Since 2018, Comparitech recorded 491 ransomware attacks on US schools and colleges that breached more than 6.7 million individual records. We estimate that these attacks cost education institutions over $2.5 billion in downtime alone. Most schools faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks.
Over the last few years, ransomware attacks have become an increasing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data.
2023 saw a record-breaking number of attacks with 121 in total–50 higher than the total recorded in 2022 (71). The number of days of downtime caused by these attacks has also increased in recent years, rising from just under nine days in 2021 to 12.6 days in 2023.
On average, it costs a US educational institution $550,000 per day of downtime it suffers as a result of a ransomware attack.
What is the true cost of these ransomware attacks across the education sector in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2024?
To find out, our team of researchers gathered information on all of the ransomware attacks affecting schools and colleges since 2018. Many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. Information might only be released to the public when the school must acknowledge the breach due to disrupted systems or when student data is compromised. If the latter is the case, these reports will have been included in our study.
Our team sifted through several different education resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US education providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to schools and colleges. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.
Key findings
From 2018 to July 2024:
- 491 ransomware attacks on schools and colleges
- 8,054 separate schools and colleges were potentially affected
- 6,705,758 individual records were breached in these attacks
- Ransom demands varied from $5,000 to $40 million with the average ransom being just less than $1.4 million
- Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
- On average, schools lose 10.7 days to downtime with 2023 seeing the longest periods of all the years covered (12.6 days of downtime)
- The overall cost of these attacks is estimated at around $2.54 billion
- Ryuk dominated in 2019, followed by Pysa in 2020/21. Vice Society was the top noted strain in 2022, while LockBit and Medusa have dominated over the last year or so
The true cost of ransomware attacks on the US education sector
As mentioned previously, ransom demands vary by millions of dollars. Plus, only a handful of providers publicly release the figures involved; we could only find ransom demand figures for 51 of the attacks. Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as it may incentivize further attacks.
However, some of the biggest-known ransom demands on US schools and colleges are:
- Broward County Public Schools – April 2021, $40 million: Conti demanded this extortionate ransom after hitting the Florida school district in April 2021. The district offered $500,000 but Conti would only lower its demands to $10 million. The district refused to pay which led to the publication of stolen files and a breach of nearly 49,000 records.
- Michigan State University – May 2020, $6 million: MSU also refused to meet its hackers’ (Netwalker) demands. Subsequently, 7,276 people were notified of a data breach following the attack, and the university spent nearly $1.1 million on remediation efforts.
- Monroe College – July 2019, $2 million: After being locked out of its systems, Monroe College was presented with a $2 million ransom from an unknown group of hackers. The college declined to say whether or not it paid the ransom. No data breach was ever reported.
Based on all of the figures we’ve collated, we know:
- Average ransom demand:
- 2024 (to July) – $733,000
- 2023 – $495,000
- 2022 – $533,000
- 2021 – $7.3 million (due to the $40m demand via Conti mentioned above)
- 2020 – $905,000
- 2019 – $414,000
- 2018 – $10,000
- Ransom demanded (known cases):
- 2024 (to July) – $2.2 million (3 cases)
- 2023 – $9.4 million (19 cases)
- 2022 – $1.6 million (3 cases)
- 2021 – $43.5 million (6 cases)
- 2020 – $8.1 million (9 cases)
- 2019 – $4.1 million (10 cases)
- 2018 – $10,000 (1 case)
- Average ransom payment:
- 2024 (to July) – N/A
- 2023 – $168,000 (3 cases)
- 2022 – $325,000 (2 cases)
- 2021 – $547,000 (1 case)
- 2020 – $192,000 (4 cases)
- 2019 – $44,000 (5 cases)
- 2018 – $10,000 (1 case)
As you can see, the average ransom demand overall ($1.4 million) is far higher than the average ransom payment overall ($169,000). Often, hackers will hit their targets with huge ransom demands before negotiating with them. A prime example was the case with Broward County Public Schools in which the ransom was reduced by $30 million. Nevertheless, negotiations will often fail either due to the ransom demand remaining high (as with Broward County) or the targeted organization may use negotiations as a stalling tactic while they try to restore systems.
Adding in downtime
While few schools and colleges reveal whether or not they paid the ransoms and how much was involved, the downtime and recovery periods that arise because of these attacks are often reported. This is due to schools often shutting down for several days and/or systems being down for long periods of time.
According to the figures we did find (for 211 of the attacks), schools suffered an average downtime of 10.7 days overall. The average downtime hasn’t altered much over the last few years, ranging from 8.7 days in 2021 to 12.6 days in 2023. 2024’s average is lower at present (just under seven days) but this will likely rise as more information becomes available.
So how much could this have cost education providers?
To try and estimate this, we’ve used the overall ransomware recovery costs quoted by 26 organizations. Using these amounts, we were able to establish an average cost of downtime per day of $548,185.
According to our findings, the average cost per day by year was as follows:
- 2024 (to July) – $11,429 (1 known case)
- 2023 – $45,237 (3 known cases)
- 2022 – $35,601 (4 known cases)
- 2021 – $3,357,355 (3 known cases)
- 2020 – $576,168 (6 known cases)
- 2019 – $48,244 (9 known cases)
- 2018 – N/A
Due to the wide variation in average downtime costs, we have used the overall average across all years ($548,185) in our estimations where individual costs are unavailable. Using this, we estimate the total cost of ransomware attacks on US schools and colleges since 2018 is $2,543,411,107.
Some of the biggest recovery costs are as follows:
- Buffalo Public Schools – $10 million: While classes were only canceled for one day after its March 2021 attack, Buffalo Public Schools spent weeks investigating the attack and bolstering its systems. It didn’t pay the ransom to the hackers responsible (Pysa). The demand was estimated to be between $100,000 and $300,000.
- Baltimore County Public Schools – $9.7 million: After its attack in November 2020, BCPS canceled classes for three days but was still recovering from the attack over a year later. It didn’t pay the ransom to its unknown hackers.
- Morehead State University – $4 million: It took more than a month for MSU to recover from its July 2023 ransomware attack, which was carried out by Akira. Recovery efforts cost approximately $4 million but only 20 to 21 people were identified to have had their data breached in the attack. It’s unclear whether or not the university paid a ransom.
Ransomware attacks on US schools and colleges by year
Ransomware really started to take hold in the education sector in 2019, increasing from just 11 attacks in 2018 to 100 in 2019. Figures fell in 2020 to 85 and even further to 69 in 2021 before stabilizing in 2022 (71). In 2023, we saw another huge spike with 121 reported to date (a number of breach notifications are still being processed for last year).
The number of records impacted in these attacks also rose exponentially in 2023 with 2.9 million affected in total (up from 1.2 million 2022). As hackers increase their focus on stealing vast amounts of data, it is clear they have become more tactical in their approach by going after bigger school districts with higher budgets and a larger number of students.
- Number of attacks:
- 2023 – 121
- 2022 – 71
- 2021 – 69
- 2020 – 85
- 2019 – 100
- 2018 – 11
- Number of records affected:
- 2023 – 2,876,984
- 2022 – 1,224,725
- 2021 – 1,004,961
- 2020 – 1,332,215
- 2019 – 25,371
- 2018 – 0
- Average downtime:
- 2023 – 12.55 days
- 2022 – 11.53 days
- 2021 – 8.68 days
- 2020 – 10.71 days
- 2019 – 9.96 days
- 2018 – 12.2 days
- Downtime caused (known cases):
- 2023 – 628 days (50 cases)
- 2022 – 404 days (35 cases)
- 2021 – 217 days (25 cases)
- 2020 – 407 days (38 cases)
- 2019 – 468 days (47 cases)
- 2018 – 61 days (5 cases)
- Estimated downtime caused (based on known cases and average in unknown):
- 2023 – 1,519 days
- 2022 – 819 days
- 2021 – 599 days
- 2020 – 910 days
- 2019 – 996 days
- 2018 – 134 days
- Estimated cost of downtime:
- 2023 – $766m
- 2022 – $391m
- 2021 – $298m
- 2020 – $445m
- 2019 – $447m
- 2018 – $74m
Which state had the most ransomware attacks on schools and colleges?
As we can see from the above map, California had the most ransomware attacks (43) and is closely followed by New York with 42. But as the states with the highest population and fourth-highest populations, this perhaps isn’t too much of a surprise.
If we look at the states with the highest number of records impacted in ransomware attacks, however, things change quite significantly. California and New York drop to twelfth and eighth place, respectively, and were overtaken in the top spots by Washington and Ohio.
Washington’s high figure of 845,950 records affected stems largely from three attacks, all of which occurred in 2023. These were Shoreline Community College with 400,000 records affected, Pierce College with 156,000 records affected, and Edmonds School District with 146,000 records affected. In SCC’s case, a ransom of $228,000 was paid to ransomware group Royal.
Ohio’s biggest breach was in November 2022 when Cincinnati State Technical and Community College was hit by Vice Society. No ransom was paid but 408,189 records were affected. Lakeland Community College also saw a large breach in March 2023 when 285,948 records were affected.
How is 2024 looking for ransomware attacks on schools and colleges?
As we can see from the above table, ransomware attacks across schools have been significantly lower throughout the first seven months of this year. Hackers often target schools in the latter part of the year, so it’s possible we will see an uptick in ransomware attacks on educational institutions for 2024, but it’s unlikely the figures will reach 2023’s high.
Downtime figures and records affected have also dipped so far this year. Because the impact of attacks is often not being felt/reported on accurately until months later, these figures will also rise but, again, are unlikely to get anywhere near the totals noted last year.
North Carolina and Florida have introduced laws to prevent state agencies (including schools) from paying a ransom, with several states considering similar laws (including Arizona, Pennsylvania, New York, and Texas).
Have these laws worked?
It’s hard to tell just yet, but North Carolina and Florida both saw three attacks each in 2023 and two each in 2022. While none have been noted in North Carolina so far this year, two have been reported in Florida. These were the attacks on Webber International University in February via RansomHouse and Florida Memorial University in March via INC. Neither university has provided many details about the incidents at present, although Webber did issue a data breach notification to 5,251 people.
Paying ransoms should be discouraged but legislation banning these payments is only part of the overall solution. It doesn’t prevent the astronomical recovery costs educational facilities face after being targeted with such attacks, nor does it prevent the risk of students’ personal data being posted on the dark web. In fact, refusing to pay ransoms can increase those risks. Focusing on educating schools on the risk of ransomware and how best to prevent these attacks should be a key focus.
With the threat of ransomware attacks across the US and worldwide remaining high across all industries, it’s never been more important to ensure employees are clued up, systems are updated, and frequent backups are being carried out.
Methodology
Our research found 491 ransomware attacks in total affecting 8,054 schools and colleges. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. Where the amount of downtime wasn’t available, we used an estimated number of days based on the average in that particular year.
We looked through each organization’s financial statements and reports (where available) to find out the financial impact of these attacks. We then used these figures and the number of days of downtime to create an average cost of downtime per day. This was then used to estimate the cost of each attack where figures were unavailable. For example, New Mexico Highlands University had to cancel classes for five days and saw recovery costs of $150,000. This creates an average cost of $30,000 per day of downtime.
We have only included ransomware attacks that have specifically targeted an education facility–not a ransomware attack that has affected a third-party used by the schools or colleges, e.g. Blackbaud or MOVEit.
Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.
Data researchers: Charlotte Bond, Danka-Delić, and Rebecca Moody
Sources
For a list of sources, please see our US ransomware tracker.