
The State of Ransomware in Education 2025

441 IT and cybersecurity professionals share their ransomware experiences, revealing the realities facing lower and higher education providers today.

As many students across parts of the world return to class, ransomware remains a pressing threat to the education sector. Sophos’ latest annual study, based on the real-world experiences of 441 institutions hit by ransomware in the past year, reveals how lower education (students up to age 18) and higher education providers (over 18) are being impacted.

The report explores how the causes of attacks are evolving and the impact on data and recovery, and sheds new light on the lasting human impact on IT and cybersecurity teams.

Download the report to explore the full findings.



Root causes of attacks – a split picture

In lower education, phishing was the most reported technical root cause, cited in 22% of cases. However, the methods of attack were broadly distributed, with malicious emails, exploited vulnerabilities, and compromised credentials also reported at similar levels. By contrast, higher education providers were more likely to experience attacks through exploited vulnerabilities (35%) — aligning with most industries surveyed.

Organizational factors also varied. Nearly half (49%) of higher education providers identified unknown security gaps as the most common root cause. In lower education, the most frequently cited issues were a lack of expertise and limited capacity to respond to incidents (42% each). Overall, the results suggest higher education faces greater technology challenges, while lower education providers struggle more with staff-related pressures.

 



 

 

Use of backups to recover data falls to four-year low

The use of backups to restore data among education providers has dropped to its lowest point in four years. Among those that had data encrypted, only 59% of lower education institutions and 47% of higher education providers restored data using backups (down from 75% and 78%, respectively). This decline highlights ongoing challenges with maintaining consistent and reliable backup practices across the sector. The rate of education providers paying the ransom to get data back showed a similar trend, suggesting a greater reliance on multiple or alternative recovery methods.



Ransom demands and payments plummet

Ransom economics in education shifted dramatically in 2025. Median ransom demands fell sharply, dropping from $3.85M to $1.02M in lower education and from $3.55M to $697K in higher education, placing the latter among the lowest demands recorded across all industries. This suggests that attackers have potentially shifted their focus to alternative targets with larger financial profiles.

Payments followed the same downward trend. In lower education, the median payment fell from $6.60M to just $800K, while higher education saw an even steeper drop from $4.41M to $463K. Both sectors moved from being among the highest payers in 2024 to among the lowest in 2025, suggesting that education institutions are becoming more resilient to ransom pressure.

Recovery costs fall sharply in education, but lower education still bears the highest burden

Average (mean) recovery costs (excluding ransom payments) also declined year over year, dropping from $3.76M to $2.20M in lower education and from $4.02M to just $0.90M in higher education — the joint lowest across all industries surveyed. While this is encouraging, lower education still recorded the highest recovery cost of any sector, likely reflecting the limited IT resources and outdated, fragmented systems typical of the sector.

Ransomware attacks place significant pressure on IT/cybersecurity teams from senior leadership

The survey makes clear that having data encrypted in a ransomware attack has significant repercussions for IT/cybersecurity teams in the education sector, with increased pressure from senior leaders cited as the most common consequence by both lower and higher education providers.