From 2018 to mid-September 2023, 561 educational institutions have been hit by a ransomware attack. We estimate these attacks cost the world economy more than $53 billion in downtime alone.
While ransomware attacks across other sectors dipped in 2022, the same wasn’t true in education. In fact, attacks on this industry have remained consistently high for the last four years. 2023, however, looks set to be a record-breaking year with a significant uptick in the number of attacks witnessed so far.
During the first half of 2023, we recorded 85 ransomware attacks on schools and colleges/universities across the globe. In the same period of 2022, we noted just 45.
Ransomware attacks on educational facilities can make a huge impact on students’ education, teachers’ resources, and key learning systems. But they can also have far-reaching consequences when data is stolen by hackers.
Below, we explore how ransomware attacks have developed across the educational sector, including what countries the attacks have occurred in, whether or not ransoms have been paid, what ransoms have been demanded, and how much downtime has been caused as a result.
Please note: while we may have logged a higher number of attacks in one country compared to another, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.
Key findings:
From 2018 to mid-September 2023, we found:
- 561 confirmed ransomware attacks on schools and colleges/universities with 2020 and 2022 seeing the most attacks (116 each)
- Over 6.7 million individual records were breached as a result of these attacks–at least
- Schools (education up to the age of 16) accounted for the most breaches, but colleges/universities (ages 16+) have become more targeted in recent years. The latter also account for the vast majority of records impacted (5.7 million compared to just over 1 million)
- Ransom demands varied from $1,000 to $40 million
- On average, hackers demanded $1.5 million, suggesting around $1 billion in ransom payments has been demanded in total
- Hackers received $4.2 million in ransom payments across 16 attacks
- Downtime varied from a couple of hours to 36 days
- The average downtime from attacks has been consistent from 2018, being around six to eight days. 2023’s average so far is 11.6 days
- The overall cost of downtime is estimated at $53.4bn
- Ryuk was the most prolific ransomware strain in 2019, followed by Pysa in 2020 and 2021. Vice Society claimed a huge number in 2022 but has been joined by LockBit, Royal, Medusa, and Rhysida in 2023
Ransomware attacks on schools and colleges by month and year
As previously mentioned, the number of ransomware attacks on the education sector has remained pretty consistent over the last four years.
2023 is on track to exceed these figures, especially as many attacks are confirmed weeks or months after they’ve occurred. So far this year (up to mid-September), we have tracked 102 attacks. In the same period of 2022 (which includes all of September), we logged 73.
The number of records impacted in these attacks has also increased this year. Throughout all of 2022, just under 1.2 million records were breached in ransomware attacks on schools and colleges. Throughout 2023 so far, over 1.5 million have been affected (again, record figures are often confirmed months down the line when the true impact is known).
- Number of attacks:
- 2023 (to mid-Sep) – 102
- 2022 – 116
- 2021 – 107
- 2020 – 116
- 2019 – 104
- 2018 – 16
- Number of records impacted:
- 2023 (to mid-Sep) – 1,526,850
- 2022 – 1,191,393
- 2021 – 2,643,209
- 2020 – 1,332,215
- 2019 – 25,371
- 2018 – 2,000
- Average downtime:
- 2023 (to mid-Sep) – 11.6 days
- 2022 – 7.9 days
- 2021 – 5.8 days
- 2020 – 6.8 days
- 2019 – 6.2 days
- 2018 – 8 days
- Downtime caused (known cases):
- 2023 (to mid-Sep) – 593 days (51 cases)
- 2022 – 316 days (40 cases)
- 2021 – 244 days (42 cases)
- 2020 – 278 days (41 cases)
- 2019 – 260 days (42 cases)
- 2018 – 32 days (4 cases)
- Estimated downtime caused (based on known cases and average in unknown):
- 2023 (to mid-Sep) – 1,185 days
- 2022 – 915 days
- 2021 – 622 days
- 2020 – 787 days
- 2019 – 644 days
- 2018 – 128 days
- Estimated cost of downtime:
- 2023 (to mid-Sep) – $14.8bn
- 2022 – $11.4bn
- 2021 – $7.8bn
- 2020 – $9.8bn
- 2019 – $8bn
- 2018 – $1.6bn
How do things differ between schools and colleges?
Even though schools have seen a higher number of attacks overall (319 compared to 240–two entities cover all ages so are omitted from this), colleges have caught up in recent years. In 2022, more colleges/universities were targeted than schools (61 compared to 54) and this remains the same this year so far (52 compared to 50).
Ransomware attacks on colleges/universities also appear to have a greater impact. The number of records affected is much higher (5.7 million for colleges compared to just over 1 million for schools–for all years) and downtime is more significant (an overall average of 7.2 for schools compared to 8.8 for colleges/universities).
Schools are hit with higher ransom demands, though. Overall, colleges have received an average ransom demand of $1.3 million, while schools averaged $1.7 million.
The true cost of ransomware attacks on schools and colleges
As we’ve already noted, ransom demands on the education sector varied dramatically from $1,000 to $40 million. Conti demanded the latter from Broward County Public Schools in April 2021 before reducing the figure to $10 million–but the school district refused to pay. Conti went on to release stolen data which affected over 48,600 people.
Other big ransom demands include:
- Hope Sentamu Learning Trust – $18.3 million: Hit by unknown hackers in December 2022, the Trust was asked to pay £15 million GBP to regain access to its internal network. From the offset, the Trust said it wouldn’t pay any ransom out of principle.
- Regionaal Opleidingen Centrum (ROC Mondriaan) – $4.72 million: Another unknown group of hackers targeted ROC in August 2021 before demanding €4 million EUR. The institution refused to pay.
- Università di Pisa – $4.5 million: ALPHV/BlackCat targeted the University of Pisa in June 2022 before asking for $4.5 million to decrypt systems and prevent the release of stolen data.
- Autonomous University of Barcelona – $3.9 million: In October 2021, Pysa rendered the university’s systems unusable. A month later, it was still struggling to return to normal but refused to pay the ransom.
- University of California San Francisco (School of Medicine) – $1.4 million: While this isn’t one of the ‘biggest’ ransom demands as such (it ranks 15th in our data), it is the largest known ransom payment in this sector. In June 2020, the University paid NetWalker $1.14 million to decrypt its systems and restore data.
Based on the data that is available, we were able to determine the following:
- Average ransom demand:
- 2023 (to mid-Sep) – $352,200
- 2022 – $3.3m
- 2021 – $5.6m
- 2020 – $521,600
- 2019 – $396,500
- 2018 – $7,500
- Ransom demanded (known cases):
- 2023 (to mid-Sep) – $8.5m (24 cases)
- 2022 – $26.2m (8 cases)
- 2021 – $56.2m (10 cases)
- 2020 – $6.3 million (12 cases)
- 2019 – $4.4m (11 cases)
- 2018 – $15,000 (2 cases)
- Total ransom paid (known cases):
- 2023 (to mid-Sep) – $328,000 (2 cases)
- 2022 – $650,000 (2 cases)
- 2021 – $547,000 (1 cases)
- 2020 – $2.6m (6 cases)
- 2019 – $445,000 (6 cases)
- 2018 – $10,000 (1 cases)
Even though these ransoms are eye-watering in many cases, they are low when compared to other industries. As of time of writing, the education sector’s average ransom amounted to $1.5 million, government and healthcare organizations averaged around $2.1 million, and businesses a whopping $7.6 million. This is likely due to ransoms often being calculated based on a business’s worth.
Adding in downtime
Although ransom demands may be lower in the education sector, downtime is high. Causing downtime is one of the main priorities for cybercriminals when carrying out a ransomware attack. Schools can ill-afford for systems to go down as this often means lessons are disrupted or even canceled as a result.
As our findings suggest, downtime can extend for weeks and the effects felt for months after.
According to a report in 2017, the average cost of downtime (across 20 different industries) is $8,662 per minute. Based on that figure, schools and colleges around the world have lost an estimated $53 billion to downtime from ransomware attacks.
Although high, many educational institutions report million-dollar losses/expenses when recovering from a ransomware attack. For example, Buffalo School District was reported to be spending $10 million in response to its ransomware attack in March 2021, and the Autonomous University of Barcelona was given €3.7 million (around $3.9 million USD) from the government to aid its recovery efforts.
Schools and colleges remain a key focus for ransomware hackers
The fact that the education sector didn’t see the same dip in attacks as other industries last year highlights how schools and colleges remain a focus for ransomware hackers. Add to this the ongoing spike in ransomware attacks across all industries, and the threat of these cyber attacks remains high–if not higher–for the education sector.
As students have gone back to school after the summer holidays, a spate of cyber attacks took place. While many are still being confirmed (and the term ‘ransomware’ often avoided), it is likely we’ll see another spike over the coming months. As hackers seek to steal larger volumes of data, too, the number of records involved in these attacks will likely rise as well.
Methodology
Using the database from our ransomware attack map, our research found 561 ransomware attacks on the education sector in total. From this data, we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused.
If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we created estimates from these figures based on the lowest figure they could be. For example, “several days” were calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).
For a full list of sources, please see our worldwide ransomware tracker.