In 2021, 67 individual ransomware attacks affected 954 schools and colleges, potentially impacting 950,129 students. We estimate that these attacks cost education institutions $3.56 billion in downtime alone. Most schools will have also faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks.

Over the last few years, ransomware attacks have become an increasing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data. However, as our latest data shows, ransomware attacks on US educational institutions are reducing and the length of downtime is also lower.

While promising, the devastating impact ransomware attacks can have on schools and colleges became only too apparent last month. Having been attacked in December 2021, Lincoln College announced in May 2022 that it was shutting its doors permanently. The attack and the impact it had on their systems led to a significant shortfall in enrollments, meaning the college was unable to sustain itself. Worse still, the college had paid the hackers a ransom fee.

So, what is the true cost of these ransomware attacks across the education sector in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2022?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting schools and colleges since 2018. However, many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. It is often only when the school has to acknowledge the breach due to disrupted systems or lost student data that information about the attack is released to the public. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different education resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US education providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to schools and colleges. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Key findings

In 2021:

  • 67 individual ransomware attacks on schools and colleges–a 19 percent decrease from 2020 (83)
  • 954 separate schools and colleges were potentially affected–a 46 percent decrease from 2020 (1,753)
  • 950,129 individual students could have been impacted–a 31 percent decrease from 2020
  • Ransomware amounts varied from $100,000 to a whopping $40 million
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
  • On average, schools lose over four days to downtime and spend almost a month (30 days) recovering from the attack
  • Hackers demanded up to $52.3 million across just six attacks and received payment in two out of 18 cases where the school/college disclosed whether or not it paid the ransom (however, they are more likely to disclose that they haven’t paid the ransom than if they have). In one case, hackers received $547,000
  • The overall cost of these attacks is estimated at around $3.56 billion

Recently, many schools have been subject to double-extortion attempts where hackers not only lock them out of critical systems but steal data and threaten to post it online if the ransom isn’t paid. Recent examples include Broward County Public Schools, Clover Park School District, Somerset Independent School District, Union Community School District, and Affton School District.

Which state had the most ransomware attacks on schools and colleges in 2021?

As we can see from the above map, New York had the most ransomware attacks (7), accounting for just over 10 percent of the attacks in 2021. But as the state with the fourth-highest population, this isn’t too much of a surprise. Texas, the second-most populated state was a close second with six reported ransomware attacks in 2021.

Based on the number of students potentially impacted by the ransomware attacks on these schools and colleges, the most heavily affected state changes accordingly.

Florida had the highest number of impacted students in 2021 with 269,469 students affected in just two attacks. The majority of those affected were from Broward County Public Schools, which is one of the largest school districts in the US with 331 individual schools. The hackers (Conti) demanded $40 million from the district. The district made a counter offer of $500,000 but this wasn’t enough for the hackers who reduced the ransom to $10 million before dumping data online.

Arizona had the second-highest number of impacted students with 196,000 impacted in one attack on Maricopa County Community Colleges District (MCCCD). While the district identified and potentially blocked the ransomware before it infiltrated the system, classes were canceled for a week while systems were restored. This wasn’t the first time MCCCD had suffered such a devastating attack, either, as a breach in November 2013 resulted in recovery costs of almost $26 million.

How much did these ransomware attacks cost schools and colleges in 2021?

As mentioned previously, ransom demands varied dramatically from hundreds to millions of dollars. Plus, only a handful of providers publicly release the figures involved (we could only find ransom demand figures for six out of the 67 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as it may incentivize further attacks.

What we do know, however, is the following:

  • Hackers began emailing students, employees, and even parents of Allen Independent School District after it didn’t pay the ransom. Hackers threatened to increase the ransom demand to $10 million if the original ransom amount (which wasn’t disclosed) wasn’t paid.
  • As we’ve previously seen, hackers demanded an extortionate ransom of $40 million from Broward County Public School. An offer of $500,000 wasn’t enough for the hackers who reduced the ransom to $10 million before posting 25,971 files online.
  • Buffalo Public Schools were subject to a ransom of $100,000 to $300,000 in March 2021. They didn’t pay the ransom but recovery costs were estimated to have been around $10 million. This demonstrates how the cost of restoring systems and recovering data/providing data protection services are often significantly higher than ransom amounts.
  • A month after it was attacked, Judson Independent School District paid a ransom of $547,000 to try and prevent sensitive data from being published online and to get its phone and email systems back.
  • In May 2021, hackers demanded $350,000 in monero from Clover Park School District after encrypting its systems. When the district failed to pay, the attackers (Grief) started to dump data online. In total, 1,583 records were affected in the breach.
  • Hackers demand 13 Bitcoin ($777,000 – at the time) for a decryption tool after they hacked into Logansport Schools’ systems. The data was later dumped by Pysa after the school failed to pay.

Adding in downtime

While few schools and colleges reveal whether or not they paid the ransoms and how much was involved, the downtime and recovery periods that arise because of these attacks are often reported. This is due to schools often shutting to students for several days and/or systems being down for long periods of time.

As we have already seen, servers may be taken offline for hours, weeks, and even months. And in some cases, data and/or computers are unrecoverable.

According to the figures we did find (for 19 of the attacks), schools suffered an average downtime of just over four days in 2021. But the recovery process lasted nearly 30 days. Downtime relates to schools being shut and/or services being largely unavailable, while the recovery period may mean schools are open but certain servers, devices, and services are unavailable.

Based on these figures, ransomware attacks may have caused 285 days of downtime and 1,992 days of recovery time in 2021.

So how much could this have cost education providers?

A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries). This would mean the cost of downtime to education organizations in 2021 was around $3.56 billion. This is half 2020’s figure of $7.2 billion but nearly 6 times 2018’s figure of $623.7 million.

Even though these figures may seem extremely high, they are in line (and perhaps conservative estimates) with publicly revealed figures from schools. For example, as we have already seen, Buffalo Public Schools saw recovery costs of around $10 million. Baltimore County Public Schools reported recovery costs of around $8.1 million after its November 2020 attack. And Michigan State University’s recovery from its May 2020 attack is estimated at around $3 million.

Key findings from January 2018 to mid-May 2022:

Our team has logged all of the ransomware attacks from January 2018 to mid-May 2022. During this time:

  • 270 separate individual ransomware attacks have been carried out on schools and colleges
  • 4,278 individual schools and colleges have been potentially impacted and over 3.38 million students
  • Schools and colleges have suffered an estimated 1,600 days of downtime due to ransomware attacks with around 10,987 days spent on recovery efforts
  • 20 schools/colleges revealed the amount involved in their recovery efforts with nearly $30.6 million spent by these entities in total. This is an average of nearly $1.53 million
  • Ransom requests varied from $5,000 to $40 million
  • Hackers have received at least $2.64 million in ransom payments with the average payment being $239,733
  • Hackers have requested at least $59.4 million in ransom payments with the average request being $2.47 million
  • We estimate that downtime has cost schools and colleges nearly $20 billion with potential recovery costs adding millions (if not billions) to the total

How does 2021 compare to previous years?

Ransomware really started to take hold in the education sector in 2019. With just 10 attacks reported in 2018 but 96 reported in 2019, this was an 860 percent year-on-year increase. However, these figures fell in 2020 to 83 and even further to 67 in 2021. But, with the astronomical ransom demanded from Broward County Public Schools and some of the other larger, more targeted attacks on bigger school districts with higher budgets and a larger numbers of students, hackers are perhaps becoming more tactical in their approach.

  • Number of attacks:
  • 2021 – 67
  • 2020 – 83
  • 2019 – 96
  • 2018 – 10
  • Number of students potentially impacted:
  • 2021 – 950,129
  • 2020 – 1,378,073
  • 2019 – 814,496
  • 2018 – 41,627
  • Average downtime:
  • 2021 – 4.26 days
  • 2020 – 6.96 days
  • 2019 – 6.85 days
  • 2018 – 5 days
  • Average recovery time:
  • 2021 – 29.73 days
  • 2020 – 55.4 days
  • 2019 – 41.7 days
  • 2018 – 25 days
  • Downtime caused (known cases):
  • 2021 – 81 days (19 cases)
  • 2020 – 216 days (35 cases)
  • 2019 – 267 days (39 cases)
  • 2018 – 15 days (3 cases)
  • Estimated downtime caused (based on known cases and average in unknown):
  • 2021 – 285.48 days
  • 2020 – 577.85 days
  • 2019 – 657.45 days
  • 2018 – 50 days
  • Estimated cost of downtime:
  • 2021 – $3.56bn
  • 2020 – $7.2bn
  • 2019 – $8.2bn
  • 2018 – $623.7m

How is 2022 looking for ransomware attacks on schools and colleges?

As we can see from the above table, ransomware attacks across schools have been low through the first five months of this year. But with many attacks often only being revealed after they’ve happened, these figures may rise over the coming months.

  • 2021 – 67

  • 2020 – 83

  • 2019 – 96

  • 2018 – 10

  • 2021 – 950,129

  • 2020 – 1,378,073

  • 2019 – 814,496

  • 2018 – 41,627

  • 2021 – 4.26 days

  • 2020 – 6.96 days

  • 2019 – 6.85 days

  • 2018 – 5 days

  • 2021 – 29.73 days

  • 2020 – 55.4 days

  • 2019 – 41.7 days

  • 2018 – 25 days

  • 2021 – 81 days (19 cases)

  • 2020 – 216 days (35 cases)

  • 2019 – 267 days (39 cases)

  • 2018 – 15 days (3 cases)

  • 2021 – 285.48 days

  • 2020 – 577.85 days

  • 2019 – 657.45 days

  • 2018 – 50 days

  • 2021 – $3.56bn

  • 2020 – $7.2bn

  • 2019 – $8.2bn

  • 2018 – $623.7m

Based on what has been reported already for the year, the downtime and recovery times are significantly lower than in previous years (just over two days and 22 days respectively). However, with the impact of attacks often not being felt/reported on accurately until months later, downtime figures may rise but it’s likely they will still be lower than previous years.

We are seeing a promising trend of reduced downtime and attacks. While hackers may be becoming more targeted in their approach, the lower downtime figures suggest schools are more prepared for these attacks and are better able to restore their systems from backups or mitigate the effects of the attacks.

2022 has, so far, been a quieter year when it comes to US-based ransomware attacks as a whole, as our map of US ransomware attacks (updated daily) shows. The same is also true worldwide.

Methodology

Our research found 270 ransomware attacks in total affecting 4,278 schools and colleges. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the schools where no downtime figures were available. Using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates for how much school closures and severe disruptions may have cost. This only took into consideration the amount of downtime schools suffered due to ransomware attacks–it does not cover the recovery period and expenses that follow.

We have only included ransomware attacks that have specifically targeted an education facility–not a ransomware attack that has affected a third-party used by the schools or colleges, e.g. Blackbaud.

Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.

Data researchers: George Moody, Rebecca Moody

Sources

For a list of sources, please request access here.