Sophos’ latest annual study of the real-world ransomware experiences of educational organizations explores how ransomware’s impact has evolved in the last four years. It focuses on the full victim journey, from attack rate and root cause to operational impact and business outcomes.
This year’s report explores new areas of study for the sector, including an exploration of ransom demands vs. ransom payments and how often educational organizations receive support from law enforcement bodies to remediate the attack.
Download the report to get the full findings.
Attack rates have declined, but recovery costs have more than doubled
63% of lower education and 66% of higher education organizations were hit by ransomware in the last year, a considerable decrease from the 80% and 79% reported in 2023, respectively. However, the attack rates in education remain higher than the global cross-sector average of 59%.
95% of educational organizations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack. Of them, 71% were successful, which is the second highest rate of successful backup compromise across all sectors after the energy, oil/gas and utilities sector.
85% of ransomware attacks on lower education and 77% on higher education organizations resulted in data encryption in the last year, slightly higher than 81% and 73%, respectively, reported in the previous year. For lower education, this is the second consecutive year of an increase in encryption rate, with only state/local government (98%) more likely to have data encrypted in an attack.
The mean cost in 2024 for lower education organizations to recover from a ransomware attack was $3.76M, more than double the $1.59M reported in 2023. Higher education organizations reported a mean cost of $4.02M, almost four times higher than the $1.06M reported in 2023.
Devices impacted in a ransomware attack
On average, 52% of computers in lower education and 50% in higher education are impacted by a ransomware attack, slightly above the cross-sector average of 49%. Having a full environment encrypted is extremely rare. Only 2% of lower education organizations and 1% of higher education organizations reported that 91% or more of their devices were impacted.
The propensity to pay the ransom has increased
62% in lower education paid the ransom to get encrypted data back, while 75% restored encrypted data using backups. At the same time, 67% of higher education organizations paid the ransom to restore data, whereas 78% used backups.
Higher education reported the second-highest propensity to use backups for data restoration along with state/local government organizations. It also ranks second highest in the propensity to pay the ransom to restore encrypted data, whereas lower education organizations rank third.
The three-year view of the education sector reveals an increase in backup use. In 2023, higher education was among the bottom three sectors globally for backup use, jumping to second place in 2024, alongside state/local government. Unfortunately, the propensity to pay the ransom has progressively increased for both lower and higher education organizations in the last three years.
A notable change over the last year is the increase in the propensity for victims to use multiple approaches to recover encrypted data (e.g., paying the ransom and using backups). This time, 65% of lower education and 69% of higher education organizations that had data encrypted reported using more than one method, almost three times the rates reported in 2023 (23% in lower education and 22% in higher education organizations.)
Victims rarely pay the initial ransom sum demanded
99 lower education and 92 higher education respondents whose organizations paid the ransom shared the actual sum paid, revealing that the average (median) payment in lower education was $6.6M last year. For higher education, the average (median) payment was $4.4M.
Only 13% of education victims said their payment matched the original request. 32% of lower education and 20% of higher education respondents paid less than the original demand, while 55% of lower education and 67% of higher education organizations paid more. Globally, higher education is the sector most likely to pay more than the original demand.
Download the full report for more insights into ransom payments and many other areas.
Generate demand for your business
Make the most of Sophos partner marketing resources to run a successful partner marketing campaign to educate your audiences and generate demand for your business. The ready-to-run campaign kit includes the pdf report, a complete PowerPoint deck, and co-brandable email templates.
Access partner marketing campaign assets
About the survey
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific. 600 respondents were from educational organizations, split into 300 from lower education (catering to students up to 18 years) and 300 from higher education (for students over 18 years). All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and February 2024, and participants were asked to respond based on their experiences over the previous year.