Education Sector Tops 2022 Ransomware Statistics

Our State of Ransomware 2022 report documented 64 publicly reported ransomware attacks against the education sector, representing a massive 48.8% increase on 2021. This alarming increase saw the education sector move from second place in 2021 to first place in 2022 ransomware, ranking above both government and healthcare, two of the other most highly targeted sectors.

The US reported the most attacks in the sector, with around 45 incidents making headlines throughout the year.  Within the US ransomware groups targeted mostly school districts, with student numbers ranging from 259 to 565,000, followed closely by universities and further education. California was the most targeted state with around 9 attacks including LAUSD, one of the most notable attacks of 2021 which saw 500GB of sensitive data exfiltrated and leaked by the Vice Society criminal gang.

When it came to the attackers, Vice Society took the lead with a total of 9 publicly disclosed attacks, followed by BlackCat and LockBit. However, it’s worth noting that a large number of attacks on education have remained unclaimed to date.  Ransomware groups claimed 48.4% of attacks which is a notable increase against the 11.6% of claimed attacks in education during 2021. This is likely due to the increase in data exfiltration leading to extortion attempts. When the organization fails to negotiate with the cybercriminals or pay the ransom, samples of the exfiltrated data are more likely to end up on the groups data leak site.

Data exfiltration was involved in 34 of the 64 incidents recorded that we know of. We expect this figure to rise as data breaches following these incidents are typically disclosed many months later. Data held by schools is sensitive in nature, and personally identifiable information relating to employees, students (past and present) and their families, makes it a desirable target for criminal gangs.

Due to skills shortages, resourcing and budgetary issues, the education sector is often regarded as low hanging fruit for attackers. Data exfiltration is often the main incentive as the integrity of the data is highly important to not only the schools but the individuals within them, thus making a potential ransom payment more probable to avoid a range of consequences such as legal action.

Other motivations behind attacks on this sector are often unclear, however during an attack on Mars K-12 district, Vice Society gave us a glimpse of the mentality behind the groups when Pennsylvania law prevented the school from entering into ransom negotiations and payments. The criminal gang stated to media outlet DataBreaches.net that “we don’t care about laws. Any attacked company is glory or money. They can choose what to give us. We love both of it.”

Ransom demands and payments are subjects rarely discussed by education establishments in response to attacks. Glenn County Office of Education made news when they had a ransom demand of $1 million and ended up paying $400,000 to Quantum for the decryption key to unlock their data. We also saw the University of Pisa in Italy get hit with a massive 4.5 million Euro ransom. Ransom amounts vary and although some do not appear to be exceptionally high value, for some smaller school districts or community colleges, paying any ransom is not an option due to budgetary constraints.

The fallout from a ransomware attack can be devastating, as it was for Lincoln College in Illinois. The 157 year old college was forced to close it doors following a 2021 attack. The college was able to survive multiple disasters including a major fire, the Spanish Flu, the Great Depression, World Wars and the 2008 global financial crisis, but a ransomware attack proved to be the final straw.

As long as education sector continues to be under resourced when it comes to cybersecurity investment, the sector will continue to be at the top of the ransomware statistics in 2023. Educational institutions rely heavily on cyberinsurance, with 78% adopting it. While previous claims have been successful for most institutions, new restrictions threaten to change the cyber insurance landscape in 2023.

Educational institutions need to take action and ensure they are doing everything they can to prevent attacks in order to preserve or obtain coverage. The key takeaway for those responsible for IT with the sector is that it’s not a question of if, but when. Without an investment into next generation cybersecurity tools like anti data exfiltration to prevent attacks, they maybe the next headline and may find insurance isn’t the answer.

Learn more about how BlackFog protects enterprises from the threats posed by ransomware.