Graphic that demonstrates the rise in cyberattacks on education institutions in 2023.

Why Education is the New Cybercrime Epicenter

Exclusive SonicWall threat data shows cyberattacks on schools increased significantly in the first half of 2023.


As large enterprises continue to strengthen their security posture, we’ve seen a sustained shift toward attacks on so-called “soft targets.” These organizations are essential to the functioning of our society, but they also tend to be comparatively less secure and resilient due to inadequate staffing and resources. Unfortunately, this has made them highly attractive targets for cybercriminals.

While state and local governments once bore the brunt of these attacks, the huge increase in technology used by K-12 schools and universities during the pandemic has brought a corresponding rise in attacks on education customers.

SonicWall Data Shows an Industry Under Attack

And this trend shows up in our data time and again. In our Mid-Year Update to the 2023 SonicWall Cyber Threat Report, SonicWall identified 2% decrease in malware overall—but a 179% increase in malware targeting education customers.

While this stat included a 42% decrease in malware attacks on higher education and an 80% decrease in attacks on other education customers, such as driving schools and exam and test prep, those gains were more than offset by a 466% increase in malware targeting K-12 schools.

Encrypted attacks on education also increased significantly, up 2,580% compared with this time in 2022. And while schools have scarcely been on the radar of cryptojackers in the past, the first six months of 2023 brought a staggering 320 times as many cryptojacking hits as in the first half of 2022.

This is a bigger danger to education customers than it may initially appear. Cryptojacking can decrease the speed of your network by nearly 70%, making it significantly harder for instructors to teach and for students to research, take exams and collaborate. The demands of illicit mining have also been known to tax devices to the point of overheating and even catching fire.

But even in cases where cryptojacking causes no immediately discernible catastrophic effect, that doesn’t mean it’s harmless. If an attacker has accessed your network, they could be exfiltrating customer data, stealing intellectual property or doing any number of other things that you aren’t seeing.

A Wider Trend

This uptick isn’t exclusive to SonicWall customers, however. According to CISA, the number of attacks on K-12 schools more than quadrupled between 2018 and 2021, from about 400 in 2018 to more than 1,300 in 2021. The Center for Internet Security found that by the end of 2021, nearly 1 in 3 U.S. school districts had been breached — while this is the most recent data currently available, this total is certainly much higher by now.

A report from the U.S. Government Accountability Office highlights the effects of such attacks. Its research found that cyberattacks on K-12 institutions resulted in a loss of learning ranging from 3 days to 3 weeks, with recovery time stretching from 2 to 9 months.

And while the U.S. may see the most cyberattacks on schools, these sorts of attacks are rising everywhere. A recent National Cyber Security Centre report found that nearly 80% of UK schools have experienced at least one type of cyber incident.

Schools generally don’t pay ransom demands, so why are so many researchers showing an uptick in these attacks compared with other “soft targets”? A lot of it has to do with data. While easily accessible staff and administrator PII data is attractive, it’s only part of the picture.

Many adults monitor their credit and quickly notice if a new account or large transaction under their name has appeared. But few check the credit of their children, allowing criminals and other bad actors to act with impunity years or even decades before a person will have occasion to have their credit checked.

A particularly egregious example followed the 2020 attack on Toledo Public Schools: Parents there reported that they had begun receiving mail indicating someone was trying to open car loans and credit card in students’ names.

Who’s Behind These Attacks?

The most well-known group attacking education right now is Vice Society. In September 2022, the group attacked the Los Angeles Unified School district, the second-biggest public school system in the U.S. When the district refused to pay the ransom demand, the group posted 500 GB of data on its dark web leak site.

That same month, CISA issued a Joint Cybersecurity Advisory on the group, warning that it was “disproportionately targeting the education sector with ransomware attacks.” As reported by CBS News, over 40 educational organizations, including 15 in the U.S., were victims of ransomware attacks at the hands of Vice Society in 2022.

While the group appears to be diversifying somewhat in 2023, they’re still actively targeting education, with attacks on Okanagen College in British Columbia, Canada; Lewis and Clark College in Portland, Oregon; Tanbridge House School in West Sussex, U.K.; Guildford County School in London; and countless others.

But while Vice Society may be the most prominent group targeting schools, they’re far from alone. In February, the ALPHV/BlackCat ransomware group released more than 6 GB of data from Ireland’s Munster Technological University, including payroll information and employee records. They were also responsible for 2022 attacks on North Carolina A&T University and Plainedge Public Schools in the U.S.

That same month, the Medusa ransomware group attacked Minneapolis Public School District. The district refused to pay a $1 million ransom, and was able to use backups to successfully restore its systems. But the group had stolen more than 100 GB of data — including intelligence test results, psychological reports and details of sexual abuse allegations — all of which was later leaked to the public.

And in January, the Royal Ransomware Group — perhaps best known for their attack on the city of Dallas, Texas—attacked the Tucson Unified School District, the second-largest district in Arizona, U.S., impacting nearly 30 thousand individuals.

Other high profile attacks in 2023 have included Western Michigan University, Des Moines Public Schools, and Bluefield University in Virginia. In the latter case, the Avoslocker ransomware group used the school’s mass alert system to send a message to the entire campus encouraging students to pressure the university to pay the ransom, lest 1.2 TB of their personal data be leaked.

A Brighter Future?

But despite the increase in attacks, there’s cause to be optimistic. In addition to efforts at the state level, such as those in Texas and Minnesota, there has been a lot of progress at the federal level as well.

In October 2021, U.S. President Biden signed the K-12 Cybersecurity Act, which “requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include voluntary guidelines designed to assist schools in facing those risks.”

In August 2023, CISA released a trove of guidance, including “K-12 Digital Infrastructure Brief: Defensible and Resilient,”  “Adequate and Futureproof,” and “Privacy-Enhancing, Interoperable and Useful.”

In July 2023, Federal Communications Commission Chair Jessica Rosenworcel proposed a pilot program that would provide up to $200 million in competitive grants aimed at increasing security against cyberthreats among schools and libraries.

And just this month, the U.S. Biden Administration announced the launch of an initiative aimed at strengthening K-12 cybersecurity.  This “government coordinating council” will help ensure that schools are able to respond to and recover from cyberattacks and other cyber incidents.

“Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms,” Education Secretary Miguel Cardona said in a release. “The Department of Education has listened to the field about the importance of K-12 cybersecurity, and today we are coming together to recognize this and indicate our next steps.”

Download our Mid-Year Update to the 2023 SonicWall Cyber Threat Report for the rest of our education data, as well as a look at how cybercrime affected government, finance, retail, and healthcare customers.

Amber Wolff
Senior Digital Copywriter | SonicWall
Amber Wolff is the Senior Digital Copywriter for SonicWall. Prior to joining the SonicWall team, Amber was a cybersecurity blogger and content creator, covering a wide variety of products and topics surrounding enterprise security. She spent the earlier part of her career in advertising, where she wrote and edited for a number of national clients.