Ransomware attacks on US schools and colleges cost 945bn
Since 2018, Comparitech recorded 491 ransomware attacks on US schools and colleges that breached more than 6.7 million individual records. We estimate that these attacks cost education institutions over $2.5 billion in downtime alone. Most schools faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks.

Over the last few years, ransomware attacks have become an increasing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data.

2023 saw a record-breaking number of attacks with 121 in total, 50 higher than the total recorded in 2022 (71). The number of days of downtime caused by these attacks has also increased in recent years, rising from just under nine days in 2021 to 12.6 days in 2023.

On average, it costs a US educational institution $550,000 per day of downtime it suffers as a result of a ransomware attack.

What is the true cost of these ransomware attacks across the education sector in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2024?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting schools and colleges since 2018. Many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. Information might only be released to the public when the school must acknowledge the breach due to disrupted systems or when student data is compromised. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different education resources (specialist IT news, data breach reports, and state reporting tools) to collate as much data as possible on ransomware attacks on US education providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to schools and colleges. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

From 2018 to July 2024:

As mentioned previously, ransom demands vary by millions of dollars. Plus, only a handful of providers publicly release the figures involved; we could only find ransom demand figures for 51 of the attacks. Understandably, organizations don't want to discuss ransom amounts or whether they have paid these, as it may incentivize further attacks.

However, some of the biggest-known ransom demands on US schools and colleges are:

Based on all of the figures we've collated, we know:

As you can see, the average ransom demand overall ($14 million) is far higher than the average ransom payment overall ($169,000). Often, hackers will hit their targets with huge ransom demands before negotiating with them. A prime example was the case with Broward County Public Schools, in which the ransom was reduced by $30 million. Nevertheless, negotiations will often fail, either due to the ransom demand remaining high (as with Broward County) or because the targeted organization may use negotiations as a stalling tactic while they try to restore systems.

While few schools and colleges reveal whether or not they paid the ransoms and how much was involved, the downtime and recovery periods that arise because of these attacks are often reported. This is due to schools often shutting down for several days and/or systems being down for long periods of time.

According to the figures we did find (for 211 of the attacks), schools suffered an average downtime of 10.7 days overall. The average downtime hasn't altered much over the last few years, ranging from 8.7 days in 2021 to 12.6 days in 2023. 2024's average is lower at present (just under seven days), but this will likely rise as more information becomes available.

So how much could this have cost education providers?

To try and estimate this, we've used the overall ransomware recovery costs quoted by 26 organizations. Using these amounts, we were able to establish an average cost of downtime per day of $548,185.

According to our findings, the average cost per day by year was as follows:

Due to the wide variation in average downtime costs, we have used the overall average across all years ($548,185) in our estimations where individual costs are unavailable. Using this, we estimate the total cost of ransomware attacks on US schools and colleges since 2018 is $2,543,411,107.

Some of the biggest recovery costs are as follows:

Ransomware really started to take hold in the education sector in 2019, increasing from just 11 attacks in 2018 to 100 in 2019. Figures fell in 2020 to 85 and even further to 69 in 2021, before stabilizing in 2022 (71). In 2023, we saw another huge spike with 121 reported to date (a number of breach notifications are still being processed for last year).

The number of records impacted in these attacks also rose exponentially in 2023, with 2.9 million affected in total, up from 1.2 million in 2022. As hackers increase their focus on stealing vast amounts of data, it is clear they have become more tactical in their approach by going after bigger school districts with higher budgets and a larger number of students.

As we can see from the above map, California had the most ransomware attacks (43) and is closely followed by New York with 42. But as the states with the highest and fourth-highest populations, this perhaps isn't too much of a surprise.

If we look at the states with the highest number of records impacted in ransomware attacks, however, things change quite significantly. California and New York drop to twelfth and eighth place, respectively, and were overtaken in the top spots by Washington and Ohio.

Washington's high figure of 845,950 records affected stems largely from three attacks, all of which occurred in 2023. These were Shoreline Community College with 400,000 records affected, Pierce College with 156,000 records affected, and Edmonds School District with 146,000 records affected. In SCC's case, a ransom of $228,000 was paid to ransomware group Royal.

Ohio's biggest breach was in November 2022, when Cincinnati State Technical and Community College was hit by Vice Society. No ransom was paid, but 408,189 records were affected. Lakeland Community College also saw a large breach in March 2023, when 285,948 records were affected.

As we can see from the above table, ransomware attacks across schools have been significantly lower throughout the first seven months of this year. Hackers often target schools in the latter part of the year, so it's possible we will see an uptick in ransomware attacks on educational institutions for 2024, but it's unlikely the figures will reach 2023's high.

Downtime figures and records affected have also dipped so far this year. Because the impact of attacks is often not being felt/reported on accurately until months later, these figures will also rise but, again, are unlikely to get anywhere near the totals noted last year.

North Carolina and Florida have introduced laws to prevent state agencies, including schools, from paying a ransom, with several states considering similar laws, including Arizona, Pennsylvania, New York, and Texas.

Have these laws worked?

It's hard to tell just yet, but North Carolina and Florida both saw three attacks each in 2023 and two each in 2022. While none have been noted in North Carolina so far this year, two have been reported in Florida. These were the attacks on Webber International University in February (via RansomHouse) and Florida Memorial University in March (via INC). Neither university has provided many details about the incidents at present, although Webber did issue a data breach notification to 5,251 people.

Paying ransoms should be discouraged, but legislation banning these payments is only part of the overall solution. It doesn't prevent the astronomical recovery costs educational facilities face after being targeted with such attacks, nor does it prevent the risk of students' personal data being posted on the dark web. In fact, refusing to pay ransoms can increase those risks. Focusing on educating schools on the risk of ransomware and how best to prevent these attacks should be a key focus.

With the threat of ransomware attacks across the US and worldwide remaining high across all industries, it's never been more important to ensure employees are clued up, systems are updated, and frequent backups are being carried out.

Our research found 491 ransomware attacks in total, affecting 8,054 schools and colleges. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. Where the amount of downtime wasn't available, we used an estimated number of days based on the average in that particular year.

We looked through each organization's financial statements and reports (where available) to find out the financial impact of these attacks. We then used these figures and the number of days of downtime to create an average cost of downtime per day. This was then used to estimate the cost of each attack where figures were unavailable. For example, New Mexico Highlands University had to cancel classes for five days and saw recovery costs of $150,000. This creates an average cost of $30,000 per day of downtime.

We have only included ransomware attacks that have specifically targeted an education facility, not a ransomware attack that has affected a third party used by the schools or colleges, e.g. Blackbaud or MOVEit.

Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.

Data researchers: Charlotte Bond, Danka Delić, and Rebecca Moody

For a list of sources, please see our US ransomware tracker.