From the perspective of ransomware attackers, you couldn’t ask for a better target than schools and universities. On the one hand, these institutions often host highly sensitive data, which attackers can encrypt and hold for ransom. At the same time, IT departments in the education sector have a tendency to be under-resourced, making it extra challenging for schools and universities to implement robust defenses against ransomware.
The good news is that educational institutions can definitely protect themselves against ransomware. Doing so requires an understanding of the unique challenges that ransomware presents in this sector, as well as deployment of tools and practices capable of safeguarding the sensitive information schools and universities store on digital systems.
What is ransomware?
Ransomware is a type of cyberattack in which threat actors typically encrypt an organization’s data, then demand payment – in other words, a “ransom” – to decrypt it. In some cases, ransomware attacks may also include threats to release private information publicly if the targeted organization doesn’t pay a ransom. Even when organizations pay, however, there is no guarantee that they won’t suffer harm. About fifty percent of the time, ransomware attackers don’t decrypt data despite receiving ransoms.
The goal behind most ransomware attacks is to extort money from an organization by convincing it that paying the ransom is the only way to avoid a harmful outcome. Unless the organization has a disaster recovery plan in place that allows it to restore information without paying the ransom, it may well decide that paying off attackers is its only option.
Although ransomware attacks date back to the 1980s, they have become especially prevalent over the past decade. As of 2024, about 59 percent of organizations reported having experienced ransomware attacks.
The state of ransomware in education
Ransomware can affect organizations of all types and sizes, across all industries. However, the education sector has become a main target for ransomware attacks.
In 2023, Forbes reported that K-12 schools in the U.S. topped the list of the types of organizations most frequently impacted by ransomware. In the same year, research from Sophos showed that 80 percent of IT staff who work at schools reported that their organizations were impacted by ransomware in the past year, and that the prevalence of ransomware in education was only growing worse.
As for universities, while they’re not at the very top of the list of organizations most frequently hit by ransomware, they haven’t fared much better than K-12 schools. Ransomware attacks targeting higher education institutions surged 70 percent in 2023 compared to the previous year.
Why schools and universities are attractive ransomware targets
Why are schools and universities such a frequent target of ransomware attacks? The answer is two-fold.
First, these types of institutions often store highly sensitive information. This includes not just standard personal information associated with students, such as names and addresses, but also data such as mental health records, which were exposed in a ransomware attack against Los Angeles public schools, and information about sexual assault cases, which were also compromised in a ransomware attack.
Most organizations store important or sensitive information that ransomware threat actors might target, of course. But in education, the information at risk of attack tends to be especially high-stakes. In this sense, the education sector is on par with industries like finance and healthcare in possessing information that can be especially lucrative when threat actors hold it for ransom.
The second factor that makes educational institutions compelling targets is that they sometimes lack extensive IT and cybersecurity resources. Budgeting constraints can make it challenging for organizations in this sector to hire enough IT staff. And even when they are able to create sufficient roles, attracting and retaining top talent can be hard because schools and universities tend to offer less compelling salaries than private industry. This is why, as NPR put it, “schools don’t have great cybersecurity, and attackers have caught on.”
The impact of ransomware attacks on education
Ransomware attacks in the education sector have a variety of consequences – including but not limited to financial fallout.
Financial costs
From a financial perspective, the costs can be quite steep. According to Sophos research, K-12 schools targeted by ransomware pay an average of $3.76 million to recover, while in higher education the sum is $4.02 million. And those are just the direct costs associated with recovery. An additional cost is system downtime caused by ransomware, which can increase operating expenses because it requires schools and universities to reschedule events or pay staff for longer hours. Downtime costs caused by ransomware in education amounted to $53 billion between 2018 and 2023.
Disruption to learning
In addition to financial costs, ransomware attacks against schools and universities also significantly disrupt learning. They can lead to canceled classes, make it impossible to submit grades or look up student records and even cause issues like locking students out of buildings due to disruption of the digital systems that control entry.
Reputational harm and loss of prestige
Reputational harm is another consequence of ransomware. In the education sector especially – and above all, in higher education – institutional prestige carries a great deal of weight and is often a key factor in determining where students enroll. When universities experience major ransomware breaches, their ability to recruit and retain students might suffer.
Compliance violations
Last but not least, ransomware attacks may trigger compliance violations for schools and universities. Some of the data that these institutions host is protected by regulations like FERPA, which governs student records. Failure to protect that data adequately from ransomware attacks may lead to allegations that educational institutions fell short of meeting compliance obligations.
Strategies for preventing ransomware at schools and universities
With the right protections in place, educational institutions can protect themselves against ransomware. In general, the measures they should take are the same as those that any type of organization should adopt to mitigate ransomware risks – but there are some special considerations for ransomware prevention strategies that apply to the education sector.
Implementing strong cybersecurity measures
Ransomware defense starts with implementing strong protections. The endpoints, networks, and data resources that exist within the IT estates of schools and universities should be protected with antivirus software and kept up-to-date to help prevent security vulnerabilities.
That said, a particular challenge that schools and universities face is that they often do not directly control all of the devices connected to their networks. For example, college students might log in using personal laptops. For this reason, educational institutions should recognize that their ability to prevent ransomware by strengthening cyber defenses is limited.
Investing in user training
Training users to recognize and avoid ransomware attack techniques, such as phishing, can also help. Here again, however, schools and universities face a special challenge in that many of their end-users are students who may be challenging to train in ransomware prevention best practices. It’s unreasonable to expect fifth graders to become experts in identifying social engineering attacks, for example. So, while user training is another effective step toward preventing ransomware in schools, it’s hardly a foolproof solution.
Email filtering and spam detection
Scanning institutional email systems for phishing emails and other malicious content is another way to help mitigate ransomware threats. But once again, it’s an imperfect solution, especially in the education sector. Students, and in some cases instructors as well, may sometimes use personal email accounts, limiting the effectiveness of email filtering and spam detection.
Backup and recovery planning
Since other approaches to ransomware prevention can never guarantee that successful attacks won’t occur, backup and recovery planning is another essential element in ransomware mitigation for schools and universities. When all other defenses fail, the ability to recover from backups allows institutions to restore operations without paying a ransom.
Effective backup and recovery planning requires more than simply generating backups on a periodic basis. Educational institutions should also consider strategies like cross-cloud and cross-account backup and recovery, which enable recovery in situations where attackers compromise the primary cloud environment or account that an organization depends on. Immutable backups, which prevent attackers from deleting or encrypting backup data, can also help to maximize the chances of successful recovery. Regular recovery testing and drills, too, are valuable practices for ensuring that the recovery plans an organization has in place will actually prove effective when ransomware strikes.
Mitigating ransomware risks in education with N2WS
When schools and universities choose N2WS as their data backup and disaster recovery solution, they get much more than simple data backup. N2WS offers advanced features like cross-cloud and cross-account recovery, immutable backups and the ability to back up critical configuration settings in addition to data and applications.
With N2WS, educational institutions can operate with the confidence that, should ransomware strike, they’re primed to recover without having to pay costly ransoms, experience extended downtime, disrupt student learning, take a hit to their reputations or run afoul of compliance obligations.
Learn more by requesting an N2WS trial.
Chris Tozzi
Chris, who has worked as a journalist and Linux systems administrator, is a freelance writer specializing in areas such as DevOps, cybersecurity, cloud computing, and AI and machine learning. He is also an adviser for Fixate IO, an adjunct research adviser for IDC, and a professor of IT and society at a polytechnic university in upstate New York.