K–12 Ransomware Attacks Rose 43% in 2022, Encryption Used More Often, Survey Shows

Schools Report 99% Data Recovery, Heavy Reliance on Backups, More Ransoms Paid; Average Recovery Cost was $1.59M

  • By Kristal Kuykendall
  • 06/08/23

Eight out of 10 K–12 school districts surveyed for Sophos’ 2023 State of Ransomware Report said they were hit by ransomware last year — a 43% increase from the previous year’s results — making the K–12 education sector the most-popular ransomware target in 2022.

Across all sectors, 66% of the organizations surveyed were attacked by ransomware in 2022, the same percentage as the previous year.

Cybersecurity-as-a-service provider Sophos commissioned the vendor-agnostic survey of 3,000 IT and cybersecurity leaders from the Americas, Asia Pacific, and EMEA, including 200 K– 12 IT practitioners; the survey was conducted January through March of this year, according to the report.

The survey found that 80% of K–12 organizations were impacted by ransomware in 2022, with 81% of those attacks including data encryption, which represents a 13% increase in encryption tactics. The overall percentage of ransomware attacks that included data encryption was 76%, “the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020,” the company said.

Of the K–12 respondents whose data was encrypted, attackers also stole data in 27% of cases.

The average ransomware recovery cost for K–12, excluding any ransom payment, stayed about the same, at $1.59 million, Sophos said. The all-sector average recovery cost for 2022 ransomware attacks rose by 30% over the previous year, to $1.82 million.

K–12 organizations reported 99% data recovery post-attack; the average data-recovery rate across all sectors rose to 97%, Sophos said.

To achieve 99% recovery, 73% of K–12 organizations surveyed used backups to restore data, and 47% paid a ransom to get data back, the report said. These figures reveal that K–12 ransomware victims are relying on backups slightly more than other sectors (70%) and paying a ransom at about the same frequency (overall, 46% reported paying a ransom).

K–12 schools paid a ransom more often (47%) in 2022 than the year before (45%). Backups were used to restore data in 73% of 2022 K–12 ransomware attacks, slightly less than the year prior, when 76% of K–12 respondents said they’d relied on backups, Sophos’ report said.

The survey also shows that when organizations across all sectors paid a ransom to get their data decrypted, they ended up doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organizations that used backups to get data back), and their recovery time ran longer.

Only a handful of K–12 respondents shared the exact ransom amount paid in 2022, rendering the results statistically insignificant, Sophos said; anecdotally, the average ransom payment from K–12 respondents who did share this detail was just over $1.2 million. Among all respondents, the average ransom payment almost doubled to $1,542,333 last year. The 2022 median ransom payment reported was $400,000.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes," said Chester Wisniewski, field CTO, Sophos.

“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” Wisniewski said.

The most commonly reported root cause of ransomware attacks across all sectors was an exploited vulnerability (in 36% of cases), followed by compromised credentials (involved in 29% of cases). Among K–12 respondents, 29% of attacks were attributed to a vulnerability; 36% compromised credentials; 19% malicious emails; and 11% phishing — suggesting that school districts still face a challenge of implementing multi-factor authentication and training staff to recognize and avoid suspicious emails.

“Sophos’ latest report is a clarion reminder that ransomware remains a major threat, both in scope and scale. This is particularly true for ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for ransomware prevention, response and recovery,” said Megan Stifel, executive director of the Ransomware Task Force and chief strategy officer, Institute for Security and Technology.

Stifel urged organizations to implement the Ransomware Task Force’s Blueprint for Ransomware Defense, which includes 48 safeguards based on the CIS IG1 Controls.

Read the State of Ransomware 2023 report or learn more at Sophos.com.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].


Featured

  • stylized illustration of a desktop, laptop, tablet, and smartphone all displaying an orange AI icon

    Survey: AI Shifting from Cloud to PCs

    A recent Intel-commissioned report identifies a significant shift in AI adoption, moving away from the cloud and closer to the user. Businesses are increasingly turning to the specialized hardware of AI PCs, the survey found, recognizing their potential not just for productivity gains, but for revolutionizing IT efficiency, fortifying data security, and delivering a compelling return on investment by bringing AI capabilities directly to the edge.

  • interlocking blue and orange blocks merge at the center against a beige background decorated with subtle technology and education-themed icons

    Cambium Learning Group to Combine ExploreLearning and Learning A-Z Brands

    Ed tech company Cambium Learning Group has announced plans to combine its ExploreLearning and Learning A-Z brands, with a new name and brand identity to be introduced in early 2026.

  • Digital clouds with data points and network connections

    Microsoft's Windows 365 Cloud Apps Available in Public Preview

    Microsoft has announced that its Windows 365 Cloud Apps are now available in public preview. This allows IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.

  • magnifying glass highlighting a human profile silhouette, set over a collage of framed icons including landscapes, charts, and education symbols

    New AI Detector Identifies AI-Generated Multimedia Content

    Amazon Web Services and DeepBrain AI have launched AI Detector, an enterprise-grade solution designed to identify and manage AI-generated content across multiple media types. The collaboration targets organizations in government, finance, media, law, and education sectors that need to validate content authenticity at scale.