Many high-profile ransomware attacks, like last year’s attack on Colonial Pipeline by DarkSide, have focused on businesses. But the bad guys behind those digital attacks aren’t limited to the business world. They also seem to target schools.
In 2021, 67 individual ransomware attacks hit 954 schools and colleges, potentially affecting the data of more than 950,000 students, according to a study by security firm Comparitech. Demands of varying amounts — from $100,000 to $40 million — were made on the schools to regain control of their systems. Few schools reported whether they paid the ransom, but at least one school paid $547,000, according to Comparitech. In total, the firm estimates, the incidents cost schools over $3.5 billion in downtime.
Costs get even higher when data recovery, system upgrades, and the cost of restoring computers are included. Some schools have been unable to recover.
Lincoln College, a private, predominantly black college in Illinois that has been in existence for 157 years, closed last month, citing cyber-attacks and the pandemic. The school had a record number of enrollments in 2019, but the pandemic impacted campus life and limited the school’s ability to raise funds. Then, in December, a ransomware attack “thwarted admissions activities and hampered access to all institutional data, leaving a blurry picture of enrollment forecasts for fall 2022,” the school said.
The systems necessary for recruiting, retention and fundraising stopped working after the attack – and although the school paid the hackers' ransom, the systems didn’t fully come back online until March of this year. By then it was too late. Significant enrollment shortfalls placed the school in a hole it could not get out of.
“Lincoln College has been serving students from around the world for more than 157 years,” wrote David Gerlach, the university’s president, in a statement. “The loss of history, careers and a community of students and alumni is immense.”
Gathering accurate information about ransomware attacks is challenging. The Identity Theft Information Center notes that data breach reporting is inconsistent at best. Of the 367 cyber attacks in the first quarter of 2022, almost half lacked details about the cause of the breach (such as ransomware or phishing). In particular, companies that pay a ransom are reluctant to report the breach.
Based on available data, Comparitech estimates that there have been 270 separate ransomware attacks on educational institutions between January 2018 and mid-May 2022. Those attacks potentially affected more than 3 million students and nearly 4,300 schools and colleges.
Hackers have collected at least $2.64 million in ransom from schools during that time, with an average payment of $239,733. However, the company estimates that the additional downtime costs for the attacks add up to nearly $20 billion during that period.
California, New York and Texas have seen the most attacks since 2018, with more than 20 each. Illinois reported 13 and Pennsylvania saw 12.
Ransomware peaked in the education sector in 2019, when the number of attacks rose to 96 (up from just 10 the year before). Since then, the number has shrunk somewhat, but attackers are targeting school districts with bigger budgets, such as Florida’s Broward County, where hackers demanded $40 million. (The school district counter-offered $500,000. The group behind the ransomware lowered their demand to $10 million, but ended up putting the school records — nearly 26,000 files — online.)
The good news is that 2022 has been a relatively light year so far for ransomware attacks in schools – and those targeted are getting back online faster.
“While hackers may become more targeted in their approach,” Comparitech wrote in its report, “the lower downtime numbers suggest that schools are better prepared for these attacks and are better able to recover their systems from backups or mitigate the effects of the attacks.”