Our State of Ransomware 2022 report documented 64 publicly reported ransomware attacks against the education sector, representing a massive 48.8% increase on 2021. This alarming increase saw the education sector move from second place in 2021 to first place in the 2022 ransomware rankings, above both government and healthcare, two of the other most highly targeted sectors.
The US reported the most attacks in the sector, with around 45 incidents making headlines throughout the year. Within the US, ransomware groups mostly targeted school districts, with student numbers ranging from 259 to 565,000, followed closely by universities and further education. California was the most targeted state with around 9 attacks, including LAUSD, one of the most notable attacks of 2021, which saw 500GB of sensitive data exfiltrated and leaked by the Vice Society criminal gang.
Extortion Reigns Supreme
When it came to the attackers, Vice Society took the lead with a total of 9 publicly disclosed attacks, followed by BlackCat and LockBit. However, it’s worth noting that a large number of attacks on education have remained unclaimed to date. Ransomware groups claimed 48.4% of attacks, which is a notable increase against the 11.6% of claimed attacks in education during 2021. This is likely due to the increase in data exfiltration leading to extortion attempts. When the organization fails to negotiate with the cybercriminals or pay the ransom, samples of the exfiltrated data are more likely to end up on the group’s data leak site.
Data exfiltration was involved in 34 of the 64 recorded incidents that we know of. We expect this figure to rise, as data breaches following these incidents are typically disclosed many months later. Data held by schools is sensitive in nature, and the personally identifiable information it contains relating to employees, students (past and present) and their families makes it a desirable target for criminal gangs.
Due to skills shortages, resourcing and budgetary issues, the education sector is often regarded as low-hanging fruit for attackers. Data exfiltration is often the main incentive, as the integrity of the data is highly important not only to the schools but also to the individuals within them, making a ransom payment more probable as a way to avoid a range of consequences such as legal action.
Glory and Money
Other motivations behind attacks on this sector are often unclear. However, during an attack on Mars K-12 district, Vice Society gave us a glimpse of the mentality behind the groups when Pennsylvania law prevented the school from entering into ransom negotiations and payments. The criminal gang stated to media outlet DataBreaches.net that “we don’t care about laws. Any attacked company is glory or money. They can choose what to give us. We love both of it.”
Ransom demands and payments are subjects rarely discussed by education establishments in response to attacks. Glenn County Office of Education made news when they had a ransom demand of $1 million and ended up paying $400,000 to Quantum for the decryption key to unlock their data. We also saw the University of Pisa in Italy get hit with a massive 4.5 million Euro ransom. Ransom amounts vary and although some do not appear to be exceptionally high value, for some smaller school districts or community colleges, paying any ransom is not an option due to budgetary constraints.
The fallout from a ransomware attack can be devastating, as it was for Lincoln College in Illinois. The 157-year-old college was forced to close its doors following a 2021 attack. The college was able to survive multiple disasters including a major fire, the Spanish Flu, the Great Depression, World Wars and the 2008 global financial crisis, but a ransomware attack proved to be the final straw.
What Can We Learn?
As long as the education sector continues to be under-resourced when it comes to cybersecurity investment, the sector will continue to be at the top of the ransomware statistics in 2023. Educational institutions rely heavily on cyber insurance, with 78% adopting it. While previous claims have been successful for most institutions, new restrictions threaten to change the cyber insurance landscape in 2023.
Educational institutions need to take action and ensure they are doing everything they can to prevent attacks in order to preserve or obtain coverage. The key takeaway for those responsible for IT within the sector is that it’s not a question of if, but when. Without an investment in next generation cybersecurity tools like anti data exfiltration to prevent attacks, they may be the next headline and may find insurance isn’t the answer.