Ransomware Hit 64% of Higher Ed Institutions Globally in 2021, Sophos Survey Finds

Higher Ed Was Slowest of all Sectors to Recover, State of Ransomware Report Says

  • By Kristal Kuykendall
  • 04/27/22
data recovery methods used

Cybersecurity firm Sophos today released its annual State of Ransomware report showing ransomware attacks nearly doubled in 2021 from the year before, according to results of a survey of 5,600 IT professionals across many sectors.

Across all sectors surveyed, 66% of respondents said their organizations were hit with ransomware in 2021, up from 37% in 2020. Among higher ed institutions included in the survey, 64% of higher ed IT professionals responding, representing 410 institutions, said they were a victim of ransomware last year.

Higher ed institutions hit by ransomware were the slowest to recover of the sectors surveyed, as well, the Sophos survey found. Two in five respondents among higher ed institutions said recovery took more than a month.

The average ransom payout of $812,360 across all sectors occurred in attacks where the threat actors encrypted the victims’ data; that average ransom amount was nearly five times higher than the average in 2020, with a 300% increase in the proportion of organizations paying ransoms of $1 million or more, Sophos said.

Key Findings among Higher Ed Respondents:

  • 64% of higher ed respondents, equaling 410 higher education institutions, were hit by ransomware in 2021.
  • 50% of higher ed institutions hit by ransomware paid a ransom.
    • Among higher ed institutions that paid a ransom, paying the ransom resulted in restoration of about 61% of their data, they reported.
  • 70% of higher ed institutions hit by ransomware used backups to restore at least some of their data.
  • 100% of higher ed institutions hit by ransomware reported that cyberinsurance covered at least some of the resulting costs.
    • 87% of higher ed institutions hit by ransomware reported that cyberinsurance paid the clean-up costs.
    • 36% of higher ed institutions hit by ransomware reported that cyberinsurance paid the ransom.
    • 20% of higher ed institutions hit by ransomware reported that cyberinsurance paid other costs associated with recovery.

The survey, conducted by research agency Vanson Bourne, was conducted during January and February 2022, according to Sophos.

“As ransomware has become more prevalent, organizations have got better at getting at dealing with the aftermath of an attack,” Sophos’ report said. “Almost all organizations hit by ransomware in the last year (99%) now get some encrypted data back, up slightly from 96% last year.”

Key Findings about Restoring Data

  • The No. 1 method used to restore data is backups, used by 73% of respondents whose data was encrypted.
  • 46% reported that they paid the ransom to restore data.
  • Almost half (44%) of the respondents whose organization’s data had been encrypted used multiple methods to restore data.
  • Organizations that paid got back only 61% of their data on average.
  • Only 4% of those that paid the ransom got all their data back in 2021, down from 8% in 2020.

A Warning for Relying on Backups & CyberInsurance

Of the respondents who said they weren’t hit by ransomware in 2021 and they don’t expect to be hit in the future, 72% are relying on measures that will not prevent a ransomware attack, Sophos noted: 57% of these respondents cited backups and 37% cited cyberinsurance, with some selecting both options. “While these elements help you recover from an attack, they don’t prevent it in the first place,” the report said.

Almost all the respondents, or 94%, said the process for securing cyberinsurance had become more laborious over the last year.

“As the cyber insurance market hardens and it becomes more challenging to secure cover, 97% of organizations that have cyber insurance have made changes to their cyber defense to improve their cyber insurance position,” the report said.

ConvergeOne, a nationwide provider of cybersecurity services and digital infrastructure, told Campus Technology in January that education organizations renewing or shopping for cyberinsurance this year can expect potential insurers to conduct an in-depth analysis of the organization’s network security before a policy can be purchased.

ConvergeOne Senior Director of Cybersecurity Chris Ripkey said education institutions without mature security systems in place will no longer be able to use their cyberinsurance policies as a “get of jail free card” when cyberattacks occur.

Education organizations shopping for or renewing their cyberinsurance, he said, can expect to be asked to demonstrate that they have the following protections, at a minimum, in place:

  • Multi-factor authentication
  • Antivirus and malware protection
  • A mature data privacy program to protect student and staff information
  • A robust patch management system
  • A managed endpoint detection and response services
  • Immutable backups separate from the rest of the infrastructure

“The cyberinsurance brokers will ask for all this information in a self-assessment, and if you don’t meet the minimum requirements, they are not going to insure your district, or your premiums are going to be a lot higher,” Ripkey emphasized. “Our advice is to do your own full assessment before shopping for insurance — take stock of your security practices and where you stand.”

Read the full cyberinsurance report to learn more about changes in the cyberinsurance landscape.

The State of Ransomware survey results can be downloaded at the Sophos website.

Featured

  • abstract pattern of cybersecurity, ai and cloud imagery

    OpenAI Report Identifies Malicious Use of AI in Cloud-Based Cyber Threats

    A report from OpenAI identifies the misuse of artificial intelligence in cybercrime, social engineering, and influence operations, particularly those targeting or operating through cloud infrastructure. In "Disrupting Malicious Uses of AI: June 2025," the company outlines how threat actors are weaponizing large language models for malicious ends — and how OpenAI is pushing back.

  • AI microchip under cybersecurity attack, surrounded by symbols of threats like a skull, spider, lock, and warning shield

    Report: Agentic AI Protocol Is Vulnerable to Cyber Attacks

    A new report has identified significant security vulnerabilities in the Model Context Protocol (MCP), technology introduced by Anthropic in November 2024 to facilitate communication between AI agents and external tools.

  • glowing digital brain above a chessboard with data charts and flowcharts

    Why AI Strategy Matters (and Why Not Having One Is Risky)

    If your institution hasn't started developing an AI strategy, you are likely putting yourself and your stakeholders at risk, particularly when it comes to ethical use, responsible pedagogical and data practices, and innovative exploration.

  • college student using a laptop alongside an AI robot and academic icons like a graduation cap, lightbulb, and upward arrow

    Nonprofit to Pilot Agentic AI Tool for Student Success Work

    Student success nonprofit InsideTrack has joined Salesforce Accelerator – Agents for Impact, a Salesforce initiative providing technology, funding, and expertise to help nonprofits build and customize AI agents and AI-powered tools to support and scale their missions.