A recent report by Sophos, a cybersecurity software company, presents surveyed insights from 441 IT and cybersecurity leaders across 17 countries. It reveals schools and universities are making measurable progress in detecting, preventing and recovering from ransomware attacks — but systemic gaps in staffing, resources and best practices leave schools particularly vulnerable.
The State of Ransomware in Education 2025 report examines the causes, scope and impacts of attacks on schools, and their evolution over time, according to Sophos.
ROOT CAUSES OF ATTACKS
Phishing, a scam that tricks people into making security mistakes, has become the leading entry point for ransomware in K-12 schools, “used in 22 percent of incidents,” the report said.
In higher education, Sophos said attackers lean more on weaknesses in institutions’ software, exploiting vulnerabilities in universities’ systems. Breaches linked to unpatched technology “penetrated establishments in 35 percent of attacks,” the report said.
DATA ENCRYPTION AND EXFILTRATION
Attackers, however, are increasingly stealing information even when they don’t encrypt it, per the report. About one-quarter, or “26 percent of lower education providers and 33 percent of higher education providers that had data encrypted also experienced data exfiltration.” This means data theft is becoming a persistent secondary threat, even when defenses succeed in stopping the most damaging encryption.
RANSOM DEMANDS AND PAYMENTS
The report also indicates that the financial burden of ransomware is shifting, with both demands and payments in education falling.
“Median ransom demands in education fell sharply: From $3.85 million to $1.02 million in lower education, and from $3.55 million to $697,000 in higher education,” per the report.
Actual payments dropped even more steeply. While costs remain substantial, Sophos’ data shows the overall ransom market in education is shrinking: “In lower education, payments dropped to $800,000 from $6.60 million, while higher education saw a decline from $4.41 million to $463,000.”
RECOVERY COSTS AND TIMELINES
Sophos’ report found improvements in how quickly and cheaply institutions can recover following a cyberattack.
“In 2025, average recovery costs in education dropped sharply,” Sophos said. “Higher education costs plummeted 77 percent from $4.02 million in 2024 to $0.90 million ... while lower education, despite a 39 percent drop from $3.76 million last year, reported the highest cost across all sectors at $2.28 million.”
The report also found that recovery timelines are speeding up, marking a noteworthy shift toward cyber resilience. According to Sophos, “half of lower education providers and 59 percent of higher education providers fully recovered within a week (both up from the 30 percent reported in 2024).”
HUMAN IMPACT
Despite signs of progress, Sophos noted that the direct toll on people working in IT and cybersecurity remains high — indicating that, for schools, the human costs of ransomware parallel their financial impacts.
IT and cybersecurity teams in the education sector reported widespread psychological strain, with 41 percent reporting increased anxiety or stress, 34 percent experiencing “feelings of guilt that the attack was not stopped in time,” and 31 percent of teams facing staff absences due to “mental health issues related to the attack.”