Sophos report reveals education sector's ransomware battle
Sophos has unveiled the latest findings from its "The State of Ransomware in Education 2024" report, shedding light on the challenges educational institutions face in dealing with ransomware attacks.
The report highlights significant issues within both lower and higher education sectors regarding ransomware payment demands, recovery times, and attack strategies.
According to the report, the median ransom payment in the education sector was USD $6.6 million for lower education and USD $4.4 million for higher education institutions. Notably, a considerable proportion of the respondents paid more than the initial demand, with 55% of lower education and 67% of higher education respondents indicating so.
The recovery process from these attacks appears to be increasingly arduous. Only 30% of ransomware victims surveyed in both lower and higher education sectors managed to fully recover within a week or less. This rate has decreased from last year's figures, which saw 33% in lower education and 40% in higher education achieving such quick recovery. The slower recovery times are attributed to the limited resources and teams within educational institutions, complicating coordination efforts.
Chester Wisniewski, director and field CTO at Sophos, commented on the situation, stating, "Unfortunately, schools, universities and other educational institutions are targets that are beholden to municipalities, communities and the students themselves, which inherently creates high pressure situations if they are hit and destabilised by ransomware." He added, "These two factors could be contributing to why victims feel so much pressure to pay."
Wisniewski further noted the evolving tactics of ransomware attackers, explaining, "We also know that ransomware attackers have upped the ante when it comes to getting paid. Compromising their victims' backups is now a mainstream element of ransomware attacks, giving adversaries the opportunity to subsequently increase the ransom demand when it is clear that the data cannot be recovered without the decryption key."
The report revealed that 95% of respondents experienced attempts by cybercriminals to compromise their backups during the attack, with 71% reporting that these attempts were successful. This high rate of backup compromise significantly increases recovery costs, multiplying the financial burden five times in lower education and four times in higher education settings.
Despite the persistent challenges, the overall rate of ransomware attacks in the education sector has seen a decrease over the past year. Sixty-three percent of lower education and 66% of higher education organisations reported being hit by ransomware, compared to prior rates of 80% and 79%, respectively. However, the rate of data encryption during these attacks has slightly increased, with 85% of lower education and 77% of higher education attacks resulting in encrypted data, up from 81% and 73% respectively. The report also indicated that cybercriminals are increasingly not only encrypting data but also stealing it. 22% of lower education organisations and 18% of higher education institutions that had data encrypted reported that some data was also stolen during the attacks.
In examining the root causes of these attacks, the survey found that exploited vulnerabilities were a leading factor, accounting for 44% of lower education and 42% of higher education ransomware attacks. This points to the need for improved vulnerability management within educational institutions.
Wisniewski highlighted the importance of a multi-layered security approach for schools and universities. He suggested, "Educational organisations need to focus on the controls that will have the greatest impact. With the median ransomware recovery cost for education now hitting USD $3 million, it's clear that investing in strong prevention and protection solutions can considerably reduce the overall financial impact of cyber attacks on educational organisations."
The survey, which included responses from 600 cybersecurity and IT leaders across 14 countries, underscored that law enforcement and official government bodies play an influential role post-attack. Nearly all respondents engaged with these entities, resulting in significant support and advice on handling and investigating the attacks.