Sophos is publishing the “Sophos State of Ransomware in Education 2021,” which looks at the extent and impact of ransomware attacks on educational institutions worldwide during 2020.
In the wake of headline-grabbing ransomware attacks impacting education, including the REvil ransomware attack on Kaseya that hit schools in New Zealand, and recent alerts from the FBI and the UK’s National Cyber Security Centre warning of spikes in ransomware attacks targeting schools, the research findings confirm the particular vulnerability of educational institutions to this relentless cyberthreat.
The main research findings include:
Education, together with retail, faced the highest level of ransomware attacks during 2020, with 44% of organizations hit (compared to 37 percent across all industry sectors)
For educational institutions, the financial impact of a ransomware attack in 2020 was crippling. The total bill for rectifying a ransomware attack in the education sector, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more, was, on average, US$2.73 million – the highest across all sectors surveyed, and 48 percent above the global average
Over half (58 percent) of the education organizations hit by ransomware said the attackers had succeeded in encrypting their data
Over a third (35 percent) of those with encrypted data gave in to the attackers’ demands and paid the ransom. Only the energy, oil/gas and utilities (43 percent), and local government (42 percent) sectors were more likely to pay
The average ransom payment was US$112,435 (lower than the global average of US$170,404). However, those who paid recovered on average only around two-thirds (68 percent) of their data, leaving almost a third inaccessible; and just 11 percent got all their encrypted data back
Of those institutions that were not hit with ransomware last year (55 percent of respondents), the majority (61%) expect to be targeted in the future. The main reasons given for this are that cyberattacks are now so sophisticated (46 percent) and prevalent (42 percent) that they are almost impossible to stop
“The education sector has long been an attractive target for cyber-attackers,” said Chester Wisniewski, the principal research scientist at Sophos. “The budgets for IT and cybersecurity can be very tight, with stretched IT teams battling to protect what is often outdated infrastructure using limited tools and resources, coupled with risky end-user behaviors, such as downloading pirated software.
“All this increases exposure to risk in any year, but in 2020 the pandemic happened, and education establishments had to switch, with short notice, to virtual learning environments, with very little time to think about security or provide basic cybersecurity training for all the new remote users. This significantly increased the sector’s vulnerability and adversaries were quick to seize the opportunity, leaving victims with the huge financial impact of having to rebuild IT infrastructure from scratch.
“To secure the network against ransomware, we advise IT teams to focus resources on three critical areas: building stronger defenses against cyberthreats, introducing security skills training for users, and, where possible, investing in more resilient infrastructure.”
The “Sophos State of Ransomware in Education 2021” survey polled 5,400 IT decision makers, including 499 education IT managers, in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.
The full “Sophos State of Ransomware in Education 2021” paper is available here. If you’d like to speak to one of our experts about the impact of ransomware on education and what defenders can do to enhance security, or about ransomware in general, please get in touch.
Additional resources
Tactics, techniques, and procedures (TTPs), and more, for different types of ransomware can be found on SophosLabs Uncut, the home of Sophos’ latest threat intelligence
Information on attacker behaviors, incident reports, and advice for security operations professionals can be found on Sophos News SecOps
Understand adversary behaviors and TTPs in the wild in Sophos’ Active Adversary Report 2021
Learn more about the global prevalence and impact of ransomware in the State of Ransomware 2021
To help stop ransomware attacks, read the five early indicators an attacker is present
Learn more about Sophos’ Rapid Response service that contains, neutralizes and investigates attacks 24/7
The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team