Wisniewski says “we also know that ransomware attackers have upped the ante when it comes to getting paid”.

“Compromising their victims’ back-ups is now a mainstream element of ransomware attacks, giving adversaries the opportunity to subsequently increase the ransom demand when it is clear that the data cannot be recovered without the decryption key.” 

- Advertisement -

Protecting back-ups is critical

In fact, 95 per cent of respondents said that cybercriminals tried to compromise their back-ups during the attack, with 71 per cent being successful – the second highest back-up compromise rate across all industry sectors. Having back-ups compromised also considerably increases recovery costs, with the total bill coming in five times higher in lower education and four times higher in higher education.

But despite difficult dealings with ransomware, the overall attack rate dropped over the last year. Sixty-three percent of lower education organisations and 66 per cent of higher education organisations were hit by ransomware attacks – down from 80 per cent and 79 per cent, respectively.  At the same time, the rate of data encryption has increased slightly, with eighty-five percent of attacks on lower education and 77 per cent of attacks on higher education organisations resulting in data encryption, slightly up from the 81 per cent and 73 per cent, respectively, reported in the 2023 survey.

Unfortunately, cybercriminals are not only encrypting data, they’re also stealing it, using it as leverage to further monetise the attack. Twenty-two percent of lower education organisations that had data encrypted said the data was also stolen, together with 18 per cent in higher education.

The survey reveals that exploited vulnerabilities were the leading root cause of attacks in education, providing cybercriminals with a way into the network for 44 per cent of lower education and 42 per cent of higher education ransomware attacks.

Layered security approach reduces vulnerabilities

Sophos’ report this year incorporates new areas of study: insight into the role of law enforcement in ransomware remediation for education providers.

- Advertisement -

Ninety-nine per cent of lower education and 98 per cent of higher education organisations engaged with law enforcement and/or official government bodies following a ransomware attack. As a result, 64 per cent of lower education organisations and 66 per cent of higher education organisations benefitted from advice about dealing with the attack. Sixty-one per cent of lower and higher education organisations received help and support investigating the attack, and nearly 49 per cent of lower education organisations and 48 per cent of higher education organisations sought law enforcement’s help recovering data encrypted in the attack.

Data for the State of Ransomware in Education 2024 report comes from a survey of 600 cybersecurity/IT leaders working in the education sector conducted between January and February 2024. Respondents were based in 14 countries across the Americas, EMEA, and Asia Pacific. All respondents represent organisations with between 100 and 5,000 employees.

Based on this Sophos survey data, schools and other educational organisations could benefit from a layered security approach that includes vulnerability scanning and patching prioritisation guidance to reduce their attack surface, endpoint protection with anti-ransomware capabilities that automatically detect and stop attacks, and 24/7 human-led managed detection and response (MDR) services to neutralise advanced human-led attacks, ideally leveraging telemetry from back-up solutions to detect and stop adversaries before they can cause damage.

“While there appears to be some positive progress towards combatting ransomware in the education sector, it’s concerning that the rate of data encryption continues to increase year after year, which suggests educational organisations need to continue working towards improving their ransomware resilience. With stretched resources and limited budgets, education organisations need to focus on the controls that will have the greatest impact. With the median ransomware recovery cost for education now hitting $3 million, it’s clear that investing in strong prevention and protection solutions can considerably reduce the overall financial impact of cyber to educational organisations,” Wisniewski says.

Share This Article
Claire Halliday has an extensive career as a full-time writer - across book publishing, copywriting, podcasting and feature journalism - for more than 25 years. She lives in Melbourne with children, two border collies and a grumpy Burmese cat. Contact: claire.halliday[at]brandx.live