This creates a predicament for schools because the data may contain extremely sensitive information. Schools store staff and student addresses as well as other personally identifiable information that they have a responsibility to protect. The release of this information could put students at risk and potentially expose districts to lawsuits and penalties.
Should School Districts Pay the Ransom in a Ransomware Attack?
Unfortunately, there’s no simple answer to whether schools should pay up in response to a ransomware attack.
The decision to pay is usually determined by a district’s cybersecurity insurance and legal counsel. When a district is hit with an attack, the insurance company will often provide legal support and coaches who work with the school as they make any required breach notifications. Then, the insurer will determine whether the district should pay the ransom. This calculus depends on the nature of the data exfiltrated and encrypted, whether the threat actor is a sanctioned entity, and more.
There is no guarantee for schools that the data will be released even if they pay. Threat actors differ in how they handle the return of data after a breach. However, ransomware is a trust-based economy. If a district pays and the criminals don’t decrypt the files, they’re less likely to be paid by the next target.
Schools should be aware that returned or decrypted files may be corrupted. So, even if a district gets its files back, there may be missing or inaccessible information.
Click the banner to explore incident response resources from the experts at CDW.