In 2020, 77 individual ransomware attacks affected over 1,740 schools and colleges, potentially impacting 1.36 million students. We estimate that these attacks cost education institutions $6.62 billion in downtime alone. Most schools will have also faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks.
Over the last few years, ransomware attacks have become an increasing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data. But what we did notice in 2020 was that while individual attack figures decreased quite significantly, the number of schools and students impacted by the attacks grew exponentially. This suggests hackers targeted larger school districts with bigger annual budgets, hoping to cause greater disruption and increase their ransom payment demands.
This trend looks as though it has continued in 2021, too, exemplified by the “bizarre” $40 million ransom request made to Broward County Public Schools in April.
So, what is the true cost of these ransomware attacks across the education sector in the US, how has the ransomware threat changed over the last few years, and what has happened in the first half of 2021?
To find out, our team of researchers gathered information on all of the ransomware attacks affecting schools and colleges since 2018. However, many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. It is often only when the school has to acknowledge the breach due to disrupted systems or lost student data that information about the attack is released to the public. If the latter is the case, these reports will have been included in our study.
Our team sifted through several different education resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US education providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to schools and colleges. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.
- 1 Key findings
- 2 Which state had the most ransomware attacks on schools and colleges in 2020?
- 3 How much did these ransomware attacks cost schools and colleges in 2020?
- 4 Key findings from January 2018 to June 2021:
- 5 How does 2020 compare to previous years?
- 6 How is 2021 looking for ransomware attacks on schools and colleges?
- 7 Methodology
- 8 Sources
- 77 individual ransomware attacks on schools and colleges–a 20 percent decrease from 2019
- Over 1,740 separate schools and colleges were potentially affected–a 39 percent increase from 2019
- 1,358,035 individual students could have been impacted–a 67 percent increase from 2019
- Ransomware amounts varied from $10,000 to over $1 million
- Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
- On average, schools lose nearly 7 days to downtime and spend 55.4 days recovering from the attack
- Hackers received at least $1,909,058 in ransom payments
- The overall cost of these attacks is estimated at around $6.62 billion
Recently, many schools have been subject to double-extortion attempts where hackers not only lock them out of critical systems but steal data and threaten to post it online if the ransom isn’t paid. Recent examples include Somerset Independent School District, Union Community School District, and Affton School District.
Which state had the most ransomware attacks on schools and colleges in 2020?
As we can see from the above map, Texas had the most ransomware attacks, accounting for 13 percent of the attacks in 2020. But as the state with the second-highest population in the US, this isn’t too much of a surprise. The most populated state, California, was a close second with 9 reported ransomware attacks in 2020.
Based on the number of students potentially impacted by the ransomware attacks on these schools and colleges, the most heavily affected state changes accordingly.
Nevada had the highest number of impacted students in 2020 with 328,991 students affected by one single breach. Hackers targeted Clark County School District, which is the fifth-largest school district in the US with 374 individual schools. As the county didn’t pay the requested ransom, the hackers (Maze) dumped student records. The data breach report filed says 44,139 students were thought to have been affected by this aspect of the attack. The county and its staff and students also faced ongoing system disruptions in the month that followed.
Due to its larger number of attacks, Texas also had a high number of students affected–245,460 in total. This was closely followed by Virginia (195,408) and Maryland (115,038).
Nevada saw the highest percentage of students impacted by ransomware attacks in 2020
With such a huge school district being attacked in 2020, it’s no surprise that it’s the state with the highest percentage (54%) of students being impacted by ransomware attacks last year.
After Nevada were Virginia (10.5 percent of students affected) and Maryland (8.8 percent of students affected). Those with the highest number of attacks, Texas and California, saw 3.6 percent and less than a percent of their students being impacted by ransomware attacks respectively.
How much did these ransomware attacks cost schools and colleges in 2020?
As mentioned previously, ransom demands varied dramatically from $10,000 to over $1 million. Plus, only a handful of providers publicly release the figures involved (we could only find ransom demands for 9 out of the 77 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as it may incentivize further attacks.
What we do know, however, is the following:
- The University of California San Francisco paid $1.14 million to NetWalker hackers after they encrypted data within the School of Medicine’s servers
- Imperial Valley College paid Sodinokibi hackers $55,068 after they rendered the college’s servers inaccessible 11 days before the Fall semester was due to start
- Athens Independent School District paid hackers $50,000 to regain access to student grades, class assignments, student schedules, and teacher communications
- Sheldon Independent School District negotiated a payment of $206,931 from $350,000 because a crucial server had been encrypted in the attack
- The University of Utah paid hackers $457,000 to prevent them from releasing data stolen during the attack
Adding in downtime
While few schools and colleges reveal whether or not they paid the ransoms and how much was involved, the downtime and recovery periods that arise because of these attacks are often reported. This is due to schools often shutting to students for several days and/or systems being down for long periods of time.
As we have already seen, servers may be taken offline for hours, weeks, and even months. And in some cases, data and/or computers are unrecoverable.
According to the figures we did find (for 39 out of 77 attacks), schools suffered an average downtime of just under 7 days in 2020. But the recovery process lasted 55.4 days. Downtime relates to schools being shut and/or services being largely unavailable, while the recovery period may mean schools are open but certain servers, devices, and services are unavailable.
Based on these figures, ransomware attacks may have caused 201 days of downtime and 1,108 days of recovery time in 2020.
So how much could this have cost education providers?
A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries). This would mean the cost of downtime to education organizations in 2020 was around $6.62 billion. This is $1.6 billion less than 2019’s figure ($8.2 billion) but over 10.5 times 2018’s figure of $623.7 million.
Even though these figures may seem extremely high, they are in line (and perhaps conservative estimates) with publicly revealed figures from schools. For example, Baltimore County Public Schools reported recovery costs of around $8.1 million after its November 2020 attack. And Michigan State University’s recovery from its May 2020 attack is estimated at around $3 million.
Key findings from January 2018 to June 2021:
Our team has logged all of the ransomware attacks from January 2018 to June 2021. During this time:
- 222 separate individual ransomware attacks have been carried out on schools and colleges
- 3,880 individual schools and colleges have been potentially impacted and nearly 3.04 million students
- Schools and colleges have suffered an estimated 1,387 days of downtime due to ransomware attacks with around 9,525 days spent on recovery efforts
- 22 schools/colleges revealed the amount involved in their recovery efforts with nearly $19.2 million spent by these entities in total. This is an average of nearly $960,000
- Ransom requests varied from $5,000 to $40 million
- Hackers have received at least $2.95 million in ransom payments with the average payment being $268,000
- Hackers have requested at least $59.1 million in ransom payments with the average request being $2.47 million
- We estimate that downtime has cost schools and colleges over $17.3 billion with potential recovery costs adding millions (if not billions) to the total
|TOTALS||2021 (to June)||2020||2019||2018|
|State||Attacks||Schools Affected||Students Disrupted||Cost of Downtime ($)||Attacks||Schools Affected||Students Disrupted||Cost of Downtime ($)||Attacks||Schools Affected||Students Disrupted||Cost of Downtime ($)||Attacks||Schools Affected||Students Disrupted||Cost of Downtime ($)||Attacks||Schools Affected||Students Disrupted||Cost of Downtime ($)|
How does 2020 compare to previous years?
Ransomware really started to take hold in the education sector in 2019. With just 10 attacks reported in 2018 but 96 reported in 2019, this was an 860 percent year-on-year increase. As we’ve already noted, this figure fell in 2020 to 77. But, as we’ve seen, this appears to have been in favor of larger, more targeted attacks on bigger school districts with higher budgets and larger numbers of students.
It may also have a lot to do with the pandemic and many schools being shut for a long period of time. If we look at attacks by month, we can see that these really ramped up in the latter half of 2019. Attacks remained high at the start of 2020 but dipped again in March (at the start of the pandemic). With many working from home, this potentially removed some of the effectiveness of the malware as teachers and students weren’t connected to school systems.
Things did, however, start to pick up again when schools started back after the summer break. This again suggests the lower figures for 2020 aren’t due to better defenses from schools or fewer attacks from hackers but the homeschooling that many faced for several months.
- Number of attacks:
- 2020 – 77
- 2019 – 96
- 2018 – 10
- Number of students potentially impacted:
- 2020 – 1,358,035
- 2019 – 814,496
- 2018 – 41,627
- Average downtime:
- 2020 – 6.93 days
- 2019 – 6.85 days
- 2018 – 5 days
- Average recovery time:
- 2020 – 55.4 days
- 2019 – 41.7 days
- 2018 – 25 days
- Downtime caused (known cases):
- 2020 – 201 days (29 cases)
- 2019 – 267 days (39 cases)
- 2018 – 15 days (3 cases)
- Estimated downtime caused (based on known cases and average in unknown):
- 2020 – 530.64 days
- 2019 – 657.45 days
- 2018 – 50 days
- Estimated cost of downtime:
- 2020 – $6.6bn
- 2019 – $8.2bn
- 2018 – $623.7m
How is 2021 looking for ransomware attacks on schools and colleges?
As we can see from the above table, ransomware attacks across schools have remained relatively high in the first half of 2021. And with many attacks often only being revealed after they’ve happened, these figures may rise even higher over the coming months.
Based on what has been reported already for the year, the downtime and recovery times are significantly lower than previous years (just less than 4 days and 26 days respectively). However, with the impact of attacks often not being felt/reported on accurately until months later, we anticipate the 2021 downtime figures to be more in line with previous years.
What we can see, however, is that ransom amounts are high. Aside from the astronomical $40 million we’ve already covered (which was reduced to $10 million by the hackers), several other schools have reported ransoms worth hundreds of thousands. Logansport Schools reported a ransom figure of $777,000, Buffalo Public Schools a figure of $100,000-$300,000, Judson Independent School District a figure of $547,000, and Clover Park School District a figure of $350,000. Based on all of these figures, this creates an average ransom request of at least $2.35 million and as much as $8.39 million.
Our research found 222 ransomware attacks in total affecting 3,880 schools and colleges. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the schools where no downtime figures were available. Using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates for how much school closures and severe disruptions may have cost. This only took into consideration the amount of downtime schools suffered due to ransomware attacks–it does not cover the recovery period and expenses that follow.
We have only included ransomware attacks that have specifically targeted an education facility–not a ransomware attack that has affected a third-party used by the schools or colleges, e.g. Blackbaud.
Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.
Data researchers: George Moody, Rebecca Moody
For a list of attacks and sources, please request access here.