Report: Schools and governments slammed by ransomware attacks, but root causes vary by industry

No industry is immune to ransomware, but some sectors are far better equipped than others at foiling attacks and recovering from the ones that succeed.

A 2023 report from cybersecurity vendor Sophos frames ransomware as a crisis that flourishes by exploiting weaknesses and constraints particular to each industry. The report, based on a survey of 3,000 IT and cybersecurity leaders conducted between January and March 2023, identifies the most common root causes of ransomware attacks and how their prevalence varies across industries and revenue brackets.

Let’s break down what the study found.

Leading root causes of ransomware

Among organizations that recorded one or more ransomware attacks in the past year, 36% of attacks began with an exploited vulnerability, the leading root cause for the second year running. Most of these attacks could likely have been prevented by diligent patching. In over half of the investigations in which an exploited vulnerability was the root cause, the ProxyShell or Log4Shell vulnerabilities were present on the affected assets, even though patches had been available since May 2021 (ProxyShell) and December 2021 (Log4Shell).
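As an added illustration of the kind of check that catches a lingering Log4Shell exposure before an attacker does (this is the editor's example, not code from Sophos or SC Media), the script below walks a directory tree, opens every `.jar` it finds, reads the Maven `pom.properties` that ships inside `log4j-core`, and reports versions still affected by CVE-2021-44228. The affected range (2.0-beta9 through 2.14.1, with the backported fixes 2.12.2+ for Java 7 and 2.3.1+ for Java 6 excluded) is from the Apache advisory; the sample jars are constructed in a temporary directory so the script runs offline. Pre-release qualifiers such as `-beta9` are ignored when comparing versions, which is an assumption made for brevity.

```python
"""Find log4j-core jars on disk and report versions still exposed to Log4Shell (CVE-2021-44228)."""
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Maven metadata path that log4j-core jars carry; used as the version-of-record.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; qualifiers are ignored (assumption)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_log4shell_vulnerable(v: Version) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9..2.14.1, except the 2.12.2+ and 2.3.1+ backports."""
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    if (2, 12, 2) <= v < (2, 13, 0):   # Java 7 backport line
        return False
    if (2, 3, 1) <= v < (2, 4, 0):     # Java 6 backport line
        return False
    return True


def jar_log4j_version(path: str) -> Optional[str]:
    """Return the log4j-core version recorded in the jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(path) as z:
            if POM_PROPS not in z.namelist():
                return None
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    return None


def scan(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, version) for every vulnerable log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            ver = jar_log4j_version(path)
            if ver is None:
                continue
            parsed = parse_version(ver)
            if parsed and is_log4shell_vulnerable(parsed):
                findings.append((os.path.relpath(path, root), ver))
    return sorted(findings)


def _make_jar(path: str, version: str) -> None:
    """Write a minimal jar carrying only the log4j-core pom.properties (constructed test fixture)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                              f"artifactId=log4j-core\n")


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree with one stale, one patched and one backport-fixed jar, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app1", "lib"))
        os.makedirs(os.path.join(root, "app2", "lib"))
        _make_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
        _make_jar(os.path.join(root, "app2", "lib", "log4j-core-2.17.1.jar"), "2.17.1")
        _make_jar(os.path.join(root, "app2", "lib", "log4j-core-2.12.2.jar"), "2.12.2")
        # An unrelated jar with no log4j-core metadata must be ignored.
        with zipfile.ZipFile(os.path.join(root, "app1", "lib", "other.jar"), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return scan(root)


if __name__ == "__main__":
    for rel, ver in demo():
        print(f"VULNERABLE {rel} (log4j-core {ver})")
```

Two caveats a practitioner will want to keep in mind: the scan only inspects top-level jars, so a `log4j-core` shaded into a fat jar or nested inside a `.war`/`.ear` is missed, and the version string is trusted as shipped, so a jar whose classes were patched in place without updating the metadata will be misreported.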

These findings align with an August 2023 joint advisory from the Five Eyes cybersecurity agencies, which found that the vulnerabilities most frequently exploited in 2022 were not newly surfaced flaws but ones that had been discovered, disclosed and patched in 2020 and 2021 or earlier. "Exploiting a vulnerability is once again the leading root cause this year, which means we're still not properly patching our environments," says John Shier, Senior Security Advisor at Sophos. "I think there's been partly a collective failure across the entire industry. We've got to get better at producing more secure software."

Compromised credentials were the second most common root cause, behind 29% of ransomware cases. Earlier this year, the Sophos Incident Response team handled two separate engagements in which clients were hit by the Akira ransomware family; in both, the attackers dumped LSASS process memory to harvest credentials for the victim's network, an increasingly common tactic in the ransomware-as-a-service toolkit. Email also remained a frequent way past company defenses: 18% of attacks started with a malicious email and 13% with phishing, while 3% began with a brute-force attack and 1% with a download. Emotet, Mimikatz and Agent Tesla were the most prominent tools for weaponizing stolen credentials and passwords to gain entry.

Root causes: By industry

The entertainment and media industry may dominate the spotlight, but it is no match for ransomware. Media, leisure and entertainment companies were the most likely to suffer ransomware attacks that began with an exploited vulnerability in their devices or software (55%).

Central and federal government agencies, meanwhile, reported the highest share of attacks originating with compromised credentials (41%). Whether that reflects a higher rate of credential theft in the sector or a weaker ability to stop stolen credentials from being used, it is clear that criminals see enormous value in the credentials of government users who may hold access to classified intelligence, critical infrastructure and other assets tied to national security.

IT, technology and telecoms reported the lowest rates for both exploited vulnerabilities (22%) and compromised credentials (22%), which likely reflects stronger defenses in that sector. At the same time, it reported the highest rate of email-based attacks, with over half (51%) starting in users' inboxes.

Root causes: By revenue size

Interestingly, companies in both the highest annual revenue bracket ($5 billion or more) and the lowest ($10 million or less) were the most likely to suffer a ransomware attack that began with an exploited vulnerability, at 45% and 50% respectively.

Compromised credentials, on the other hand, were most often the root cause among businesses in the middle revenue brackets (33%). They accounted for only 23% of cases in the lowest revenue cohort and 26% in the highest.

The most (and least) vulnerable industries

When it comes to the hardest-hit industries, education is the clear frontrunner. Both lower education (80%) and higher education (79%) reported at least one ransomware attack in the past year, 8 to 9 percentage points above the next most vulnerable industry (construction and property, at 71%). This is likely because educational institutions do not ordinarily receive the technology and staffing resources other industries do, and attackers have learned to take advantage of it. In 2023 alone, multiple school systems have come under heavy fire from ransomware groups: Des Moines Public Schools in January, New Hampshire's Nashua School District in April and the Colorado Department of Higher Education in June, to name just a few.

“Schools are notoriously short on resources,” says Chester Wisniewski, Field CTO of Applied Research at Sophos. “They usually don't have a big security team and, unfortunately, they also have more adversaries than any other sector in the world because every student could be considered an adversary in addition to all the criminals that are trying to get in.” 

Perhaps unsurprisingly, the IT, technology and telecoms industry reported the lowest attack rate of any sector (50%), which may simply reflect a greater propensity to invest in and deploy security products. It was also the only sector in which ransomware actors managed to encrypt data in fewer than half (47%) of attacks; in every other sector, two-thirds or more of attacks resulted in data being encrypted.

To learn more, access the entire Sophos report.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
