
Education sector improves against ransomware but IT staff suffer
A new report from Sophos shows education institutions are improving their defences against ransomware but IT staff continue to face significant mental health challenges as a result of attacks.
The fifth annual State of Ransomware in Education report, based on a survey of 441 IT and cybersecurity leaders worldwide, reveals a sector that is experiencing faster recovery and lower costs in dealing with ransomware. However, the personal toll on IT teams remains high, with nearly 40% of respondents reporting anxiety and others facing burnout and career disruptions following cyber incidents.
Sector resilience
The report identifies an increase in the education sector's capacity to block ransomware before files become encrypted. Lower education institutions managed to prevent 67% of attacks from encrypting files - their highest rate in four years - while higher education institutions achieved a 38% block rate. Nonetheless, educational organisations remain attractive targets for ransomware, due to the presence of valuable personally identifiable information (PII) and, in the case of universities, AI research and language model datasets.
Primary and secondary institutions are often considered vulnerable due to limited resources and smaller cybersecurity teams. The report points out, "Primary and secondary institutions are seen by cybercriminals as 'soft targets' - often underfunded, understaffed, and holding highly sensitive data. The consequences are severe: disrupted learning, strained budgets, and growing fears over student and staff privacy."
Financial impact drops
The requirement to pay ransoms persists, but the frequency and size of payments have decreased. Ransom demands fell 73% over the past year, according to the survey, with average requested payments dropping by USD $2.83 million. Lower education institutions reported a decline in average ransom paid, from USD $6 million to USD $800,000. In higher education, the average fell from USD $4 million to USD $463,000. Recovery costs, excluding ransom payments, also decreased by 77% in higher education and 39% in lower education, though lower education institutions still faced the highest recovery expenses of any sector.
For cases where data encryption occurred, 97% of education sector victims were able to recover their information through various means. Despite these improvements, the human and operational costs remain prominent for the sector.
Causes and vulnerabilities
The report identifies phishing as the top root cause of ransomware attacks for lower education institutions, with 23% of respondents citing it as the primary entry point. In higher education, 35% reported that exploited vulnerabilities were the leading cause. Another significant finding is that 67% of surveyed victims acknowledged ongoing security gaps, while 66% referred to insufficient staff numbers or expertise as a barrier to preventing attacks.
Ongoing challenges for IT teams
Despite the sector's defensive improvements, IT teams continue to suffer personally from the consequences of incidents. At lower education institutions, 26% of IT staff took leave after an attack, with higher education reporting a figure of 31%. Nearly 40% of respondents disclosed increased anxiety, and more than one-third experienced guilt over being unable to prevent breaches.
"Ransomware attacks in education don't just disrupt classrooms, they disrupt communities of students, families, and educators," said Alexandra Rose, Director, CTU Threat Research, Sophos. "While it's encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place. That requires strong planning and close collaboration with trusted partners, especially as adversaries adopt new tactics, including AI-driven threats."
Rise of AI-driven threats
One emerging challenge is the use of AI by attackers to create more convincing phishing emails, voice scams, and deepfake materials. The report notes that lower education institutions now face more advanced phishing attempts, with AI enabling more sophisticated lures. In higher education, attackers are exploiting unseen vulnerabilities - 45% of respondents pointed to unknown security gaps that adversaries had exploited.
Recommendations from Sophos
Sophos recommends several measures for the sector to maintain recent gains and address ongoing risks, highlighting prevention as a vital strategy. The findings on lower education's relative success in preventing attacks before encryption are seen as a potential model for other parts of the public sector. Coordinated strategies across diverse IT environments and increased reliance on managed detection and response (MDR) are advised to fill expertise gaps and ease pressure on IT staff. The firm also points to new public funding sources, such as the UK National Cyber Security Centre initiatives and US E-Rate subsidies, to improve cyber defences in schools.
The report concludes by emphasising incident readiness: institutions should prepare robust incident response plans, conduct realistic simulations, and have access to 24/7 expertise to adapt to evolving cyber threats.
The State of Ransomware in Education 2025 report is informed by organisations ranging in size from 100 to 5,000 employees across 17 countries. Respondents were surveyed between January and March 2025 regarding ransomware experiences over the previous 12 months.