3.65 billion reasons why ransomware is a costly threat to school IT systems

A little bit of good news: The number of ransomware attacks and the downtime they cause declined in 2021.
By: | June 23, 2022

$3.56 billion: That’s what ransomware attacks cost U.S. schools and colleges—in downtime alone—in 2021. Administrators also faced additional “astronomical recovery costs” to restore computers, recover data, and fortify their systems against future attacks, a new report says.

In 2021, 67 individual ransomware attacks—which essentially take a computer network hostage and can bring operations to a screeching halt for days—hit 954 schools and colleges that served more than 950,000 students, says a report by Comparitech, a company that reviews and researches cybersecurity products. The little bit of good news is that the attacks and the downtime they cause declined in 2021.

Still, the attacks have been deeply disruptive. In a relatively new wrinkle, some districts faced “double-extortion” attempts where hackers locked down computer systems and stole data that they threatened to post online. Hackers demanded $40 million from Broward County Public Schools, which offered to pay $500,000. The hackers reduced their ransom to $10 million before posting 25,971 of the Florida district’s files online. Hackers also posted thousands of files online when Clover Park School District in Washington and the Logansport Community School Corporation in Indiana did not pay ransoms in separate attacks, the report says.

Sometimes, the recovery costs far exceeded the ransom demand. Buffalo Public Schools in New York refused to pay a $100,000 to $300,000 ransom but spent an estimated $10 million on recovery costs. Judson ISD in Texas, however, paid $547,000 to prevent the release of sensitive data and regain control of its phone and email systems, the report says.

FETC 2023

The Future of Education Technology® Conference takes place live and in-person Jan. 23-26, 2023, in New Orleans. Register now!

The attacks can also be catastrophic. Lincoln College, a historically Black college in Illinois, closed for good in May after it could not recover from the combined blows of COVID and a December 2021 ransomware attack that blocked access to all institutional data and severely disrupted admissions. It was only when the college’s networks were restored that administrators realized the gravity of significant enrollment shortfalls.

Measuring the full impact of these cyber-crimes on education is difficult because some schools and colleges do not report the attacks publically, particularly when a ransom has been paid. Administrators are forced to disclose the incidents when student data is compromised or systems are significantly disrupted. Administrators are also more likely to publicize an attack when a ransom isn’t paid.

Here are some of the report’s key figures:

  • 19% decrease: The number of attacks on schools and colleges in 2021 compared to 2020
  • 46% decrease: The number of schools and colleges targeted in 2021 compared to 2020
  • $100,000 to $40 million: The range of ransoms demanded
  • 4 days: The average downtime caused by cyberattacks
  • 1 month: The average time it takes to recover from an attack
  • $547,000: The ransom hackers were paid in one attack
  • 6: The number of incidents reported in New York, the state with the most attacks

So far this year, ransomware attacks and downtimes have been lower across K-12. However, districts often don’t disclose the attacks until after they’ve happened. “We are seeing a promising trend of reduced downtime and attacks,” the report says. “While hackers may be becoming more targeted in their approach, the lower downtime figures suggest schools are more prepared for these attacks and are better able to restore their systems from backups or mitigate the effects of the attacks.”

More from DAHow 3 ed-tech leaders will help their districts avoid the ESSER fiscal cliff 

Interested in edtech? Keep up with DA's Future of Education Technology Conference®.