Ransomware’s Threat to Education

Last updated on May 8th, 2024 at 11:46 pm

A postit note with the text "Ransomware attack Are you at risk? No Yes" with two markers next to it.
Photo ID: 705543756 © olanstock/DepositPhotos.com

Educational organizations are often at the top of a cybercriminal’s list of potential targets. That’s because they hold a lot of valuable data but rarely have much budget for cybersecurity. Ransomware gangs, in particular, have been aggressively targeting the sector. 

In this post, I’ll dive into ransomware and the threat it poses to educational institutions, their staff and students. As part of this, I’ll present some sobering statistics from threat intelligence service ecrime.ch. Then I’ll look at what’s being done to defend educational institutions against this threat.

You can also check out the infographic accompanying this post below or download a higher quality version of it here.

# Ransomware in Education.
## What is ransomware
Ransomware is a form of malware that encrypts files and/or steals data from an infected device. Cybercriminals then demand the victim pay a ransom to unlock their files and/or prevent the criminals from publishing the stolen data on the dark web.

## Consequences of an attack in the education sector
Learning disruptions, data loss, financial loss, publication of data

## A growing threat
Data from ecrime.ch
A bar chart comparing the number of educational organizations listed on ransomware leak sites from 2022 and through July 2023. Every month of 2023 so far has surpassed the corresponding month of 2022.

## Most prolific ransomware gangs
Data from ecrime.ch

1. Vice society
2. Lockbit 2.0
3. Lockbit 3.0
4. HiveLeaks
5. AvosLocker

1. Lockbit 3.0
2. Cl0p
3. Vice Society
4. Royal
%. Rhysida
Infographic made in Venngage using data from ecrime.ch.

What is ransomware?

Traditional ransomware is malware that encrypts files on an infected device, making it impossible for the victim to open or use them. The cybercriminals responsible for the malware would then demand the victim pay a ransom to decrypt their files and make them usable again.

As the threat of ransomware became more well known, however, companies began backing up their data so they could restore their files without paying a ransom. Groups of cybercriminals responsible for the malware, known as ransomware gangs, saw their profits dwindling and so adopted a new strategy. 

Instead of just encrypting files, the criminal gangs started stealing a copy of them, too. They then threatened to release the stolen data onto the dark web unless the ransom was paid. Some gangs have since completely stopped encrypting files, focusing instead on data theft in a “pure extortion” approach.

A rising threat to educational organizations

Data from ecrime.ch
A bar chart comparing the number of educational organizations listed on ransomware leak sites from 2022 and through July 2023. Every month of 2023 so far has surpassed the corresponding month of 2022.
So far this year, ransomware gangs have listed more educational organizations on their leak sites each month than the corresponding month last year. Data from ecrime.ch.

According to data from ecrime.ch, ransomware gangs listed 125 educational organizations on their data leak sites in 2022. Between January and July 2023, cybercriminals had already surpassed that number, claiming 150 institutions. 

As the organizations listed on dark web leak sites only include those that did not pay the ransom, at least initially, the total number of educational institutions breached by ransomware is likely much higher.

A variety of different ransomware gangs are behind these attacks. Some, such as Vice Society, specifically target educational organizations. Others, such as Cl0p, attack a wide range of industries but still hit the educational sector heavily. Some, like Royal, have attacked schools only to claim later they had a change of heart. Any such claims should be viewed with suspicion, however.

Most prolific ransomware gangs in education in 2022:
1. Vice Society
2. LockBit 2.0
3. Lockbit 3.0
4. HiveLeaks
5. AvosLocker
Vice Society targeted the most educational institutions in 2022. Data from ecrime.ch.

Last year, Vice Society was the most prolific criminal gang targeting educational institutions. LockBit 2.0, LockBit 3.0, HiveLeaks and AvosLocker rounded out the top five. These five gangs named 82 out of 125 educational institutions listed on leak sites in 2022.

Most prolific ransomware gangs in education Jan-July 2023
1. Lockbit 3.0
2. Cl0p
3. Vice Society
4. Royal
5. Rhysida.

LockBit 3.0 targeted the most educational institutions Jan-July 2023. Data from ecrime.ch.

The five most prolific ransomware gangs targeting educational institutions this year are LockBit 3.0, Cl0p, Vice Society, Royal and Rhysida. Combined, they listed 85 out of the 150 educational institutions that were named on ransomware data leak sites.

The impact of ransomware on educational organizations

Consequence of an attack in the education sector:
Learning disruptions, data loss, financial loss, publication of data
The consequences of a ransomware attack on an educational institution can be severe. Image made in Venngage.

Ransomware attacks can cause significant harm to educational institutions and those served by them. A typical attack can disrupt education, cause data loss, financially harm the victim organization and make sensitive information public. Let’s look at each of these in turn.

Disrupting education

Schools affected by ransomware often have to cancel classes while they deal with the aftermath of the attack, disrupting students’ education. According to Comparitech, schools had an average of 11.65 days of ransomware-induced downtime in 2022.

Data loss

An educational organization attacked by ransomware may find it cannot restore all its crucial files, even if it paid the ransom. Fortunately, a recent report from Sophos found 100% of higher, and 99% of lower, educational institutions successfully recovered their data, either by using backups or paying the ransom.

However, in a different survey, Sophos found that 1 in 10 organizations (not just educational institutions) from the UK and France retrieved none of their data after paying the ransom. This is something educational institutions should keep in mind if they are considering paying a ransom.

Financial harm

Educational organizations face high costs after a ransomware attack, regardless of whether they pay the ransom. That’s because they still need to pay for labor and new devices, for example. Downtime can also cause them to incur costs by preventing them from recruiting students or wooing donors.

A report by Sophos found it cost lower educational institutions $1.59 million and higher educational institutions $1 million to recover from an attack in 2022.

Sometimes, the financial strain caused by ransomware is too much for an educational institution to bear. For example, Lincoln College was forced to close in 2022, after being unable to recover financially when ransomware brought down its systems.

Making private information public

Ransomware gangs can steal and publish sensitive data from educational institutions, putting the personal information of students and staff at risk. Unfortunately, this can have devastating consequences.

For example, the Medusa ransomware gang leaked highly sensitive information from the Minneapolis School District on both the dark and clear web earlier this year. The leaked data included reports of rape, abuse and mental health issues, as well as students’ addresses, dates of birth, and social security numbers. This has deeply violated the students’ privacy and made them vulnerable to identity theft.

Future plans

Businessman on blurred background using digital padlock with data protection 3D rendering
Photo ID: 180865048 © sdecoret/DepositPhotos.com

The government fortunately recognizes the threat posed by ransomware and has recently taken steps to help educational institutions defend themselves. 

Last month, Jessica Rosenworcel, Chairwoman of the Federal Communications Commission, proposed a pilot program to invest $200 million over three years to help schools beef up their cyber defenses. While this is a start, experts say schools need considerably more investment to defend themselves from ransomware attacks.

More help is hopefully on the way after the White House held the very first summit on strengthening cybersecurity in K-12 schools this month.

As part of its plan to help protect schools from cyberattacks, the Biden administration announced the creation of a Government Coordinating Council to foster collaboration between the government and the education sector.

The administration also announced that a number of technology companies, including Amazon Web Services, Cloudflare and Google, were offering free or low cost services to schools to help them defend themselves.

The takeaway

Ransomware gangs are ruthlessly attacking educational institutions, harming both students and educators. The government has recently taken some much needed first steps to protect schools from this threat. However, we’ll have to wait and see if it’s enough to make a difference.

Leave a Comment

Your email address will not be published. Required fields are marked *