- Both K-12 and higher-ed reported alarmingly high rates of ransomware attacks in 2022
- Survey results show that paying ransoms increases recovery times
- See related article: Defending against the most common cyberattacks
Education reported the highest rate of ransomware attacks in 2022, and over the past year, 79 percent of higher-ed organizations surveyed reported being hit by ransomware, while 80 percent of K-12 organizations surveyed were targeted—an increase from 64 percent and 56 percent in 2021, respectively.
Additionally, the education sector reported one of the highest rates of ransom payments, with more than half (56 percent) of higher-ed organizations paying and nearly half (47 percent) of K-12 educational organizations paying the ransom. However, paying the ransom significantly increased recovery costs for both higher-ed and K-12 educational organizations. Recovery costs (excluding any ransoms paid) for higher-ed organizations that paid the ransom were $1.31 million when paying the ransom versus $980,000 when using backups. For K-12 educational organizations, the average recovery costs were $2.18 million when paying the ransom versus $1.37 million when not paying.
Paying the ransom also lengthened recovery times for victims. For higher-ed organizations, 79 percent of those that used backups recovered within a month, while only 63 percent of those that paid the ransom recovered within the same timeframe. For K-12 educational organizations, 63 percent of those that used backups recovered within a month versus just 59 percent of those that paid the ransom.
“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities. The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost. Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals,” said Chester Wisniewski, field CTO, Sophos.
For the education sector, the root causes of ransomware attacks were similar to those across all sectors, but there was a significantly greater number of ransomware attacks involving compromised credentials for both higher-ed and K-12 educational organizations (37 percent and 36 percent respectively versus 29 percent for the cross-sector average).
Additional key findings from the report include:
- Exploits and compromised credentials accounted for more than three-fourths (77 percent) of ransomware attacks against higher-ed organizations; these root causes accounted for more than two-thirds (65 percent) of attacks against K-12 educational organizations
- The rate of encryption stayed about the same for higher-ed organizations (74 percent in 2021 versus 73 percent in 2022), but increased from 72 percent to 81 percent across K-12 educational organizations during the past year
- Higher-ed organizations reported a lower rate of using backups than the cross-sector average (63 percent versus 70 percent). This is the third lowest rate of backup use across all sectors. K-12 educational organizations, on the other hand, had a slightly higher rate of using backups than the global average (73 percent)
“Abuse of stolen credentials is common across sectors for ransomware criminals, but the lack of adoption of multifactor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Like the U.S. federal government’s initiative to mandate all agencies use MFA, it is time for schools of all sizes to employ MFA for faculty, staff and students. It sets a good example and is a simple way to avoid many of these attacks from getting in the door,” said Wisniewski.
Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:
- Strengthen defensive shields with:
- Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
- Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
- 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
- Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
- Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations
This press release originally appeared online.
- Teacher burnout persists, but solutions are emerging - September 22, 2023
- “Ambitious growth” is needed to accelerate learning recovery - September 15, 2023
- 5 reasons to use a one-stop-shop communications platform - September 14, 2023