Ransomware attacks on education declined in 2024, report shows

Educational institutions confirmed 116 ransomware attacks in 2024, down from 188 attacks in 2023, according to a new industry report.

Ransomware attacks on the education sector, one of the 16 critical infrastructure sectors in the United States, decreased last year, according to a report published Thursday by the software review company Comparitech.

The report found that educational institutions, such as schools and universities, suffered 116 confirmed ransomware attacks in 2024, down from 188 attacks in 2023. The report estimates those ransomware attacks impacted 1.8 million records, with cybercriminals demanding an average of $847,000 in ransom payments.

School districts have in recent years faced a large volume of ransomware attacks and data breaches, which often expose sensitive health, financial and educational data on students, families and staff. In response, the U.S. Department of Education last year launched the Government Coordinating Council for the Education Facilities Subsector to share best practices and improve cybersecurity at K-12 schools.

The Comparitech report shows that RansomHub, LockBit, Medusa and Play were the most active ransomware groups in 2024, responsible for 291 confirmed attacks globally on the education, government, health care and business sectors.

The total number of attacks is believed to be even higher. Ransomware groups claimed responsibility for 5,461 successful ransomware attacks on organizations worldwide, but only 1,204 of these attacks were confirmed by the targeted organizations, according to the report.

“An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public,” the report reads. “Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.”

Last July, RansomHub claimed to have published 100 gigabytes of data stolen from the Florida Department of Health after the department declined to pay a ransom. A month earlier, the FBI obtained 7,000 LockBit ransomware decryption keys after the bureau took down the group’s infrastructure through “Operation Cronos,” an international operation designed to disrupt LockBit’s business model and expose members of the ransomware gang.

The Cybersecurity and Infrastructure Security Agency has published advisories on all four groups, which include observed tactics and indicators of compromise to help organizations better protect themselves against ransomware attacks.

“Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims,” according to a CISA advisory published last August. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims.”

To prepare for ransomware attacks, CISA recommends organizations implement recovery plans, require multifactor authentication, regularly audit user accounts and disable hyperlinks in emails.
