​​Ransomware attacks on US schools and colleges cost $9.45bn in 2022

In 2022, 65 individual ransomware attacks affected 1,436 schools and colleges, potentially impacting 1,074,926 students. We estimate that these attacks cost education institutions nearly $9.45 billion in downtime alone. Most schools also faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks.

Over the last few years, ransomware attacks have become an increasing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data. Our latest data shows ransomware attacks on US educational institutions reached similar numbers over the last two years, but downtime is increasing.

Despite a dip in attacks in 2021 and 2022, 2023’s figures appear to indicate that attacks are on the up. There have already been 37 confirmed attacks so far this year, compared to just 26 in the same period in 2022. Furthermore, downtime in educational institutions is high with 11.65 days lost to attacks on average in 2022.

So, what is the true cost of these ransomware attacks across the education sector in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2023?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting schools and colleges since 2018. Many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. Information might only be released to the public when the school must acknowledge the breach due to disrupted systems or when student data is compromised. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different education resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US education providers. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to schools and colleges. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Key findings

In 2022:

  • 65 individual ransomware attacks on schools and colleges–a similar figure to 2021 (68)
  • 1,436 separate schools and colleges were potentially affected–a 50 percent increase from 2021 (958)
  • 1,074,926 individual students could have been impacted–a 13 percent increase from 2021
  • Only three schools disclosed ransom demands, varying from $250,000 to $950,000
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
  • On average, schools lose 11.65 days to downtime and spend more than a month (42 days) recovering from the attack
  • Hackers demanded up to $1.6 million across just three attacks and received payment in four out of 16 cases where the school/college disclosed whether or not it paid the ransom (however, they are more likely to disclose that they haven’t paid the ransom than if they have). In one case, hackers received $400,000
  • The overall cost of these attacks is estimated at around $9.45 billion

Recently, many schools have been subject to double-extortion attempts where hackers not only lock them out of critical systems but steal data and threaten to post it online if the ransom isn’t paid. Recent examples include Cincinnati State Technical and Community College and Linn-Mar Community School District. But hackers went one step further in their attack against Bluefield University in April 2023. Using the university’s RamAlert system, the attackers sent a series of messages to students, warning them their data would soon appear on the dark web if the university didn’t pay the ransom.

Which state had the most ransomware attacks on schools and colleges in 2022?

As we can see from the above map, California had the most ransomware attacks (9), accounting for just under 14 percent of the attacks in 2022. But as the state with the highest population, this isn’t too much of a surprise. New York, the fourth-highest populated state was a close second with seven reported ransomware attacks in 2022.

Based on the number of students potentially impacted by the ransomware attacks on these schools and colleges, the most heavily affected state remains the same.

California records the highest number of impacted students in 2022 with 597,463. It’s the only state to record more than 100,000 students impacted across 9 attacks. The majority of those affected were from Los Angeles Unified School District, the second-largest school district in the US with 780 individual schools. The Vice Society group claimed responsibility for the hack and leaked 500GB of data stolen.

New Mexico had the second-highest number of impacted students with 83,340 in the two attacks on Albuquerque Public Schools and Fort Sumner Municipal Schools. While Albuquerque Public Schools didn’t disclose many details about the attack, it did have to close its doors to all students for two days while it worked to restore systems.

How much did these ransomware attacks cost schools and colleges in 2022?

As mentioned previously, ransom demands varied by hundreds of thousands of dollars. Plus, only a handful of providers publicly release the figures involved (we could only find ransom demand figures for three out of the 65 attacks in 2022). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as it may incentivize further attacks.

What we do know, however, is the following:

  • The Little Rock School District voted in a board meeting to pay a $250,000 ransom in hopes of retrieving their data back. It was stated by the district that all of the data was returned to them with assurances made by hackers that the information had not been used.
  • Glenn County School District was met with an initial demand from Quantum hackers for $1 million. The district entered a chat with the hackers and negotiated the ransom down to $400,000 which would pay for a decryption key and certain other assurances that would restore the single network that covered all of the schools in the district of Glenn county.
  • Norman Public Schools did not engage with Hive ransomware hackers who demanded a whopping $950,000 after they breached the schools’ systems via a phishing attack. Hive hackers then began leaking the schools data on the dark web.

Adding in downtime

While few schools and colleges reveal whether or not they paid the ransoms and how much was involved, the downtime and recovery periods that arise because of these attacks are often reported. This is due to schools often shutting down for several days and/or systems being down for long periods of time.

As we have already seen, servers may be taken offline for hours, weeks, and even months. And in some cases, data and/or computers are unrecoverable.

According to the figures we did find (for 33 of the attacks), schools suffered average downtime of 11.65 days in 2022. This is a huge increase from just over 4 days in 2021. Downtime relates to schools being shut and/or services being largely unavailable. As well as system downtime, schools will often face even longer recovery periods, whereby schools are open and largely in operation but certain servers, devices, and services remain unavailable.

Based on our estimates, ransomware attacks may have caused over 757 days of downtime where systems are largely unavailable. This is based on the downtime recorded per attack or average downtime for each attack per year.

So how much could this have cost education providers?

A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries). This would mean the cost of downtime to education organizations in 2022 was around $9.45 billion. This is more than double the figures seen in 2021–$3.48 billion.

Even though these figures may seem extremely high, they are in line (and perhaps conservative estimates) with publicly revealed figures from schools. A report by EdScoop found that the education sector experiences higher recovery costs than any other sector. They claim that, on average, education institutions pay around $2.73 million to remediate the impact of a ransomware attack which is 48 percent higher than the global average across all sectors.

This is a fraction of the figures some schools have publicly reported. For example, Buffalo Public Schools saw recovery costs of around $10 million after its March 2021 attack, Baltimore County Public Schools reported recovery costs of around $8.1 million after its November 2020 attack, and Michigan State University’s recovery from its May 2020 attack is estimated to cost around $3 million.

Key findings from January 2018 to mid-2023:

  • 361 separate individual ransomware attacks have been carried out on schools and colleges
  • 6,023 individual schools and colleges have been potentially impacted and over 4.65 million students
  • Schools and colleges have suffered an estimated 2,800 days of downtime due to ransomware attacks
  • Ransom requests varied from $5,000 to $40 million
  • Hackers have received at least $2.43 million in ransom payments with the average payment being $173,504
  • Hackers have requested at least $52.8 million in ransom payments with the average request being $1.7 million
  • We estimate that downtime has cost schools and colleges nearly $34.9 billion with potential recovery costs adding millions (if not billions) to the total

How does 2022 compare to previous years?

Ransomware really started to take hold in the education sector in 2019. With just 10 attacks reported in 2018 but 98 reported in 2019, this was an 880 percent year-on-year increase. However, these figures fell in 2020 to 83 and even further to 68 in 2021 before stabilizing in 2022 (65). But, with the high levels of downtime caused by these attacks and the vast amount of data being stolen, it is clear hackers have become more tactical in their approach, going after bigger school districts with higher budgets and a larger number of students.

  • Number of attacks:
    • 2023 – 37
    • 2022 – 65
    • 2021 – 68
    • 2020 – 83
    • 2019 – 98
    • 2018 – 10
  • Number of students potentially impacted:
    • 2023 – 389,623
    • 2022 – 1,074,926
    • 2021 – 952,824
    • 2020 – 1,375,843
    • 2019 – 822,122
    • 2018 – 41,627
  • Average downtime:
    • 2023 – 8.94 days
    • 2022 – 11.65 days
    • 2021 – 4.1 days
    • 2020 – 8.77 days
    • 2019 – 6.68 days
    • 2018 – 5 days
  • Downtime caused (known cases):
    • 2023 – 242 days (27 cases)
    • 2022 – 385 days (33 cases)
    • 2021 – 82 days (20 cases)
    • 2020 – 272 days (31 cases)
    • 2019 – 267 days (40 cases)
    • 2018 – 15 days (3 cases)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2023 – 330.9 days
    • 2022 – 757.3 days
    • 2021 – 278.8 days
    • 2020 – 728.04 days
    • 2019 – 654.52 days
    • 2018 – 50 days
  • Estimated cost of downtime:
    • 2023 – $4.1bn
    • 2022 – $9.45bn
    • 2021 – $3.48bn
    • 2020 – $9.08bn
    • 2019 – $8.16bn
    • 2018 – $623.7m

How is 2023 looking for ransomware attacks on schools and colleges?

As we can see from the above table, ransomware attacks across schools have been quite high through the first six months of this year. Hackers often target schools around August and September, when schools are due back after the summer break. It’s likely 2023 will see a large uptick in ransomware attacks on educational institutions.

Furthermore, downtime figures remain high with nearly nine days lost on average. But with the impact of attacks often not being felt/reported on accurately until months later, downtime figures could rise even further.

North Carolina and Florida have introduced laws to prevent state agencies (including schools) from paying a ransom, with several states considering similar laws (including Arizona, Pennsylvania, New York, and Texas).

Have these laws worked?

It’s hard to tell just yet, but North Carolina and Florida both saw two attacks each in 2022. Florida saw the same number in 2021, and North Carolina only saw one in 2021. North Carolina has also seen one attack in 2023. This was the March 2023 attack on Gaston College caused by Snatch ransomware. While the college confirmed it hadn’t paid the ransom as per the legislation, it did have to resort to alternative systems for two months while it recovered from the attack.

Paying ransoms should be discouraged, but legislation banning these payments is only part of the overall solution. It doesn’t prevent the astronomical recovery costs educational facilities face after being targeted with such attacks, nor does it prevent the risk of students’ personal data being posted on the dark web. In fact, refusing to pay ransoms can increase those risks. Focusing on educating schools on the risk of ransomware and how best to prevent these attacks should be a key focus.

With 2023 seeing a rise in ransomware attacks across the US and worldwide (across all industries), it’s never been more important to ensure employees are clued up, systems are updated, and frequent backups are being carried out.

Methodology

Our research found 361 ransomware attacks in total affecting 6,023 schools and colleges. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the schools where no downtime figures were available. Using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates for how much school closures and severe disruptions may have cost. This only took into consideration the amount of downtime schools suffered due to ransomware attacks–it does not cover the recovery period and expenses that follow.

We have only included ransomware attacks that have specifically targeted an education facility–not a ransomware attack that has affected a third-party used by the schools or colleges, e.g. Blackbaud or MOVEit.

Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.

Data researchers: Charlotte Bond and Rebecca Moody

Sources

For a list of sources, please see our US ransomware tracker.