With companies willing to shell out millions to bring their operations back online after a ransomware attack, it has become obvious that threat actors are branching out to attack different types of organizations, including the education sector. Analysis released on August 31, 2021 shows that in 2020, 77 ransomware attacks impacted over 1,740 schools and universities. Potentially 1.36 million students were impacted during these attacks, a 67% increase compared to 2019. Security testing site Comparitech estimates that these ransomware attacks cost these institutions $6.62 billion in downtime alone.
“This suggests hackers targeted larger school districts with bigger annual budgets, hoping to cause greater disruption and increase their ransom payment demands,” Paul Bischoff from Comparitech said.
In April 2021, a $40 million ransom request was made to Broward County Public Schools, which suggests that this trend of attacking education is going to continue. Somerset Independent School District, Community School District, and Affton School District know the feeling all too well, as they have been subject to double-extortion attempts where threat actors locked them out of their systems and also stole data and threatened to post it online if the ransom wasn’t paid.
Data shows that for 39 out of the 77 attacks in 2020, schools suffered an average downtime of just under 7 days, but the recovery process lasted roughly 55.4 days. This has led to students missing class time, as schools have had to shut down for several days, weeks, or even months to get their servers back up. In some cases, data and/or computers were unrecoverable after these attacks.
While ransomware is common, it almost never happens without technical indicators. Ransomware operations usually take a few days after the initial intrusion to complete reconnaissance of the network, seek out administrator credentials, and expand their span of control. The window between initial intrusion and the later stages of the attack is the crucial time to recognize that a compromise has taken place and take the proper steps to evict threat actors from the network before widespread damage occurs. Monitoring detections closely with a 24/7 Security Operations Center, such as the Security Operations Task Force by Binary Defense, can mean the difference between handling a minor incident and a recovery that costs weeks of downtime and millions of dollars.