The global education sector is showing progress in its fight against ransomware, with institutions reporting shorter recovery times, fewer ransom payouts, and lower overall costs, according to cybersecurity firm Sophos’ State of Ransomware in Education 2025 report.
The study, based on responses from 441 IT and cybersecurity leaders across 17 countries, highlights a shift in how schools and universities are managing ransomware incidents.
Nearly all victims of data encryption (97%) were able to recover their files, while average ransom payments dropped sharply—from millions of dollars to hundreds of thousands in both lower and higher education.
The report found that primary and secondary schools managed to stop 67% of attacks before data could be encrypted, the highest success rate in four years. In higher education, 38% of attacks were blocked at the same stage.
Financial impact is also easing. Ransom demands fell 73% in the past year, while average recovery costs declined 77% for higher education institutions and 39% for lower education. Still, lower education reported the highest recovery bills among all industries surveyed.
Despite the gains, schools remain vulnerable. Two-thirds of respondents cited gaps in staffing, expertise, or security coverage, and 64% reported ineffective protection tools.
Phishing accounted for 22% of ransomware incidents in lower education, while higher education institutions faced threats tied to unpatched vulnerabilities and high-value research data.
The toll on people remains significant. The study noted that every institution experiencing encrypted data saw an impact on IT staff, with some reporting stress, extended leave, and feelings of guilt following attacks.
“Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities,” said Alexandra Rose, director of Sophos’ CTU Threat Research.
“Schools are improving recovery, but the real priority must be prevention, especially as attackers adopt AI-driven tactics.”
Sophos urged educational institutions to continue strengthening defenses by focusing on prevention, unifying IT strategies, and easing the burden on IT teams through managed detection and response (MDR) services.
The firm also recommended preparing comprehensive incident response plans and running simulations to improve readiness.
The findings are based on a vendor-agnostic survey conducted between January and March 2025, covering institutions with 100 to 5,000 employees that had experienced ransomware attacks in the previous year.
