Scores of ransomware attacks on US schools and colleges last year may have cost them over $6bn, according to a new report published today.
Security testing site Comparitech analyzed the 77 attacks reported by educational institutions nationwide in 2020 and calculated the cost to these victims from estimated downtime and recovery time.
Ransom costs are difficult to gauge given most schools kept their payments secret. However, the research team was able to work out average downtime (seven days) and recovery time (55.4 days) from roughly half of all incidents.
It then applied a third-party 2017 estimate for the cost of downtime averaged across 20 sectors.
While the eventual figure of $6.6bn for total downtime cost in 2020 is speculative, it can be used to provide interesting comparisons with 2019 ($8.2bn) and 2018 ($623.7m).
Comparitech claimed that 2020 saw 1,740 schools and colleges and potentially 1.4m students affected, an increase of 39% and 67% respectively on 2019 figures. This is despite the actual number of attacks in 2020 coming in 20% lower than the figure for the previous year.
“This suggests hackers targeted larger school districts with bigger annual budgets, hoping to cause greater disruption and increase their ransom payment demands,” Comparitech argued.
“This trend looks as though it has continued in 2021, too, exemplified by the bizarre $40 million ransom request made to Broward County Public Schools in April.”
Ransom demands in 2020 varied dramatically from just $10,000 to over $1m, although the researchers were only able to find mention of these for nine out of the 77 attacks they analyzed.
From January 2018 to June 2021, Comparitech logged 222 separate ransomware attacks on US schools and colleges, impacting 3,880 schools and nearly three million students.
Downtime alone is estimated to have cost these victim organizations over $17.3bn, with recovery costs adding millions, if not billions, to the total, it said.