Ransomware attacks knock schools out for months, some don't recover


The wealth of valuable data held in schools makes education institutions lucrative targets. Many don't recover from attacks for months.

While cyberattacks are a heavy burden to any victim, the effect intrusions have on education institutions can be particularly devastating. For example, Lincoln College, established in 1865, had to close up shop recently after a ransomware attack disrupted the admission process last December.

The price of an attack goes way above what threat actors demand in ransom. Even though the Netherlands-based Maastricht University is close to retrieving double the money paid to hackers, heads of the institution say it's not nearly close to covering the actual costs of the attack.

One of the reasons ransomware weighs heavy on education institutions is that schools and universities take the longest to recover from attacks.

According to a recent survey report from cybersecurity firm Sophos, a staggering 9% of higher education schools take over three months to recover from ransomware attacks, more than double the average time for other sectors. A whole quarter of downtime would spell financial disaster even for the strongest organizations.

Scant defensive preparations

Threat actors target education institutions for two key reasons, Chester Wisniewski, a principal research scientist at Sophos, says. First, schools lack strong cybersecurity defenses. Second, there's a wealth of personal data on students.

"Education institutions are less likely than others to detect in-progress attacks, which naturally leads to higher attack success and encryption rates. Considering the encrypted data is most likely confidential student records, the impact is far greater than what most industries would experience," Wisniewski said.

Results of the survey report show that threat actors take note of education institutions more often. 60% of 499 respondents claim to have dealt with a ransomware attack in 2021, up from 44% in 2020. Although it's impossible to know for sure why attackers increase their focus on schools, Wisniewski thinks the growth is related to the level of security.

"They are less well prepared to detect an attack in progress and hence are more often getting to the final stage of an attack where files are stolen and then encrypted or as it is called double extortion," Wisniewski told Cybernews.

Education institutions have the highest data encryption rate (75%) among all sectors (65%). The report's authors claim that the high rate of data encryption shows that education institutions are hardly prepared to withstand ransomware attacks and lack the layered defenses needed to prevent intruders from successful encryption attacks.

Dwindling recovery rate

The report shows that education institutions have gotten better at dealing with the attack's aftermath, as over 98% of victims get some of the encrypted data back. One reason for data recovery is the increasing use of backups, with three-quarters of institutions following the recommendation to keep copies of their data.

However, using backups isn't always enough, as nearly half of victimized institutions resort to paying the ransom. The worst part is that few schools restore all of the data even if they pay the ransom. Merely 4% of victims who paid the ransom retrieved all of their data last year, down from 8% in 2020.

While 62% of those who paid the ransom did restore at least some of the stolen information, Wisniewski thinks succumbing to attackers' demands is never worth it.

"You don't get all your data back, even if you pay. So, why pay at all? You are gambling on which files you may get, even though it is nearly certain you will be missing important files," Wisniewski explained to Cybernews.

According to the report's authors, victims who pay risk becoming a target for further attacks, as threat actors from competing ransomware cartels often attack institutions that have paid in the past.

"Even if a portion of the data is restored, there is no guarantee what data the attackers will return, and, even then, the damage is already done, further burdening the victimized schools with high recovery costs and sometimes even bankruptcy," Wisniewski said.

Generous payments

Another reason threat actors have set their sights on education institutions is that schools tend to make high ransom payments. The survey report shows that lower education schools are among the top three in the amount of ransom paid ($1.97 million).

Nonetheless, ransom payment is only one side of the coin. Nearly 95% of education institutions said ransomware attacks impacted their ability to continue operating, with most private institutions experiencing a loss of revenue.

Long recovery periods can partly explain the loss in revenue. For example, 33% of organizations hit by ransomware took over a month to recover from the most significant attack: 26% took 1-3 months and 7% took 3-6 months to recover.

The report's authors claim that operational disruptions and slow recovery rates translate to high overall remediation costs. Lower education institutions, on average, spend $1.58 million to recover, while higher education schools spend $1.42 million.