Universities and higher education institutions were some of the most popular targets in 2021. According to Microsoft, education is the most targeted industry by malware, with 83% of malware encounters in the last 30 days affecting this industry. 

In March 2021, the UK’s National Cyber Security Center published an alert outlining an increase in ransomware attempts against the UK education sector.

Then, at the end of 2021, researchers observed an advanced persistent threat group, Aquatic Panda, specifically targeting universities with Log4J exploits

So why is the education sector such a hot target, and what else can we learn from 2021? 

Remote Learning Increases Attack Surface for Higher Education

Universities hold useful data and intellectual property, yet they rarely have the resources to defend their networks that other companies do.

Furthermore, their attack surfaces have increased rapidly over the past two years. Most businesses have been increasingly adopting new cloud and digital platforms, enabling them to be far more effective than in the past. Education institutions are no exception to this trend; many have had to quickly respond to challenging remote working conditions to add new capabilities to engage learners and store files.

Ransomware risks heightened

In May and June 2021 the UK education sector experienced a wave of ransomware attacks. NSCS, who published an alert on the surge, reported that these attacks led to “the loss of student coursework, school financial records, as well as data relating to COVID-19 testing”.

As we have discussed at length before, a common technique for ransomware operatives is to add pressure to the victims by publishing stolen data online. According to Digital Shadows (now ReliaQuest)’ Intelligence, there were 86 victims of “double-extortion” ransomware in 2021. 

Ransomware victims in the education sector in 2021

Supporting the successful ransomware efforts were Initial Access Brokers, who offered access to 28 education institutions in 2021. Previous research by Photon, An Excess of Access, found access to education was offered for an average of $4,118.

Lack of availability

On some occasions, the intended motivation of the threat actor isn’t clear. In May 2021, a DDoS attack impacted over 200 Belgian websites, which included those owned by universities and research institutes. 

By targeting Belnet, and ISP, the attacks overwhelmed the websites with traffic, rendering their public-facing sites unusable for visitors, cutting off internal systems from the internet. Attackers reportedly used a diverse arrange of techniques, which were consistently altered throughout the attack. 

Gain industry-specific intelligence with SearchLight

Data exposure on ransomware dump sites and initial access brokers have merged as some of the top dark web monitoring use cases. SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) users can subscribe to all of this intelligence while making it specific to their industry and geography.

Filtering by target sector in SearchLight 


You can explore a large selection of our intelligence within Test Drive, which you can sign up for for free for seven days.