Addressing a ransomware attack is a costly process. Leaders are faced with sky-high recovery costs to restore computers, recover data and bolster their security systems to ensure they never fall victim again. But just how much are school leaders spending?
In 2023, we saw a record-breaking number of ransomware attacks with 121 against K12 schools and higher education institutions, according to a new analysis from Comparitech, a cybersecurity and privacy product review site. That’s 50 more than the total recorded in 2022.
Additionally, the average days of downtime caused by these attacks has also increased, from nearly nine days in 2021 to 12.6 days in 2023.
Perhaps the most significant finding from the research is the cost of ransomware attacks in education. On average, it costs schools and universities around $550,000 per day of downtime.
Comparitech also compiled a list of some of the most expensive ransomware demands and recovery costs since the company began tracking such data in 2018. Here are some examples:
- Broward County Public Schools – April 2021, $40 million: The district offered $500,000 but Conti, the ransomware gang, would only lower its demands to $10 million. The district refused, which led to the publication of stolen files and a breach of nearly 49,000 records.
- Michigan State University – May 2020, $6 million: Michigan State also refused to pay the demands made by Netwalker. As a result, 7,276 people were notified of a data breach after the attack. The university spent nearly $1.1 million in recovery costs.
- Buffalo Public Schools – $10 million in recovery costs: Classes were only canceled for one day after its March 2021 attack. However, the district spent weeks investigating the attack and improving its security systems.
- Morehead State University – $4 million: It took more than a month for Morehead State to recover from its July 2023 ransomware attack. Only about 20 people were notified of a data breach.
Additional data
Here are some additional facts about the state of ransomware in education and how costly these attacks can be for schools:
- Average ransom demand in 2024 (to July): $733,00
- Ransom demanded (known cases) through July 2024: $2.2 million (3 cases)
- Average ransom payment through July 2024: N/A. Was $168,000 in 2023 (3 cases)
The researchers predict that we’ll see an increase in attacks in the fall and winter.
“Hackers often target schools in the latter part of the year, so it’s possible we will see an uptick in ransomware attacks on educational institutions for 2024, but it’s unlike the figures will reach 2023’s high,” the analysis reads.
More from DA: Let’s take a look at back-to-school’s ‘Big 3’