This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. For regular ransomware gang updates, check out our monthly ransomware reviews.
Ransomware gangs have made the past year a hard one for the education sector.
Between June 2022 and May 2023, there were 190 known ransomware attacks against educational institutions, and many more that went unreported and unrecorded. Between the first and second six months of that period, education experienced an 84% increase in attacks.
Known ransomware attacks against education, June 2022-May 2023
Although the attacks were carried out by a large number of different ransomware gangs, one in particular was responsible for the lion's share (23%). Vice Society is a gang that specializes in attacking education, and almost half of its activity (43%) is directed against the sector.
Distribution of Vice Society attacks vs other ransomware gangs, June 2022-May 2023
Further findings from the data show that, while ransomware attacks against education are a global phenomenon, the USA (with 56% of known attacks) and the UK (with 15%) were hit the most frequently attacked countries between June 2022 and May 2023.
We’ll spend the rest of this blog breaking down attacks on education by gangs, countries, and which gangs attack which countries the most.
The Threat Landscape
The leading gangs that targeted the education sector between June 2022 and May 2023 include Vice Society with 43 attacks, LockBit with 33, BianLian (18), Royal (16), and AvosLocker (15).
A few of the educational institutions attacked in the last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US. The stakes are no joke: schools and colleges have suffered an estimated 1,600 days of downtime due to ransomware attacks, and the average cost of a ransomware breach was $4.54 million in 2022.
Top ten ransomware used in attacks against education, June 2022-May 2023
In total, 26 separate ransomware-as-a-service gangs contributed to the onslaught on education.
When we break down education sector attacks by country, it becomes clear that no region is safe from ransomware. The USA bore the brunt, with 107 reported attacks.
Known attacks on education by country, June 2022-May 2023
The United Kingdom followed distantly with 28 known attacks, while other countries like Canada, Germany, Brazil, and others also fell prey to these cybercriminals.
Comparatively speaking, however, the education sector in the UK suffered far more than in other countries. Education was the target in 15% of known attacks in the UK from June 2022 to May 2023, compared to only 3% in France, 4% in Germany, and 8% in the USA.
The Gang-Country Dynamics
In general, the ransomware activity of the top gangs seems to adhere to a common trend: Most of them spread their attacks across multiple countries, displaying a diverse geographical targeting.
However, we do find an intriguing outlier that challenges the established patterns: Vice Society’s strong focus on the United Kingdom. Vice Society was responsible for 66% of known attacks on UK education institutions May 2022 to April 2023.
UK education ransomware attacks by gang, June 2022-May 2023
It is worth remembering that our numbers only reflect attacks where a ransom wasn't paid, and the true number of attacks is far larger.
This activity is distinct from the typical spread of ransomware attacks seen among other top gangs, which generally have a more balanced distribution across several countries, including the United States, Canada, and various European countries, charted below.
USA education ransomware attacks by gang, June 2022-May 2023
Global education ransomware attacks by gang, June 2022-May 2023
To recap, our key findings include:
- A significant increase in attacks: The education sector experienced a steep rise in ransomware attacks, with a 84% increase observed over a 6-month period. This was the third highest increase among all monitored sectors.
- Leading ransomware gangs: Vice Society was the most active ransomware gang in the education sector, responsible for 23% of all attacks. LockBit and BianLian also targeted the sector heavily, alongside a host of other groups.
- Geographic distribution: The USA bore the brunt of the attacks, accounting for more than 50% of the total, while the UK accounted for 15%. However, relative to the total number of attacks in each country, the education sector in the UK was targeted more frequently.
- Vice Society’s unusual UK focus: Vice Society focused heavily on the UK education sector, responsible for 64% of all known ransomware attacks on this sector. This contrasts with the typical distribution of ransomware gangs in a given country, which is usually spread more or less proportionally.
Looking ahead, it is anticipated the trend of ransomware gangs targeting the education sector will persist or even intensify. The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making them an easy target for ransomware gangs.
But with knowledge comes power. The more the education sector knows about ransomware threats like Vice Society, the better prepared they are to defend against them.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.