Ransomware has exploded into a full-blown global crisis, striking across countries and industries indiscriminately. While ransomware attackers have gone after the likes of government agencies, retailers, health systems and infrastructure, they’re increasingly setting their sights on higher education institutions.
In the last year alone, 44% of schools experienced a ransomware attack, with another 33% saying they expect to fall victim to ransomware some time in the future. Among the schools that were attacked by ransomware last year, 58% said their data was encrypted in the most significant breaches, ultimately leading more than one-third of those victims to pay ransoms to have their data restored.
While sectors like government and healthcare may seem on paper like more “obvious” targets for ransomware, these findings shine a light on education as the industry most frequently attacked by ransomware, tied only with retail.
Colleges and universities across the country have already had to work around multiple pressures this year, reopening campuses for the back-to-school season in a way that safely balanced in-person or hybrid learning with public health measures – no easy feat given how many different towns and states a single college's student body may come from. These pressures to reopen have been exacerbated by the looming threat of ransomware attacks.
Consider the case of Howard University, which just this past September had to cancel virtual classes for its first two days of the school year because of a ransomware attack. Or last year, when the University of California, San Francisco paid more than $1 million following an extortion-style ransomware attack on its medical school's servers. That same ransomware gang attacked, and reaped ransoms from, the University of Utah, Michigan State University, Columbia College Chicago and City University of Seattle. And earlier this year, the FBI's Cyber Division released an alert about a new strain of ransomware targeting, among other groups, colleges and universities.
These attacks are likely just the beginning of what will be a longer trend. The unfortunate fact is that while higher education may boast more sophisticated IT infrastructures and expertise than the average public school district, even the most secure Fortune 100 enterprises can fall victim to ransomware, let alone any one college or university. And with higher education systems already proving themselves willing to pay out lucrative ransoms to attackers, ransomware gangs have no incentive to stop.
Paying the ransom doesn't pay off for victims
Ransomware will end when the attacks are no longer profitable, and the attacks stop being profitable when organizations stop paying them. That's, of course, far easier said than done. When you're in the heat of the moment, the temporary financial cost of paying a ransom may be a bitter pill to swallow, but it can feel like the lesser of two evils when the alternative is shutting school doors or losing staff, faculty and student data.
But even putting aside how paying ransoms incentivizes ransomware groups to launch more attacks, the fact is that paying the ransom rarely pays off for the victim. Thirty-five percent of schools pay a ransom after an attack, making education one of the most likely industries to pay. Yet, among the schools that pay a ransom, only 11% have all of their data returned to them.
The ransom isn't the only cost that schools will incur. Between downtime, device and network costs, and other expenses for getting back up and running, the total average bill for recovering after a ransomware attack in education is $2.73 million – higher than any other industry.
5 recommendations to bolster your ransomware defenses
Ninety percent of schools have a malware incident recovery plan in place, which is a good start, but that alone is not enough. In order to reduce the overall cost and impact of an attack, education leaders need to prioritize their schools' defenses against ransomware by investing in a modernized IT infrastructure, cybersecurity technologies and expert, human-led threat hunting teams that can stay a step ahead.
Here are five key measures to take that will get you there:
- Acknowledge that a ransomware attack is inevitable. Ransomware is highly prevalent, and no school, organization, industry, or country is immune from a ransomware attack. Assume you will be hit and plan ahead accordingly.
- Adopt a “3-2-1” method for backing up your data. Backups are the #1 method that organizations use to successfully restore their data, far more so than paying a ransom. In the aforementioned survey, more than half of schools attacked by ransomware did not pay the ransom and instead restored their data through backups. Follow the 3-2-1 method of backups: three different copies of data, using at least two different backup systems, with at least one copy stored offline and off-site.
- Complement anti-ransomware technology with human experts. Anti-ransomware software provides the scale and automation needed to thwart attackers, but it can't do the job alone. Shore up the technology side of your ransomware defense with human-led threat hunting teams, which have the expertise to detect the red flags of an attack that your technology might miss. If you don't have those skills in-house, consider partnering with an outside threat hunting team.
- Protect your network with layered protection. With ransomware attackers ramping up extortion-style attacks, it's more important than ever for business and IT leaders of any industry to ensure their teams are deploying layered protection at as many entry points into their network as possible, in order to keep adversaries out of their environment.
- Don't pay the ransom. Paying the ransom encourages more ransomware attacks, and offers zero guarantee you will get all of your data back (most likely you will not). And if you've made the right preparations ahead of time – like data backups and malware recovery plans – you won't need to pay a ransom to restore your data, anyway.
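
The 3-2-1 rule from the list above can be checked mechanically against a backup inventory. The following is an added example, not code from the article or from Sophos; the CSV columns, dataset names and system names are constructed for illustration, and it assumes the primary copy counts toward the three copies while the two-system requirement is counted over backup rows only.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not real data). Column names are assumptions.
# role: "primary" is the live copy, "backup" is any copy made by a backup system.
INVENTORY_CSV = """dataset,role,system,offline,offsite
student-records,primary,production-db,no,no
student-records,backup,disk-backup,no,no
student-records,backup,tape-vault,yes,yes
research-share,primary,production-nas,no,no
research-share,backup,disk-backup,no,no
lms-content,primary,production-vm,no,no
lms-content,backup,disk-backup,yes,no
lms-content,backup,cloud-sync,no,yes
"""

def load_inventory(text):
    """Group inventory rows by dataset name."""
    copies = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        copies[row["dataset"]].append({
            "role": row["role"].strip().lower(),
            "system": row["system"].strip(),
            "offline": row["offline"].strip().lower() == "yes",
            "offsite": row["offsite"].strip().lower() == "yes",
        })
    return copies

def check_321(copies):
    """Return {dataset: [failed criteria]}; an empty list means 3-2-1 is met."""
    report = {}
    for dataset, items in copies.items():
        failures = []
        backups = [c for c in items if c["role"] == "backup"]
        if len(items) < 3:
            failures.append("fewer than 3 copies")
        if len({c["system"] for c in backups}) < 2:
            failures.append("fewer than 2 backup systems")
        # One and the same copy must be both offline and off-site.
        if not any(c["offline"] and c["offsite"] for c in items):
            failures.append("no copy that is both offline and off-site")
        report[dataset] = failures
    return report

if __name__ == "__main__":
    for dataset, failures in check_321(load_inventory(INVENTORY_CSV)).items():
        print(dataset, "OK" if not failures else "FAIL: " + "; ".join(failures))
```

The `lms-content` dataset fails even though it has an offline copy and an off-site copy, because no single copy is both; an online off-site copy such as a cloud sync target is still reachable by an attacker who is in the network.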
About Dan Schiappa
Dan Schiappa is the chief product officer at next-generation cybersecurity leader Sophos. He's a transformational and strategic leader who orchestrates the company's technical strategy, playing an instrumental role in architecting technologies; overseeing product management and research and development; and ensuring product quality. With a passion for education and inspiring the next generation of cyber talent, Dan also serves as chair of the University of Central Florida's Dean's Advisory Board, where he oversees various aspects of the school’s elite cybersecurity program.