$3.56 billion: That’s what ransomware attacks cost U.S. schools and colleges in downtime alone in 2021. Administrators also faced additional recovery costs to restore computers, recover data and fortify their systems against future attacks, according to a report from Comparitech.

In 2021, 67 individual ransomware attacks — that essentially take a computer network hostage and can bring operations to a screeching halt for days — hit 954 schools and colleges that served more than 950,000 students. The good news: the attacks and the downtime they cause declined in 2021.

Still, these attacks are deeply disruptive. For example, some districts faced “double-extortion” attempts where hackers locked down computer systems and stole data that they threatened to post online. Hackers demanded $40 million from Broward County Public Schools, which offered to pay $500,000. The hackers reduced their ransom to $10 million before posting 25,971 of the Florida district’s files online. Hackers also posted thousands of files online when Clover Park School District in Washington and the Logansport Community School Corporation in Indiana did not pay ransoms in separate attacks, the report says.

Sometimes, the recovery costs far exceeded the ransom demand. Buffalo Public Schools in New York refused to pay a $100,000 to $300,000 ransom but spent an estimated $10 million on recovery costs. Judson Independent School District in Texas, however, paid $547,000 to prevent the release of sensitive data and regain control of its phone and email systems, according to the report.

Measuring the full impact of these cyber-crimes on education is difficult because some schools and colleges do not report the attacks publicly, particularly when a ransom has been paid. Administrators are forced to disclose the incidents when student data is compromised or systems are significantly disrupted. Administrators are also more likely to publicize an attack when a ransom isn’t paid.

Here are some of the report’s key figures:

  • 19% decrease: In the number of attacks on schools and colleges in 2021 compared to 2020.
  • 46% decrease: In the number of schools and colleges targeted in 2021 compared to 2020.
  • $100,000 to $40 million: The range of ransoms demanded.
  • 4 days: The average downtime caused by cyberattacks.
  • 1 month: The average time it takes to recover from an attack.
  • $547,000:The ransom hackers were paid in one attack.
  • 6: The number of incidents reported in New York, the state with the most attacks.

So far this year, ransomware attacks and downtimes have been lower across K-12. However, districts often don’t disclose the attacks until after they’ve happened. “We are seeing a promising trend of reduced downtime and attacks,” the report says. “While hackers may be becoming more targeted in their approach, the lower downtime figures suggest schools are more prepared for these attacks and are better able to restore their systems from backups or mitigate the effects of the attacks.”