School ransomware attacks are hitting districts where it hurts—right in the purse.
The financial toll of these cyberattacks, which often lock down critical digital systems and hold them hostage until a ransom is paid, is bringing entire school systems to a standstill and putting immense pressure on school budgets.
Attacks are increasing quickly, and the costs aren’t limited to just the ransom; they often include the expenses of recovering data, repairing damaged systems, and dealing with extended downtime — not to mention the hit to the brand.
From ransom demands to the expenses associated with recovery, the impact on school budgets is staggering. This issue is growing, and cyber criminals have a huge opportunity as the school year begins and new members join the community without the training or experience to spot potential cyber threats.
Fortunately, understanding the scale and nature of these attacks can help schools and districts better prepare and protect their resources.
The Growing Financial Toll of Ransomware Attacks
The impact of these attacks can vary widely, but the cost is always significant. According to a report by Comparitech, 491 ransomware attacks targeted educational institutions between 2018 and July 2024, breaching over 6.7 million individual records and leading to billions of dollars in downtime costs. However, the true scale of the problem is likely higher because not all incidents are even reported.
For example, one Ohio district lost $1.7 million to a cyberattack, and although the attack didn’t compromise student records, it did allow attackers to divert electronic payments to unauthorized accounts.
Demands from these types of attacks can range from $5,000 to a staggering $40 million. However, these totals don't include the financial burdens that schools face after an attack. Even if a ransom isn’t paid, the costs of recovery and the risk of sensitive data being exposed still carry significant price tags.
(1/3) Due to the recent ransomware attack, Baltimore County Public Schools will be closed for students on Monday, November 30, and Tuesday, December 1. BCPS offices will be open and staff will receive additional information about Monday and Tuesday.
— Baltimore County Public Schools (@BaltCoPS) November 28, 2020
Some schools, like Buffalo Public Schools and Baltimore County Public Schools, which faced ransom demands estimated between $100,000 and $300,000, chose not to pay, but they weren’t necessarily spared a financial burden. Even without paying the ransom, their recovery efforts cost $10 million and $9.7 million, respectively.
"The district is presently in the process of rebuilding and redesigning its instructional technology infrastructure and security with leading industry experts," said Nathaniel Kuzma, Buffalo School District's general counsel. "Though progress has been made since the time of the cyberattack, the extent of the information lost/recovered remains undetermined until that project is complete."
The Cost of Downtime: More Than Just Money
When a ransomware attack occurs, it's not just the ransom amount that creates problems for schools. The downtime, or the period when computer systems are offline and inaccessible, can be just as costly, if not more. Comparitech’s report found that schools typically suffer an average of 10.7 days of downtime per attack.
Even "smaller-scale" attacks can lead to large expenses due to prolonged downtime and recovery efforts. When school systems are down, teachers can’t access lesson plans, administrators can’t reach parents, and essential services are disrupted, amplifying the overall cost.
For example, Kentucky’s Morehead State University was hit by a ransomware attack in July 2023, and although only 20 or so people's data was breached, the university had more than a month of recovery time, and the total cost reached about $4 million.
The financial strain caused by downtime isn’t just about direct costs, though. There are also hidden costs, like the impact on students' learning, staff morale, and the blow to the school's mission. With the impacts on productivity, canceled classes, and the resources needed to get systems back online, downtime has cost schools an estimated $53 billion between 2018 and 2023.
Last May, staff at Rockford Public Schools discovered a note that read, "Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. The sooner you pay the ransom, the sooner your company will be safe."
Can Budgets Offer Protection from Ransomware Attacks?
One report found that the average school spends less than 8% of its IT budget on cybersecurity, while one in five schools spends less than 1%. That’s a surprising number, given that a recent survey by the Consortium for School Networking (CoSN) reported that cybersecurity continues to be the top priority for district ed tech leaders, with nearly all 981 respondents saying they're working to increase their cyber defenses.
There is good news, however. CoSN reported that the use of two-factor authentication jumped from 40% in 2022 to 72% in 2024, and 53% of districts now have incident response plans, an increase from just 34% two years ago.
Today, 59% of districts face higher premiums for cyber insurance, with 24% paying increased deductibles. Furthermore, only 18% of districts noted creating a line item in their budget as a practice to improve cybersecurity.
Given the rising costs and ongoing risks, schools need to take proactive steps to protect themselves against ransomware. This means:
- Implementing comprehensive cybersecurity measures (like two-factor authentication)
- Regularly updating software and passwords
- Conducting frequent data backups
- Partnering with vendors that prioritize security
- Educating all staff to recognize phishing emails and other common threats
An important (but often overlooked) part of a strong cybersecurity plan is also about preparing for the aftermath. Schools should establish clear protocols for responding to cyber incidents, including how to communicate with parents, staff, and the media.
They should also make sure they have the resources and contacts to recover as quickly as possible, like access to cybersecurity experts who can guide the response and mitigate the damage. The time invested now can help reduce the full impact of an attack later.
K-12 Cybersecurity: New Federal Support & Legislative Action
There might be help on the way. As ransomware attacks on schools continue to rise, federal agencies have recognized the need for additional support and resources. The Federal Communications Commission (FCC) has launched a $200 million, three-year cybersecurity pilot program designed specifically to help schools bolster their defenses and reduce their vulnerability to ransomware and other types of cyber threats.
New laws and initiatives are also being enacted to provide a clearer picture of the scope of ransomware attacks in schools and help policymakers better understand and address the threat.
For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will go into effect by October 2025, requires many schools and colleges to report cyberattacks to federal authorities within 72 hours, and if a ransom is paid, the report must be made within 24 hours.
Several states are also taking steps to discourage the payment of ransoms. New York has even moved to penalize governmental entities up to $10,000 for making a ransom payment. North Carolina and Florida have passed similar laws prohibiting state agencies (including schools) from paying ransoms. New York, Pennsylvania, and Texas are pushing back and don’t want to use taxpayer funds to pay cyberattack ransoms.
Key Takeaway
With cyberattacks becoming more frequent and recovery costs continuing to soar, schools must prioritize cybersecurity to protect their budgets and mission. By understanding the financial and operational impacts of these attacks and taking proactive steps to mitigate the risks, K-12 schools can better prepare for the future and safeguard their communities against the growing threat.
ABOUT THE AUTHOR
Connor has spent the last decade within the field of marketing and communications, working with independent schools and colleges throughout New England. As Finalsite’s Senior Content Marketing Manager, Connor plans and executes marketing strategies and digital content across the web. A former photojournalist, he has a passion for digital media, storytelling, coffee, and creating content that connects.