Ransomware attacks: a growing threat to educational institutions
Art by Rebecca von Tersch and Jack Hansen
Ransomware attacks are a growing threat to educational institutions
Jack Hansen
It’s the day before school starts, and you’re an administrator about to send students their schedules. There’s one massive problem: all the student records, schedules, and teacher communications are encrypted, and the perpetrators demand $50,000 for their decryption.
As inconceivable as it sounds, this happened to the Athens Independent School District in Texas, delaying the start of school by a week and costing the district tens of thousands of dollars. This is one of many examples of ransomware attacks on places such as schools, hospitals, police departments, and private companies.
A ransomware attack is a kind of cyberattack in which criminals encrypt the victim’s computer network, making it impossible for the victim to access. As in a physical hostage-taking, the hackers hold the victim’s files hostage until the victim pays a ransom, usually in a cryptocurrency, which is harder to track.
After getting hacked, the victims have two main options to get their data back. They can try to restore data from backups or pay the ransom. According to Sophos’ State of Ransomware 2021 report, the majority of victims who have had their systems encrypted restored their data from backups. However, 32% of the affected organizations paid the ransom in 2021, a 6% increase from 2020.
Additionally, the average cost of ransomware attacks has more than doubled between 2020 and 2021. The price included the ransom itself and the downtime of the service, people’s time, and missed opportunities. According to the same Sophos report, the average cost in 2021 was $1.85 million.
These upward trends in payout rate and cost mean ransomware is increasing in popularity across all sectors, including the education sector.
In 2020, 44% of educational organizations in Sophos’ report said they were hit by ransomware attacks, tying retail for the highest rates of ransomware. Ransomware attacks are also more likely to succeed against educational organizations than against organizations on average.
Attacks are also much costlier for the education sector. Even though the ransom is usually smaller than in other sectors, the cleanup is much more expensive. The average ransomware attack costs educational organizations $2.73 million, almost 50% more than the cross-sector average.
One possible explanation for this increased cost is weak infrastructure. After suffering a ransomware attack, a school district with poor IT infrastructure may rebuild its system.
Targeting educational organizations has several advantages.
Due to the aforementioned weak infrastructure, they can be easier to hack. Efforts were made to reach the Sequoia Union High School District, but they did not respond. Additionally, they can be more valuable targets. At first, this may seem counterintuitive, as the average payment is tens of thousands of dollars lower. However, according to FortiGuard Labs, the value comes from the data they can provide.
“While attacking universities may not result in the large sums of ransom money that can be obtained by attacking large businesses, stolen information can be used for financial gain. Many university systems include valuable research data as well as contact information and emails for government agencies, defense industries, pharmaceutical labs, and other private companies that leverage university researchers,” a report from FortiGuard Labs said.
As ransomware grows more prevalent, the importance of protecting against it grows. Unfortunately, many believe that ransomware attacks are inevitable. According to the Sophos report, many respondents who had not yet experienced a ransomware attack believe they will experience one in the future. Forty percent of respondents believe “ransomware is so prevalent it is inevitable we will get hit.” A similar percentage believes that ransomware is becoming harder to stop due to the attacks’ sophistication.
Thankfully, the education sector is improving along with the attackers. Ninety percent of educational organizations have a plan for a cyberattack, should the worst happen. Additionally, the education sector is the most likely to admit security weaknesses, opening up an avenue for improvement.
Biden also signed the K-12 Cybersecurity Act of 2021 on Oct. 8, which gives the Cybersecurity and Infrastructure Security Agency (CISA) Director the authority to study the cybersecurity risks facing educational institutions, provide recommendations to the institutions, and create a training toolkit for schools.
It seems unlikely that ransomware is going away any time soon. However, with the proper preparation and training, educational institutions and other sectors can mitigate as much damage as possible.
Education Ransomware: By the numbers
Was your district affected by ransomware in 2021? Yes: 44%. No: 56%. (37% across all sectors.)
Average ransomware payout: Global $170,404; Education $112,435.
Average recovery cost: $2.73 million, 48% higher than global average.
61% of respondents expect to be hit by ransomware in the future.
90% of respondents have a plan to recover from a ransomware attack.
Source: Sophos / Jack Hansen