For ransomware, universities are paying more
The British cybersecurity firm Sophos on Thursday published annual survey results showing that a majority of higher education institutions hit by ransomware attacks wind up paying their attackers more than was originally demanded.
The survey, which included responses from 600 higher education institutions and K-12 school districts across 14 countries, found that the median ransom payment for universities and colleges over the past year was $4.4 million. Two-thirds of higher education institutions that paid ransoms ended up paying more than the initial demand, researchers wrote.
The survey shows a link between payment amounts and the level of damage inflicted to institutions’ data and digital infrastructure.
Ninety-five percent of education respondents said cybercriminals attempted to compromise their backups, and 71% of those attempts were successful, the highest rate of any industry. Ransomware attackers are also getting better at encrypting their victims’ data — 77% of cyberattacks against higher education resulted in data encryption, compared to 73% the previous year.
Fewer institutions are being hit by ransomware — only 66% reported being attacked by ransomware actors last year, compared to 79% the prior year — but recovery is taking longer when attacks do occur. Only 30% of all respondents reported they were able to recover within a week of being attacked, compared to 40% in higher education and 33% of K-12 the prior year.
Researchers attributed the slower recovery times to limited staffing.
“Unfortunately, schools, universities and other educational institutions are targets that are beholden to municipalities, communities and the students themselves, which inherently creates high pressure situations if they are hit and destabilized by ransomware,” Chester Wisniewski, Sophos’ field chief technology officer, said in a press release. “Educational institutions feel a sense of responsibility to remain open and continue providing their services to their communities. These two factors could be contributing to why victims feel so much pressure to pay.”