Reducing ransomware recovery costs in education

2024 continued the trend of ransomware attacks in the education sector making headlines. The year opened with Freehold Township School District in New Jersey canceling classes due to a ransomware attack. Students at New Mexico Highlands University missed classes for several days while employees experienced disruption of their paychecks after a ransomware attack. The attack on the Alabama Department of Education served as a reminder that all school systems are vulnerable.

The year closes with some positive news about ransomware in the education sector. Sophos State of Ransomware in Education 2024 found that ransomware attacks on educational institutions decreased in 2024. Attacks on higher-education institutions dropped from 79% reporting attacks in 2023 to 66% in 2024. Lower education saw a similar decrease, from 80% in 2023 to 63% in 2024. However, the attack rates for both are still higher than the global cross-sector average of 59%.

Not surprisingly, a recent study also found that students are impacted by ransomware attacks on the education sector. A study from Action1 found that the majority (64%) of education IT workers report that ransomware impacts education quality. Researchers found the reasons for the attacks are multifold, including that 44% devote only 10% of their IT budget to cybersecurity and the majority of schools (78%) do not employ cybersecurity specialists.

In an NPR article, Noelle Ellerson Ng with the School Superintendents Association said that the reason for targeting the education sector is that schools are often low-hanging fruit. Additionally, she points to the fact that school systems, which collect a lot of valuable data from both students and employees, often are the largest employers in a community.

“That makes it very, very ripe,” says Ng. “And then you layer on the fact that [the data] is so sensitive and so longitudinal and so personal, and there’s a huge vulnerability.”

Even with the decline, schools should continue to focus on reducing their vulnerabilities.

Here are some ways schools can reduce ransomware risk:

• Install antivirus and anti-malware software on all devices. Be sure to also include tablets and phones. Make sure that updates and patches are installed on a timely basis.
• Provide training to all employees and students. Teach good cybersecurity practices, including choosing strong passwords and how to avoid being a victim of phishing. Continually send reminders on not clicking on unknown links or downloading suspicious files.
• Install filtering software. By filtering out potentially malicious links and files, you can reduce the chance of students or employees falling victim to a phishing scheme.
• Use multi-factor authentication (MFA). Because ransomware attacks can start with unauthorized access, educational organizations should take extra steps to ensure that every user who logs in is who they claim to be. With MFA, users must use email, text or token in addition to a password, adding an extra layer of security.

While the decrease in attacks was positive, Sophos’ report found a troubling trend, the recovery costs have more than doubled for ransomware attacks in education. Lower-education organizations reported a mean cost of USD 3.76 million to recover from a ransomware attack in 2024, compared to USD 1.59 million. Researchers found the increase even higher in higher education, more than four times higher from 2023 to 2024 (USD 1.06 million to USD 4.02 million).

Here are ways to reduce recovery costs:

• Back up your data. In addition to backing up data in real-time, educational institutions should take precautions to secure the backups, such as by using air-gapped backups as well as immutable backups that cannot be erased. Sophos found that costs for lower-education institutions whose backups were compromised were five times higher (USD 3 million versus USD 562,500) than those who had a backup to revert to.
• Segment the network. When a ransomware attack happens on a segmented network, cyber criminals can encrypt only the portion of the network that they accessed. By reducing the amount of data breached and the systems impacted, schools can significantly reduce recovery time and costs.
• Create an incident response plan. Often, the recovery is extended due to schools not containing the ransomware quickly enough. Additionally, business disruption also adds to the recovery time. With an incident response plan, employees know exactly what to do when a ransomware attack occurs by including the four fundamentals of a response plan, planning, detection, recovery and post-incident actions.

Recovery costs are also increasing due to the changes in the ransom payment patterns and amounts. When an educational organization pays the ransom to gain access to their data, that exponentially increases the recovery costs.

The Sophos Report found that the decision to pay the ransom has increased in both higher and lower education. In 2023, 56% of educational organizations attacked by ransomware paid the ransom, compared with 67% in 2024. The number of higher-education institutions paying the ransom also increased from 47% to 62%.

Additionally, the amount of the ransom has increased, which also adds to the rising recovery costs. The average ransom in lower education was USD 3.9 million, with 44% of demands of more than USD 5 million. Higher education demands also increased to USD 4.4 million. Ransoms in critical infrastructure sectors, such as education, tend to be higher due to the urgency of restoring operations as well as the sensitive nature of the data. Additionally, cyber criminals increasingly use double extortion, demanding a ransom to unencrypt the data and then a second ransom to not make the data public, which increases recovery costs.

While the decrease in attacks is positive, educational organizations must pay attention to the rising recovery costs. Because every dollar spent in education towards recovering from an attack means money is not available for learning, the costs of ransomware recovery are even more impactful than other sectors. By proactively taking steps to both reduce risks and reduce recovery costs, educational organizations can keep their focus on what matters most, educating students.