Dive Brief:
- Ransomware attacks targeted the education sector more than any other industry in the last year, with 79% of surveyed higher education institutions across the world reporting being hit, according to an annual report from Sophos, a U.K.-based cybersecurity firm.
- Of the higher ed institutions that reported ransomware attacks, 59% said the attacks resulted in them losing “a lot of” business and revenue. Around one-fourth, 28%, reported smaller losses.
- Hackers exploited system vulnerabilities in 4 in 10 higher education ransomware attacks, making them the sector's most common root issue. Compromised credentials caused another 37% of attacks, while malicious emails led to 12% of reported incidents.
Dive Insight:
Sophos’ latest survey suggests that ransomware is increasingly targeting colleges and universities. In 2022’s report, only 64% of higher education institutions said they had been hit by ransomware in the past year — 15 percentage points lower than the share who reported incidents in the latest survey.
In some cases, hackers are ramping up their efforts to get colleges to pay for the return of their data.
Knox College, a private liberal arts institution in Illinois, made headlines late last year when a hacker group broke into its computer system and accessed student data. The group that took credit for the breach, known as Hive, emailed students saying they had retrieved “personal information, medical records, psychological assessments, and many other sensitive data,” and threatened to sell their Social Security numbers.
The attack spurred multiple lawsuits from students, who allege that Knox failed to follow the latest security practices to shield sensitive data.
“Sophos’ latest report is a clarion reminder that ransomware remains a major threat, both in scope and scale,” said Megan Stifel, chief strategy officer at the Institute for Security and Technology. “This is particularly true for ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for ransomware prevention, response and recovery.”
Many cash-strapped colleges fit this description, as they don’t have the resources to invest in bolstering their defenses. Cybersecurity also isn’t a revenue generator, so it is often a lower spending priority than other campus initiatives.
More recent ransomware attacks have cropped up in the spring term.
Gaston College, a community college in North Carolina, was hit by a ransomware attack in February. Law enforcement is investigating the incident, and the college offered employees free credit monitoring services.
And in March, ransomware targeted Shoreline Community College, in Washington, gaining access to student and employee information such as Social Security numbers, financial accounts and dates of birth.
Sophos recommended that organizations and colleges strengthen their defenses by securing desktops, mobile phones and tablets from threats. It also recommended they prepare for attacks by regularly backing up data.