
Ransomware attacks on US schools and colleges cost $6.62bn in 2020

by Sudhir kumar


In 2020, 77 individual ransomware attacks affected over 1,740 schools and colleges, potentially impacting 1.36 million students. We estimate that these attacks cost education institutions $6.62 billion in downtime alone. Most schools will have also faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks.

Over the last few years, ransomware attacks have become an increasing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data. But what we did notice in 2020 was that while the number of individual attacks decreased quite significantly, the number of schools and students impacted by the attacks grew sharply. This suggests hackers targeted larger school districts with bigger annual budgets, hoping to cause greater disruption and increase their ransom payment demands.

This trend looks as though it has continued in 2021, too, exemplified by the “bizarre” $40 million ransom request made to Broward County Public Schools in April.

So, what is the true cost of these ransomware attacks across the education sector in the US, how has the ransomware threat changed over the last few years, and what has happened in the first half of 2021?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting schools and colleges since 2018. However, many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. It is often only when the school has to acknowledge the breach due to disrupted systems or lost student data that information about the attack is released to the public. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different education resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US education providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to schools and colleges. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Key findings

In 2020:

  • 77 individual ransomware attacks on schools and colleges–a 20 percent decrease from 2019
  • Over 1,740 separate schools and colleges were potentially affected–a 39 percent increase from 2019
  • 1,358,035 individual students could have been impacted–a 67 percent increase from 2019
  • Ransom amounts varied from $10,000 to over $1 million
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
  • On average, schools lose nearly 7 days to downtime and spend 55.4 days recovering from the attack
  • Hackers received at least $1,909,058 in ransom payments
  • The overall cost of these attacks is estimated at around $6.62 billion

Recently, many schools have been subject to double-extortion attempts where hackers not only lock them out of critical systems but steal data and threaten to post it online if the ransom isn’t paid. Recent examples include Somerset Independent School District, Union Community School District, and Affton School District.

Which state had the most ransomware attacks on schools and colleges in 2020?

As we can see from the above map, Texas had the most ransomware attacks, accounting for 13 percent of the attacks in 2020. But as the state with the second-highest population in the US, this isn’t too much of a surprise. The most populated state, California, was a close second with 9 reported ransomware attacks in 2020.

Based on the number of students potentially impacted by the ransomware attacks on these schools and colleges, the most heavily affected state changes accordingly.

Nevada had the highest number of impacted students in 2020 with 328,991 students affected by one single breach. Hackers targeted Clark County School District, which is the fifth-largest school district in the US with 374 individual schools. As the county didn’t pay the requested ransom, the hackers (Maze) dumped student records. The data breach report filed says 44,139 students were thought to have been affected by this aspect of the attack. The county and its staff and students also faced ongoing system disruptions in the month that followed.

Due to its larger number of attacks, Texas also had a high number of students affected–245,460 in total. This was closely followed by Virginia (195,408) and Maryland (115,038).

Nevada saw the highest percentage of students impacted by ransomware attacks in 2020

With such a huge school district being attacked in 2020, it’s no surprise that Nevada is the state with the highest percentage (54%) of students impacted by ransomware attacks last year.

After Nevada came Virginia (10.5 percent of students affected) and Maryland (8.8 percent of students affected). The states with the highest number of attacks, Texas and California, saw 3.6 percent and less than 1 percent of their students impacted by ransomware attacks, respectively.

How much did these ransomware attacks cost schools and colleges in 2020?

As mentioned previously, ransom demands varied dramatically from $10,000 to over $1 million. Plus, only a handful of providers publicly release the figures involved (we could only find ransom demands for 9 out of the 77 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as it may incentivize further attacks.

What we do know, however, is the following:

  • The University of California San Francisco paid $1.14 million to NetWalker hackers after they encrypted data within the School of Medicine’s servers
  • Imperial Valley College paid Sodinokibi hackers $55,068 after they rendered the college’s servers inaccessible 11 days before the Fall semester was due to start
  • Athens Independent School District paid hackers $50,000 to regain access to student grades, class assignments, student schedules, and teacher communications
  • Sheldon Independent School District negotiated a payment of $206,931 from $350,000 because a crucial server had been encrypted in the attack
  • The University of Utah paid hackers $457,000 to prevent them from releasing data stolen during the attack

Adding in downtime

While few schools and colleges reveal whether or not they paid the ransoms and how much was involved, the downtime and recovery periods that arise because of these attacks are often reported. This is due to schools often shutting to students for several days and/or systems being down for long periods of time.

As we have already seen, servers may be taken offline for hours, weeks, and even months. And in some cases, data and/or computers are unrecoverable.

According to the figures we did find (for 39 out of 77 attacks), schools suffered an average downtime of just under 7 days in 2020. But the recovery process lasted 55.4 days. Downtime relates to schools being shut and/or services being largely unavailable, while the recovery period may mean schools are open but certain servers, devices, and services are unavailable.

Based on these figures, ransomware attacks may have caused 201 days of downtime and 1,108 days of recovery time in 2020.

So how much could this have cost education providers?

A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries). This would mean the cost of downtime to education organizations in 2020 was around $6.62 billion. This is $1.6 billion less than 2019’s figure ($8.2 billion) but over 10.5 times 2018’s figure of $623.7 million.

Even though these figures may seem extremely high, they are in line with (and perhaps conservative compared to) publicly revealed figures from schools. For example, Baltimore County Public Schools reported recovery costs of around $8.1 million after its November 2020 attack. And Michigan State University’s recovery from its May 2020 attack is estimated at around $3 million.

Key findings from January 2018 to June 2021:

Our team has logged all of the ransomware attacks from January 2018 to June 2021. During this time:

  • 222 individual ransomware attacks have been carried out on schools and colleges
  • 3,880 individual schools and colleges and nearly 3.04 million students have been potentially impacted
  • Schools and colleges have suffered an estimated 1,387 days of downtime due to ransomware attacks with around 9,525 days spent on recovery efforts
  • 22 schools/colleges revealed the amount involved in their recovery efforts with nearly $19.2 million spent by these entities in total. This is an average of nearly $960,000
  • Ransom requests varied from $5,000 to $40 million
  • Hackers have received at least $2.95 million in ransom payments with the average payment being $268,000
  • Hackers have requested at least $59.1 million in ransom payments with the average request being $2.47 million
  • We estimate that downtime has cost schools and colleges over $17.3 billion with potential recovery costs adding millions (if not billions) to the total

State-by-state figures. Columns are grouped as TOTALS, 2021 (to June), 2020, 2019, 2018; within each group the columns are Attacks, Schools Affected, Students Disrupted, Cost of Downtime ($).

Alabama 4 160 95,997 185,228,208 1 11 11,695 0 1 46 23,882 87,312,960 2 103 60,420 97,915,248
Alaska 1 1 5,027 86,439,830 1 1 5,027 86,439,830
Arizona 3 32 207,236 197,701,488 1 10 196,000 87,312,960 2 22 11,236 110,388,528
Arkansas 3 8 9,104 146,561,040 2 6 7,889 60,121,210 1 2 1,215 86,439,830
California 18 288 245,479 1,469,851,315 3 53 58,421 269,921,779 9 98 85,995 594,351,792 6 137 101,063 605,577,744
Colorado 1 1 6,908 85,441,968 1 1 6,908 85,441,968
Connecticut 9 145 73,172 624,038,198 2 43 20,690 98,913,110 6 91 47,934 512,651,808 1 11 4,548 12,473,280
Delaware 0 0 0 0
Florida 4 390 289,459 359,479,930 1 331 269,172 47,647,930 2 34 11,478 224,519,040 1 25 8,809 87,312,960
Georgia 3 47 36,207 172,754,928 1 4 2,131 24,946,560 1 37 30,221 85,441,968 1 6 3,855 62,366,400
Hawaii 0 0 0 0
Idaho 2 32 17,290 110,388,528 2 32 17,290 110,388,528
Illinois 9 70 87,869 774,840,154 5 11 16,847 433,072,282 4 59 71,022 341,767,872
Indiana 6 35 21,001 319,315,968 2 12 5,499 72,594,490 1 3 1,298 86,439,830 3 20 14,204 160,281,648
Iowa 5 17 31,980 482,341,738 2 5 24,329 197,327,290 1 7 3,841 24,946,560 2 5 3,810 260,067,888
Kansas 3 37 42,414 223,645,910 2 2 19,527 173,752,790 1 35 22,887 49,893,120
Kentucky 0 0 0 0
Louisiana 10 195 113,179 887,848,070 3 45 18,669 261,065,750 7 150 94,510 626,782,320
Maine 1 8 3,548 85,441,968 1 8 3,548 85,441,968
Maryland 1 178 115,038 86,439,830 1 178 115,038 86,439,830
Massachusetts 6 114 49,715 382,680,231 2 21 10,336 60,121,210 2 66 26,033 172,879,661 1 15 7,268 87,312,960 1 12 6,078 62,366,400
Michigan 7 46 76,539 493,068,759 2 16 9,986 85,067,770 3 24 64,632 260,192,621 1 3 1,215 85,441,968 1 3 706 62,366,400
Minnesota 2 14 4,409 149,679,360 1 6 1,728 87,312,960 1 8 2,681 62,366,400
Mississippi 8 60 27,656 550,071,648 3 29 12,998 142,943,789 3 26 9,561 259,319,491 1 4 2,950 85,441,968 1 1 2,147 62,366,400
Missouri 8 69 50,301 688,774,522 3 55 35,959 85,067,770 1 1 2,967 261,938,880 4 13 11,375 341,767,872
Montana 5 27 9,008 432,947,579 3 22 8,555 260,192,621 2 5 453 172,754,958
Nebraska 2 28 14,239 133,089,898 1 6 2,049 47,647,930 1 22 12,190 85,441,968
Nevada 2 394 338,025 171,881,798 1 374 328,991 86,439,830 1 20 9,034 85,441,968
New Hampshire 1 3 413 85,441,968 1 3 413 85,441,968
New Jersey 7 49 39,252 621,917,741 2 15 12,643 24,946,560 2 5 2,185 172,879,661 3 29 24,424 424,091,520
New Mexico 6 108 56,568 519,262,646 2 29 13,487 173,752,790 4 79 43,081 345,509,856
New York 16 138 97,247 1,066,215,974 3 72 42,656 149,679,360 4 11 10,245 173,752,790 8 53 42,782 680,417,424 1 2 1,564 62,366,400
North Carolina 10 87 68,570 1,090,913,069 1 1 18,646 47,647,930 6 70 41,452 608,571,331 3 16 8,472 434,693,808
North Dakota 0 0 0 0
Ohio 5 68 38,032 295,741,469 2 56 29,525 172,879,661 3 12 8,507 122,861,808
Oklahoma 5 172 107,394 343,264,666 1 68 43,828 47,647,930 1 11 4,741 37,419,840 3 93 58,825 258,196,896
Oregon 2 22 12,227 110,014,330 1 9 6,095 47,647,930 1 13 6,132 62,366,400
Pennsylvania 7 26 15,481 540,093,024 1 1 538 47,647,930 1 1 538 86,439,830 5 24 14,405 406,005,264
Rhode Island 0 0 0 0
South Carolina 4 26 23,208 345,634,589 2 11 16,401 172,879,661 1 3 1,700 85,441,968 1 12 5,107 87,312,960
South Dakota 0 0 0 0
Tennessee 1 1 1,141 37,419,840 1 1 1,141 37,419,840
Texas 19 439 306,105 1,453,012,387 4 57 40,201 190,591,718 10 346 245,460 904,437,533 5 36 20,444 357,983,136
Utah 1 1 32,852 86,439,830 1 1 32,852 86,439,830
Vermont 0 0 0 0
Virginia 6 247 204,517 631,522,166 3 228 195,408 423,218,390 3 19 9,109 208,303,776
Washington 6 68 50,943 541,964,016 1 8 13,761 47,647,930 2 19 10,842 261,065,750 3 41 26,340 233,250,336
West Virginia 1 26 12,238 85,441,968 1 26 12,238 85,441,968
Wisconsin 2 3 1,265 147,808,368 1 2 253 62,366,400 1 1 1,012 85,441,968
Wyoming 0 0 0 0
Totals: 222 3,880 3,038,253 17,302,060,917 39 789 824,095 1,859,017,655 77 1,741 1,358,035 6,618,821,296 96 1,257 814,496 8,200,557,966 10 93 41,627 623,664,000

How does 2020 compare to previous years?

Ransomware really started to take hold in the education sector in 2019. With just 10 attacks reported in 2018 but 96 reported in 2019, this was an 860 percent year-on-year increase. As we’ve already noted, this figure fell in 2020 to 77. But, as we’ve seen, this appears to have been in favor of larger, more targeted attacks on bigger school districts with higher budgets and larger numbers of students.

It may also have a lot to do with the pandemic and many schools being shut for a long period of time. If we look at attacks by month, we can see that these really ramped up in the latter half of 2019. Attacks remained high at the start of 2020 but dipped again in March (at the start of the pandemic). With many working from home, this potentially removed some of the effectiveness of the malware as teachers and students weren’t connected to school systems.

Things did, however, start to pick up again when schools started back after the summer break. This again suggests the lower figures for 2020 aren’t due to better defenses from schools or fewer attacks from hackers but the homeschooling that many faced for several months.

  • Number of attacks:
    • 2020 – 77
    • 2019 – 96
    • 2018 – 10
  • Number of students potentially impacted:
    • 2020 – 1,358,035
    • 2019 – 814,496
    • 2018 – 41,627
  • Average downtime:
    • 2020 – 6.93 days
    • 2019 – 6.85 days
    • 2018 – 5 days
  • Average recovery time:
    • 2020 – 55.4 days
    • 2019 – 41.7 days
    • 2018 – 25 days
  • Downtime caused (known cases):
    • 2020 – 201 days (29 cases)
    • 2019 – 267 days (39 cases)
    • 2018 – 15 days (3 cases)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2020 – 530.64 days
    • 2019 – 657.45 days
    • 2018 – 50 days
  • Estimated cost of downtime:
    • 2020 – $6.6bn
    • 2019 – $8.2bn
    • 2018 – $623.7m

How is 2021 looking for ransomware attacks on schools and colleges?

As we can see from the above table, ransomware attacks across schools have remained relatively high in the first half of 2021. And with many attacks often only being revealed after they’ve happened, these figures may rise even higher over the coming months.

Based on what has been reported already for the year, the downtime and recovery times are significantly lower than previous years (just less than 4 days and 26 days respectively). However, with the impact of attacks often not being felt/reported on accurately until months later, we anticipate the 2021 downtime figures to be more in line with previous years.

What we can see, however, is that ransom amounts are high. Aside from the astronomical $40 million we’ve already covered (which was reduced to $10 million by the hackers), several other schools have reported ransoms worth hundreds of thousands. Logansport Schools reported a ransom figure of $777,000, Buffalo Public Schools a figure of $100,000-$300,000, Judson Independent School District a figure of $547,000, and Clover Park School District a figure of $350,000. Based on all of these figures, this creates an average ransom request of at least $2.35 million and as much as $8.39 million.

Methodology

Our research found 222 ransomware attacks in total affecting 3,880 schools and colleges. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the schools where no downtime figures were available. Using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates for how much school closures and severe disruptions may have cost. This only took into consideration the amount of downtime schools suffered due to ransomware attacks–it does not cover the recovery period and expenses that follow.

We have only included ransomware attacks that have specifically targeted an education facility–not a ransomware attack that has affected a third-party used by the schools or colleges, e.g. Blackbaud.

Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.

Data researchers: George Moody, Rebecca Moody

Sources

For a list of attacks and sources, please request access here.
