Education sector is battling a significant increase in the number of ransomware attacks, and in some cases is taking months to recover
Sophos in its annual ‘State of Ransomware in Education’ report, has painted a bleak security picture for the educational sector.
The annual ‘State of Ransomware in Education’ report gathers data from around the world and summarises the impact of ransomware attacks on the education sector globally.
The Sophos report found that education institutions – both higher and lower education – are increasingly being hit with ransomware, with 60 percent suffering attacks in 2021 compared to 44 percent in 2020.
As part of its State of Ransomware 2022 report, Sophos asked 730 education respondents – 320 in lower education and 410 in higher education – about their experiences with ransomware.
And it makes for grim reading for security staff.
The findings reveal that Education institutions faced the highest data encryption rate (73 percent) compared to other sectors (65 percent), and the longest recovery time, with 7 percent taking at least three months to recover – almost double the average time for other sectors (4 percent).
Higher education institutions in particular report the longest ransomware recovery time; while 40 percent say it takes at least one month to recover (20 percent for other sectors), 9 percent report it takes three to six months.
Indeed, education institutions report the highest propensity to experience operational and commercial impacts from ransomware attacks compared to other sectors; 97 percent of higher education and 94 percent of lower education respondents say attacks impacted their ability to operate, while 96 percent of higher education and 92 percent of lower education respondents in the private sector further report business and revenue loss.
Only 2 percent of education institutions recovered all of their encrypted data after paying a ransom (down from 4 percent in 2020); schools, on average, were able to recover 62 percent of encrypted data after paying ransoms (down from 68 percent in 2020)
Sophos provided the following video of its findings.
“Schools are among those being hit the hardest by ransomware,” said Chester Wisniewski, principal research scientist at Sophos. “They’re prime targets for attackers because of their overall lack of strong cybersecurity defenses and the goldmine of personal data they hold.”
“Education institutions are less likely than others to detect in-progress attacks, which naturally leads to higher attack success and encryption rates,” Wisniewski added. “Considering the encrypted data is most likely confidential student records, the impact is far greater than what most industries would experience.”
“Even if a portion of the data is restored, there is no guarantee what data the attackers will return, and, even then, the damage is already done, further burdening the victimised schools with high recovery costs and sometimes even bankruptcy,” said Wisniewski.
A good example of this was in May this year when Lincoln College, a private college in the US state of Illinois, announced it would close its doors permanently after 157 years in existence, after it failed to recover from a ransomware attack in December.
“Unfortunately, these attacks are not going to stop, so the only way to get ahead is to prioritise building up anti-ransomware defenses to identify and mitigate attacks before encryption is possible,” said Wisniewski.
Interestingly, education institutions report the highest rate of cyber insurance payout on ransomware claims (100 percent higher education, 99 percent lower education).
However, as a whole, the sector has one of the lowest rates of cyber insurance coverage against ransomware (78 percent compared to 83 percent for other sectors).
“Four out of 10 schools say fewer insurance providers are offering them coverage, while nearly half (49 percent) report that the level of cybersecurity they need to qualify for coverage has gone up,” said Wisniewski.
“Cyber insurance providers are becoming more selective when it comes to accepting customers, and education organisations need help to meet these higher standards,” said Wisniewski. “With limited budgets, schools should work closely with trusted security professionals to ensure that resources are being allocated toward the right solutions that will deliver the best security outcomes and also help meet insurance standards.”
In the light of the survey findings, Sophos recommends the following best practices for all organisations across all sectors:
- Install and maintain high-quality defenses across all points in the environment. Review security controls regularly and make sure they continue to meet the organization’s needs
- Proactively hunt for threats to identify and stop adversaries before they can execute attacks – if the team lacks the time or skills to do this in-house, outsource to a Managed Detection and Response (MDR) team
- Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines and open RDP ports, for example. Extended Detection and Response (XDR) solutions are ideal for this purpose
- Prepare for the worst, and have an updated plan in place of a worst-case incident scenario
- Make backups, and practice restoring from them to ensure minimize disruption and recovery time
The Sophos report certainly showcases the large number ransomware attacks on the education sector worldwide, and establishments on this side of the pond are also very much at risk – and have been for years.
In October 2021 the University of Sunderland admitted that a cyberattack caused “extensive IT issues”, that led to the cancellation of all online classes.
In March 2021 email access for 37,000 students was cut off by a ransomware attack affecting a London-based group of schools (Harris Federation).
The UK education sector was also hit by a wave of ransomware attacks in August and September 2020.
A ransomware incident affecting University College London caused significant disruption in 2017, encrypting shared and networked files belonging to the university.
In 2016 SentinelOne revealed that British universities are being actively attacked by ransomware hackers.