44% of education institutions targeted by ransomware in 2020, survey finds

Education also incurs higher costs following attacks than other sectors, according to a survey by the cybersecurity firm Sophos.
a ransomware skull
(Getty Images)

A recent survey of education IT professionals found that nearly half of all education institutions globally were targeted by ransomware in 2020, with 58% of those saying that cybercriminals succeeded in encrypting their data.

The survey, published this month by the cybersecurity firm Sophos, queried 499 education IT professionals about their organizations’ exposure to ransomware, with 44% of respondents saying they had been hit last year. The survey was part of a broader canvas of 5,400 IT professionals across multiple sectors, with education tying with retail as the industry most-frequently targeted by ransomware actors.

Sophos also found that 33% of the education officials it interviewed said that while they weren’t hit by ransomware last year, they expected to be in the crosshairs in the future; 22% said they weren’t hit in 2020 and don’t expect to fall victim.

Sophos’ analysis attributed the striking trends in ransomware against education institutions to several familiar factors, including limited budgets and broad user bases that can lack for cyber hygiene.


“Budgets for both IT and cybersecurity are often very tight, with stretched IT teams battling to secure an outdated infrastructure with limited tools and resources,” the report reads. “Risky online student behavior, such as downloading pirated software, also increases exposure to attack.”

The survey also found those trends were exacerbated in the pandemic year, as schools emptied out and physical classrooms were replaced with virtual learning environments with many more endpoints, with 74% of respondents saying the rise of online learning increased their cybersecurity workloads. (Only government reported a bigger sectorwide increase, with 79%.)


Meanwhile, ransomware was found to be more expensive to the education sector than most others, according to Sophos. While schools that coughed up ransom payments paid less than the global average — $112,435, compared to $170,404 across all industries — attacks against education had the highest cost of recovery after factoring in downtime, repairs and lost opportunities. On average, educational institutions lost $2.73 million in an average ransomware incident, nearly $300,000 more than distributors and transportation companies, the next-highest sector.

The Sophos survey included 142 IT professionals from the Americas, 138 from Europe, 85 from the Middle East and Africa and 134 from Asia and Pacific nations. Several U.S. institutions paid steep ransoms last year to obtain decryption keys from criminal gangs, including the University of Utah, which paid $457,000 last August, while the University of California, San Francisco, last summer forked over $1 million.


But the Sophos report also found that paying ransoms was not the most reliable way to unlock frozen systems. Schools that paid only got back 68% of their data on average, while the 55% of institutions that said they had strong backups were more successful at retrieving their data.


While Sophos collected responses from around the world, its report tracked with other recent analyses of ransomware against the education sector. A March survey from the K-12 Cybersecurity Resource Center found that cybersecurity incidents affecting K-12 school systems rose by 18% in 2020. And a February study from the cybersecurity vendor BlueVoyant reported that ransomware attacks against U.S. colleges and universities doubled between 2019 and 2020, with the rise attributed in part to hackers’ ability to exploit weak passwords used to access virtual learning services.

Yet even with education taking more blows than other industries, the Sophos survey found the sector is better-prepared than most to repel ransomware attacks. Eighty-six percent of respondents said they had the tools and knowledge to investigate suspicious network activity, a figure Sophos called “encouraging,” and only one percentage point behind the leading sector, business and professional services.

But possessing tools is only one part of the defense, the report says. “While advanced and automated technologies are essential elements of an effective anti-ransomware defense, stopping hands-on attackers also requires human monitoring and intervention by skilled professionals,” it read, going on to urge “all organizations” to hire more cybersecurity professionals.


The Sophos survey also had a warning for the 22% of education IT practitioners who said they don’t expect to be hit by ransomware in the future: “Sadly, this is not true. No organization is safe.”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed is the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He has written extensively about ransomware, election security, and the federal government's role in assisting states, localities and higher education institutions with information security.

Latest Podcasts