By Ian Thomas on April 29, 2022

The State of Ransomware Attacks in the Higher Education Industry

Higher education institutions are prime targets for ransomware attacks. Universities and colleges handle large amounts of sensitive personal data, facilitate a campus-wide intranet, and manage research data. These factors combine to make targeting the higher education sector a potentially lucrative operation for threat actors. The more sensitive the data, the more valuable it becomes in the wrong hands. 

This article looks at the state of ransomware in higher education. You’ll get the lowdown on relevant statistics, notable recent ransomware attacks, and some guidance for managing this threat. 

Ransomware in Higher Education: Overview

The tenets of higher education, encompassing openness, trust, and information exchange, add to the ransomware risks in this sector. These tenets contrast with the necessary rules, controls, and best practices for securing networks and data. 

Ransomware is malicious software that blocks access to networks, systems, and/or files in an attempt to extort a ransom payment from its victims. Typically, access to valuable resources is blocked through encryption methods with a message indicating a return of those resources upon payment of the ransom. 

Security experts have confirmed that at least seven US-based universities have been hit by ransomware attacks already in 2022,  including Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, National University College and North Carolina A&T.

Recent Ransomware Attacks on Higher Education Institutions

Kellogg Community College: May 2022

Kellogg Community College, a regional school system with five campuses in Michigan, was forced to cancel classes at the beginning of the final full week of the spring semester after being hit by a successful ransomware attack in early May 2022.  The school system's IT systems, including online classes, campus emails, and other online resources, were adversely impacted for two days while their team investigated and remediated the attack. The IT team also initiated a forced password reset for all staff and students as a precautionary measure. No details have been provided as to who was responsible for the attack or if a ransom was ever demanded or paid.

Florida International University: April 2022

Florida International University reported that they were the victims of a ransomware attack in April 2022.  The ransomware group known as ALPHV/Black Cat claimed responsibility for the attack and said they stole 1.2 TB of data, including social security numbers of both staff and students, email databases, and accounting/contract details.  Administration officials claim that no sensitive student or staff personal data was stolen.  As of June 2022, no details have been provided to the public about what exactly was stolen or if a ransom was ever demanded or paid.

North Carolina A&T: March 2022

North Carolina A&T reported that they were attacked during the week of Mar 7-11, 2022, while students were on spring break.  The attack affected a number of security and educational tools, including single sign-on, VPN, and their document management system.

The ransomware group known as ALPHV/Black Cat claimed responsibility for the attack and said they stole personal information about students and staff as well as contracts and other financial data.  School officials acknowledge that the attack happened but dispute the statement that any data was stolen.  As of April 2022, recovery efforts continue but not all impacted systems have been restored yet.

Des Moines Area Community College (DMACC): June 2021

The most recent ransomware incident focuses on a community college in central Iowa. In early June 2021, an attack wreaked havoc on the DMACC IT network and led to the cancellation of all online courses followed by in-person classes the next day. The ramifications were such that online classes remained canceled for a full two weeks while the college attempted to restore its IT network. 

It was interesting to see that the college’s decision-makers opted not to pay the ransom demanded by the group behind this attack. It is not exactly clear what ransomware group was behind the attack or what the demanded ransom was. Federal organizations don’t recommend paying ransoms because doing so can incentivize more attacks. Furthermore, paying up doesn’t necessarily result in getting full access back to compromised systems, files, or other resources. 

Sierra College: May 2021

The scourge of ransomware struck a Northern Californian college at one of the worst times possible—during finals week. Like the previous incident, details on the type of ransomware or the perpetrators behind this attack also weren’t revealed. What is known is that valuable learning resources for students were taken offline and required workarounds to get access to them. 

According to a statement in the immediate aftermath of the attack, the college was “working with law enforcement and third-party cybersecurity experts to investigate this incident, assess its impact, and bring our systems back online”. The college’s registration service wasn’t available as a consequence of the attack, which potentially affected prospective students. An update two weeks after the initial incident disclosure revealed the restoration of most IT services at Sierra College.  

Multiple Universities: March 2021

 Multiple high-profile universities became victims of a ransomware attack conducted by the Eastern European Clop gang in March 2021. Clop ransomware uses phishing emails with malicious attachments to get into networks, lateral movement to spread quickly, and evasive techniques to avoid detection by security solutions. Data exfiltration is also a feature of Clop; the ransom demand comes with a threat to disclose stolen data to the dark web if the payment isn’t made. 

In this incident, universities such as the University of Colorado, the University of Miami, and the University of California had sensitive data stolen when Clop ransomware compromised the Accellion file transfer service. The stolen data included grades and other personal information. This incident highlighted the cyber risks that can come from third-party software vendors. 

South and City College Birmingham (UK): March 2021

Across the Atlantic in England’s second city, Birmingham, a local college with eight campuses distributed throughout the city had to close all campuses following a major ransomware attack

On-campus servers and workstations were impacted, which resulted in students having to return to online learning only a week after they resumed in-person classes after a national lockdown to curb Covid-19. An official college Tweet stated that the ransomware attack disabled many of the core IT systems at the college. It also appears that this was a double extortion attack because, according to quotes, “a volume of data has been extracted from our servers”.  

Managing The Ransomware Threat in Higher Education

Thankfully, many educational institutions recognize the pervasive threat of this ever-increasing form of cyber attack. Most colleges and universities have IT teams with cybersecurity knowledge. Here are some tips to manage the threat of ransomware:

  • Use Backups: Having backups of important data and systems is always a useful strategy for minimizing the impact of ransomware attacks. A properly executed backup strategy provides the most comprehensive and effective way of getting compromised files and/or systems back. It’s worth noting that organizations across all sectors that pay ransoms to perpetrators rarely get all of their affected data or systems back. 
  • Segment the Campus Network: Ransomware and other forms of malware often proliferate through a network to inflict maximum damage. Good network segmentation splits a campus network into logical segments, which can isolate the harm from ransomware to one particular segment rather than across the whole network.
  • Have an Incident Response Plan: Organizations that contain and minimize the damage from in-progress ransomware attacks are invariably those with a solid incident response plan in place. This plan establishes instructions for responding to and recovering from detected cybersecurity incidents. A solid incident response plan needs to clearly and logically identify key roles, actions, and responsibilities during a cybersecurity incident. 
  • Implement a Cybersecurity Framework: A cybersecurity framework provides a set of standards and guidelines for protecting against modern cybersecurity threats. Implementing these frameworks can prove to be an invaluable way to increase protection against ransomware and a whole host of other attack vectors. Cybersecurity frameworks are created by groups of cybersecurity experts. Example frameworks include the Nist Cybersecurity Framework and the CIS Controls.
  • Combat Phishing Threats: In an information-sharing space like a college or university intranet, trust and openness are encouraged. Unfortunately, this trust is exploitable by hackers who commonly use phishing techniques to gain an initial foothold into a network. By spoofing emails, the perpetrators can get victims to click malicious links or download email attachments that install malware. Email security tools can filter out or flag phishing emails before they get the chance to deceive people. A modern solution equipped for sophisticated threats should ideally be a self-learning AI-driven solution that continuously improves its effectiveness over time as it scans, filters, and flags deceptive emails. 


The principles behind higher education, the complexity of IT environments in this sector, and the sensitivity of the data all combine to create somewhat of a perfect storm for ransomware attacks to occur. Colleges and universities must remain vigilant and assume that the worst will happen. Preparation is key to minimizing the possible consequences of ransomware in higher education.  

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.

This blog was updated in June 2022

Published by Ian Thomas April 29, 2022

Join thousands of your peers! Subscribe to our blog.

Ironscales needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy Policy.