Many high-profile ransomware attacks, like last year’s assault on Colonial Pipeline by DarkSide, have focused on corporations. But the bad actors behind those digital assaults don’t limit themselves to the business world. They also appear to be targeting schools.
In 2021, 67 separate ransomware attacks impacted 954 schools and colleges, potentially affecting the data of more than 950,000 students, according to a study by security firm Comparitech. Demands of varying amounts—from $100,000 all the way up to $40 million—were made of the schools in order to regain control of their systems. Few schools reported whether they paid the ransoms, but at least one school paid $547,000, according to Comparitech. In all, the firm estimates, the incidents cost schools more than $3.5 billion in downtime.
The costs go even higher when data recovery, system upgrades, and costs to restore computers are folded in. Some schools were unable to recover.
Lincoln College, a private, predominantly Black university in Illinois that has been around for 157 years, closed permanently last month, citing cyberattacks and the pandemic as reasons. The school had record enrollment in 2019, but the pandemic impacted campus life and limited the school’s ability to raise money. Then, in December, a ransomware attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of fall 2022 enrollment projections,” the school said.
The systems required for recruitment, retention, and fundraising efforts were inoperable after the attack—and while the school paid the hackers a ransom fee, the system didn’t completely come back online until March of this year. By then it was too late. Significant enrollment shortfalls put the school in a hole it couldn’t get out of.
“Lincoln College has been serving students from across the globe for more than 157 years,” wrote David Gerlach, the college’s president, in a statement. “The loss of history, careers, and a community of students and alumni is immense.”
Gathering precise information on ransomware attacks is challenging. The Identity Theft Resource Center notes that reporting on data breaches is inconsistent at best. Of the 367 cyberattacks in the first quarter of 2022, nearly half lacked details about the cause of the breach (such as ransomware or phishing). Companies that pay ransoms are especially reluctant to report the breach.
Based on available data, Comparitech estimates there were 270 separate ransomware attacks on educational institutions between January 2018 and mid-May 2022. Those attacks potentially affected more than 3 million students and nearly 4,300 schools and colleges.
Hackers have collected at least $2.64 million in ransom payments from schools in that time, with the average payment totaling $239,733. The company estimates the additional downtime costs for the attacks in that time frame, however, add up to nearly $20 billion.
California, New York, and Texas have seen the most attacks since 2018, with more than 20 each. Illinois had 13 reported and Pennsylvania saw 12.
Ransomware hit a peak in the education sector in 2019, when attacks jumped to 96 (from just 10 the year before). They’ve shrunk in number slightly since then, but attackers are focusing on school districts with bigger budgets, such as Broward County in Florida, where hackers demanded $40 million. (The school district offered $500,000 as a counteroffer. The group behind the ransomware dropped its demand to $10 million, but ultimately dumped the school’s data—nearly 26,000 files—online.)
The good news is that, so far, 2022 has been a relatively light year for ransomware attacks on schools—and those that are targeted are getting back online faster.
“While hackers may be becoming more targeted in their approach,” Comparitech wrote in its report, “the lower downtime figures suggest schools are more prepared for these attacks and are better able to restore their systems from backups or mitigate the effects of the attacks.”