K–12 Ransomware Attacks Rose 43% in 2022, Encryption Used More Often, Survey Shows

Schools Report 99% Data Recovery, Heavy Reliance on Backups, More Ransoms Paid; Average Recovery Cost was $1.59M

Eight out of 10 K–12 school districts surveyed for Sophos’ 2023 State of Ransomware Report said they were hit by ransomware last year — a 43% increase from the previous year’s results — making the K–12 education sector the most-popular ransomware target in 2022.

Across all sectors, 66% of the organizations surveyed were attacked by ransomware in 2022, the same percentage as the previous year.

Cybersecurity-as-a-service provider Sophos commissioned the vendor-agnostic survey of 3,000 IT and cybersecurity leaders from the Americas, Asia Pacific, and EMEA, including 200 K– 12 IT practitioners; the survey was conducted January through March of this year, according to the report.

The survey found that 80% of K–12 organizations were impacted by ransomware in 2022, with 81% of those attacks including data encryption, which represents a 13% increase in encryption tactics. The overall percentage of ransomware attacks that included data encryption was 76%, “the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020,” the company said.

Of the K–12 respondents whose data was encrypted, attackers also stole data in 27% of cases.

The average ransomware recovery cost for K–12, excluding any ransom payment, stayed about the same, at $1.59 million, Sophos said. The all-sector average recovery cost for 2022 ransomware attacks rose by 30% over the previous year, to $1.82 million.

K–12 organizations reported 99% data recovery post-attack; the average data-recovery rate across all sectors rose to 97%, Sophos said.

To achieve 99% recovery, 73% of K–12 organizations surveyed used backups to restore data, and 47% paid a ransom to get data back, the report said. These figures reveal that K–12 ransomware victims are relying on backups slightly more than other sectors (70%) and paying a ransom at about the same frequency (overall, 46% reported paying a ransom).

K–12 schools paid a ransom more often (47%) in 2022 than the year before (45%). Backups were used to restore data in 73% of 2022 K–12 ransomware attacks, slightly less than the year prior, when 76% of K–12 respondents said they’d relied on backups, Sophos’ report said.

The survey also shows that when organizations across all sectors paid a ransom to get their data decrypted, they ended up doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organizations that used backups to get data back), and their recovery time ran longer.

Only a handful of K–12 respondents shared the exact ransom amount paid in 2022, rendering the results statistically insignificant, Sophos said; anecdotally, the average ransom payment from K–12 respondents who did share this detail was just over $1.2 million. Among all respondents, the average ransom payment almost doubled to $1,542,333 last year. The 2022 median ransom payment reported was $400,000.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes," said Chester Wisniewski, field CTO, Sophos.

“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” Wisniewski said.

The most commonly reported root cause of ransomware attacks across all sectors was an exploited vulnerability (in 36% of cases), followed by compromised credentials (involved in 29% of cases). Among K–12 respondents, 29% of attacks were attributed to a vulnerability; 36% compromised credentials; 19% malicious emails; and 11% phishing — suggesting that school districts still face a challenge of implementing multi-factor authentication and training staff to recognize and avoid suspicious emails.

“Sophos’ latest report is a clarion reminder that ransomware remains a major threat, both in scope and scale. This is particularly true for ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for ransomware prevention, response and recovery,” said Megan Stifel, executive director of the Ransomware Task Force and chief strategy officer, Institute for Security and Technology.

Stifel urged organizations to implement the Ransomware Task Force’s Blueprint for Ransomware Defense, which includes 48 safeguards based on the CIS IG1 Controls.

Read the State of Ransomware 2023 report or learn more at Sophos.com.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].


Featured

  • Neon blue security locks with a single red highlight

    With AI, Cybersecurity Focus Shifts from Finding Flaws to Fixing Them

    For decades, one of cybersecurity's biggest challenges has been finding vulnerabilities before attackers do. A growing number of security professionals now say artificial intelligence is changing that equation, shifting the focus from discovering flaws to fixing them quickly enough to prevent exploitation.

  • abstract glowing cube outlines

    Microsoft Positions Windows as a Platform for AI Agents

    The recent Microsoft Build 2026 developer conference highlighted a significant shift in the company's Windows strategy. Rather than presenting artificial intelligence as a collection of standalone features, Microsoft is increasingly positioning Windows as an operating environment for AI agents.

  • interconnected nodes with currency symbols

    Report: Half of Gen AI Projects Could Exceed Budget by 2028

    Organizations may be underestimating the cost of generative AI as they move from experimentation to production, according to Gartner's "10 Best Practices for Optimizing Generative and Agentic AI Costs" report.

  • Teacher meeting parents discussing student progress in classroom

    Michigan's Flint Community Schools Adopts Human-Centered Approach to Fight Chronic Absenteeism

    In an effort to boost enrollment and combat chronic absenteeism, Michigan's Flint Community Schools has partnered with Concentric Educational Solutions to help address the academic, social, emotional, and environmental factors that prevent students from enrolling, re-enrolling, or attending school.