Sophos report highlights rising ransomware recovery costs in education sector

The latest report from cybersecurity company Sophos reveals the growing financial and operational strain ransomware is placing on educational institutions. 

The “State of Ransomware in Education 2024” report found that while ransomware attacks on schools and universities have dropped slightly, recovery costs have soared, leaving institutions with higher financial burdens. 

This year, the median ransom payment was reported as $6.6 million for lower education and $4.4 million for higher education.

The data for the report is based on a vendor-agnostic survey of 600 cybersecurity and IT leaders working in the education sector. The survey was conducted between January and February 2024 and covered respondents from 14 countries across the Americas, EMEA, and Asia Pacific. 

All respondents represented organisations with between 100 and 5,000 employees. 

Increasing pressure to pay

The report highlights a sharp increase in recovery costs, with lower education institutions seeing costs surge from $1.59 million in 2023 to $3.76 million in 2024, while higher education costs rose from $1.06 million to $4.02 million during the same period. Recovery efforts have also become more protracted, with only 30% of educational institutions fully recovering within a week, a decrease from last year’s figures of 33% (lower education) and 40% (higher education).

Despite fewer overall attacks—63% of lower education institutions and 66% of higher education institutions were hit, down from 80% and 79% last year—the pressure to pay ransoms is still mounting. 

A staggering 55% of lower education institutions and 67% of higher education organisations reported paying more than the initial ransom demand. The growing reliance on digital systems, coupled with limited resources, is likely to be contributing to the rising costs and willingness to pay higher ransoms.

Chester Wisniewski, Field CTO at Sophos, remarked:

“Unfortunately, schools, universities and other educational institutions are targets that are beholden to municipalities, communities and the students themselves, which inherently creates high pressure situations if they are hit and destabilised by ransomware. Educational institutions feel a sense of responsibility to remain open and continue providing their services to their communities. These two factors could be contributing to why victims feel so much pressure to pay.

“We also know that ransomware attackers have upped the ante when it comes to getting paid. Compromising their victims’ backups is now a mainstream element of ransomware attacks, giving adversaries the opportunity to subsequently increase the ransom demand when it is clear that the data cannot be recovered without the decryption key.”

Cybercriminals targeting backups

According to the report, 95% of education sector respondents said that cybercriminals attempted to compromise their backups during the attack, with 71% of these attempts being successful.

This high success rate is the second highest across all industry sectors surveyed. Once backups are compromised, recovery costs can balloon to as much as five times higher for lower education and four times higher for higher education institutions.

Even though the overall number of ransomware attacks has decreased, the rate of data encryption has risen. In lower education, 85% of attacks resulted in data encryption, while in higher education, 77% of attacks led to encrypted data. Both figures have increased compared to last year’s data, indicating that cybercriminals are becoming more sophisticated in their approach. Additionally, 22% of lower education institutions and 18% of higher education institutions reported that their encrypted data was also stolen during the attacks, adding another layer of complexity to the recovery process.

Sophos’ report indicates that exploited vulnerabilities remain the primary entry point for ransomware attacks on education institutions, accounting for 44% of lower and 42% of higher education attacks. 

For the first time, Sophos’ 2024 report examined the involvement of law enforcement in ransomware recovery. After an attack, 99% of lower education institutions and 98% of higher education institutions sought help from law enforcement or government agencies. 

Of those who engaged law enforcement, 64% of lower education organisations and 66% of higher education institutions received advice, while around 61% benefited from investigative support. Additionally, 49% of lower education institutions and 48% of higher education institutions requested help recovering encrypted data.

Moving forward: A layered security approach

Based on the findings, Sophos recommends that educational institutions adopt a layered security approach to better protect themselves from ransomware. This includes vulnerability scanning, prioritising patches, endpoint protection with anti-ransomware capabilities, and 24/7 human-led managed detection and response (MDR) services.

Wisniewski added:

“While there appears to be some positive progress towards combatting ransomware in the education sector, it’s concerning that the rate of data encryption continues to increase year after year, which suggests educational organisations need to continue working towards improving their ransomware resilience.

“With stretched resources and limited budgets, education organisations need to focus on the controls that will have the greatest impact. With the median ransomware recovery cost for education now hitting $3 million, it’s clear that investing in strong prevention and protection solutions can considerably reduce the overall financial impact of cyber to educational organisations.”
