Ransomware Cost US Schools $3.56 Billion in 2021, Study Says

The attacks affected nearly 1 million students at schools and colleges across the country.

Bree Fowler Senior Writer

Ransomware attacks cost US schools and colleges more than an estimated $3.5 billion in downtime alone last year, according to a study released Thursday.

Researchers at Comparitech documented 67 individual ransomware attacks in 2021 that affected 954 schools and colleges and nearly 1 million students. While those figures may seem high, they all mark double-digit percentage declines from 2020 levels, including a nearly 50% drop in the number of students affected.

School districts have become a popular target for cyberattacks, particularly ransomware, in recent years because many are running outdated computer systems and don't have the same financial or staffing resources for cybersecurity that many private companies do.

At the same time, like hospitals and critical infrastructure, schools can't afford to be shut down for long, making it more likely that they will pay ransoms to get their systems unlocked. The pandemic and shift toward online learning have only boosted the stakes.

For the study, researchers gathered information on all of the documented ransomware attacks affecting schools since 2018. But the study notes that many attacks still go unreported, especially when ransoms are paid. It's often only when classes are disrupted or student information is compromised that schools make the attacks public.

The researchers were only able to find ransomware payment amounts for six of the 67 attacks they looked at. As a result, the $3.56 billion cost figure stems from estimated downtime and recovery costs related to the attacks, rather than actual ransoms paid.

Based on data gathered from 19 of the attacks, the average downtime related to an attack, meaning the amount of time that schools were closed or services were largely unavailable, was four days. Recovery periods, where schools were open but certain devices or services were unavailable, lasted an average of nearly one month.

A handful of ransomware attacks against schools grabbed headlines in 2021. In March, cybercriminals successfully locked up the computer systems of Broward County Schools, one of the largest districts in the US, demanding a whopping $40 million in ransom. After the district declined to pay, they dumped the data online.

Also in March, an attack against the Maricopa County Community Colleges District in Arizona affected nearly 200,000 students. In that case, the district was able to spot and block the ransomware before it ravaged its systems, but it still had to cancel classes for a week while it got back up and running.

So far, the researchers say, 2022 has been a quieter year for ransomware attacks against schools. The number of documented attacks is down from year-ago levels, and researchers have also noticed drops in downtime and recovery periods.

"While hackers may be becoming more targeted in their approach, the lower downtime figures suggest schools are more prepared for these attacks and are better able to restore their systems from backups or mitigate the effects of the attacks," the researchers wrote.