K–12 Ransomware Attacks Rose 43% in 2022, Encryption Used More Often, Survey Shows

Schools Report 99% Data Recovery, Heavy Reliance on Backups, More Ransoms Paid; Average Recovery Cost was $1.59M

Eight out of 10 K–12 school districts surveyed for Sophos’ 2023 State of Ransomware Report said they were hit by ransomware last year — a 43% increase from the previous year’s results — making the K–12 education sector the most-popular ransomware target in 2022.

Across all sectors, 66% of the organizations surveyed were attacked by ransomware in 2022, the same percentage as the previous year.

Cybersecurity-as-a-service provider Sophos commissioned the vendor-agnostic survey of 3,000 IT and cybersecurity leaders from the Americas, Asia Pacific, and EMEA, including 200 K– 12 IT practitioners; the survey was conducted January through March of this year, according to the report.

The survey found that 80% of K–12 organizations were impacted by ransomware in 2022, with 81% of those attacks including data encryption, which represents a 13% increase in encryption tactics. The overall percentage of ransomware attacks that included data encryption was 76%, “the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020,” the company said.

Of the K–12 respondents whose data was encrypted, attackers also stole data in 27% of cases.

The average ransomware recovery cost for K–12, excluding any ransom payment, stayed about the same, at $1.59 million, Sophos said. The all-sector average recovery cost for 2022 ransomware attacks rose by 30% over the previous year, to $1.82 million.

K–12 organizations reported 99% data recovery post-attack; the average data-recovery rate across all sectors rose to 97%, Sophos said.

To achieve 99% recovery, 73% of K–12 organizations surveyed used backups to restore data, and 47% paid a ransom to get data back, the report said. These figures reveal that K–12 ransomware victims are relying on backups slightly more than other sectors (70%) and paying a ransom at about the same frequency (overall, 46% reported paying a ransom).

K–12 schools paid a ransom more often (47%) in 2022 than the year before (45%). Backups were used to restore data in 73% of 2022 K–12 ransomware attacks, slightly less than the year prior, when 76% of K–12 respondents said they’d relied on backups, Sophos’ report said.

The survey also shows that when organizations across all sectors paid a ransom to get their data decrypted, they ended up doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organizations that used backups to get data back), and their recovery time ran longer.

Only a handful of K–12 respondents shared the exact ransom amount paid in 2022, rendering the results statistically insignificant, Sophos said; anecdotally, the average ransom payment from K–12 respondents who did share this detail was just over $1.2 million. Among all respondents, the average ransom payment almost doubled to $1,542,333 last year. The 2022 median ransom payment reported was $400,000.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes," said Chester Wisniewski, field CTO, Sophos.

“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” Wisniewski said.

The most commonly reported root cause of ransomware attacks across all sectors was an exploited vulnerability (in 36% of cases), followed by compromised credentials (involved in 29% of cases). Among K–12 respondents, 29% of attacks were attributed to a vulnerability; 36% compromised credentials; 19% malicious emails; and 11% phishing — suggesting that school districts still face a challenge of implementing multi-factor authentication and training staff to recognize and avoid suspicious emails.

“Sophos’ latest report is a clarion reminder that ransomware remains a major threat, both in scope and scale. This is particularly true for ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for ransomware prevention, response and recovery,” said Megan Stifel, executive director of the Ransomware Task Force and chief strategy officer, Institute for Security and Technology.

Stifel urged organizations to implement the Ransomware Task Force’s Blueprint for Ransomware Defense, which includes 48 safeguards based on the CIS IG1 Controls.

Read the State of Ransomware 2023 report or learn more at

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].