Just under half (47%) of public and private lower education, or K-12, institutions worldwide hit by a ransomware attack ultimately paid to recover their stolen data, according to a report from U.K.-based cybersecurity firm Sophos.
Nearly three-quarters (73%) of polled lower education providers were able to use backups to restore data following such an attack. The survey, conducted between January and March, included 200 lower education respondents in 14 countries.
Nearly a quarter (23%) used multiple recovery methods to restore data. Recovery costs averaged about $2.18 million for those paying ransoms, compared with $1.37 million for those restoring from backups.
Education has become a prime target for cyberattacks due to a lucrative combination of the amount of sensitive personal data available and an IT funding environment that hasn’t kept pace with cybersecurity staffing and resource needs amid growing digitization. Ransomware is a particularly popular mode of attack in which a perpetrator infiltrates the target’s network with malware that encrypts and locks sensitive data and systems until a ransom is paid.
According to the Sophos report, the rate of ransomware attacks on lower education providers rocketed to 80% in 2023, up from 56% last year. The education sector reported the highest rates of ransomware attacks of any industry polled by the firm.
While the actual number of schools impacted by cyberattacks is often believed to be higher than what’s publicly disclosed, a January report from endpoint protection firm Emsisoft found the number of U.S. schools hit specifically by ransomware climbed to 1,981 in 2022, nearly double the level potentially compromised in 2021.
A global cyberattack on clients of file transfer platform MOVEit tallied multiple education victims, including New York City Public Schools, the Minnesota Department of Education and teacher retirement fund TIAA.
High-profile K-12 ransomware targets in other data breaches have included the Los Angeles Unified School District, Iowa’s Des Moines Public Schools, and Arkansas’ Little Rock School District, the last of which ultimately paid a $250,000 ransom.
The FBI, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center discourage victims from paying ransoms, as there’s no guarantee the files will actually be recovered.