More IHEs Paid Ransoms in 2022, Even As Average Recovery Cost Fell, Sophos Research Finds

Institutions Report 100% Data Recovery Following Ransomware Attacks Last Year

Nearly eight out of 10 higher ed organizations surveyed for Sophos’ 2023 State of Ransomware Report said they were hit by ransomware last year — a 23% increase from the previous year’s results — making education the most-attacked sector in 2022.

Across all sectors, 66% of the organizations surveyed were attacked by ransomware in 2022, the same percentage as the previous year.

Cybersecurity-as-a-service provider Sophos commissioned the vendor-agnostic survey of 3,000 IT and cybersecurity leaders from the Americas, Asia Pacific, and EMEA, including 200 higher education IT practitioners; the survey was conducted January through March of this year, according to the report.

The survey found that 79% of institutions of higher education were impacted by ransomware in 2022, with about three-quarters of those attacks including data encryption, Sophos said. The all-industry percentage of ransomware attacks that included data encryption was 76%, “the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020,” the company said.

Of the IHEs whose data was encrypted, attackers also stole data in 35% of cases.

Some good news out of the report is that the average ransomware recovery cost for IHEs, excluding any ransom payment, dropped in 2022 to $1.06 million from the previous year’s average of $1.42 million, Sophos said. The all-sector average recovery cost for 2022 ransomware attacks rose by 30% over the previous year, to $1.82 million.

IHEs also reported 100% data recovery post-attack; the average data-recovery rate across all sectors rose to 97%, Sophos said.

To achieve 100% recovery, 64% of IHEs surveyed used backups to restore data, and 56% paid a ransom to get data back, the report said. These figures reveal that higher ed is relying on backups less frequently than the cross-sector average (overall, 70% used backups) and paying a ransom more frequently than other sectors (overall, 46% reported paying a ransom).

Additionally, IHEs reported paying a ransom more often in 2022 than in 2021, when half of respondents said they paid the ransom to get their data back. Backups were used to restore data less often in 2022 than the year prior, when 70% of respondents relied on backups, Sophos’ report said.

The survey also shows that when organizations across all sectors paid a ransom to get their data decrypted, they ended up doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organizations that used backups to get data back), and their recovery time ran longer.

Only a handful of higher ed respondents shared the exact ransom amount paid in 2022, rendering the results statistically insignificant, Sophos said; anecdotally, the average ransom payment from higher ed respondents who did share this detail was just under $600,000. Among all respondents, the average ransom payment almost doubled to $1,542,333 last year. The 2022 median ransom payment reported was $400,000.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes,” said Chester Wisniewski, field CTO, Sophos.

“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” Wisniewski said.

The most commonly reported root cause of ransomware attacks across all sectors was an exploited vulnerability (in 36% of cases), followed by compromised credentials (involved in 29% of cases). Among higher ed respondents, 40% of attacks were attributed to an exploited vulnerability, 37% to compromised credentials, 12% to malicious emails, and 7% to phishing.

“Sophos’ latest report is a clarion reminder that ransomware remains a major threat, both in scope and scale. This is particularly true for ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for ransomware prevention, response and recovery,” said Megan Stifel, executive director of the Ransomware Task Force and chief strategy officer, Institute for Security and Technology.

Stifel urged organizations to implement the Ransomware Task Force’s Blueprint for Ransomware Defense, which includes 48 safeguards based on the CIS IG1 Controls.

Read the State of Ransomware 2023 report or learn more at Sophos.com.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].
