Press ReleaseCyber Crime & ForensicCyber Safety

Sophos Report Finds Education Sector Strengthening Against Ransomware

Recovery Times Improving with 97% of Victims Recovering Encrypted Data as Ransom Payments Fall Sharply

Sophos, a global leader and innovator of advanced security solutions for defeating cyberattacks, has released its fifth annual Sophos State of Ransomware in Education report. The global study of 441 IT and cybersecurity leaders shows the education sector is making measurable progress in defending against ransomware, with fewer ransom payments, dramatically reduced costs, and faster recovery rates.

Over the past five years, ransomware has emerged as one of the most pressing threats to education around the world—with attacks becoming a daily occurrence. Primary and secondary institutions are seen by cybercriminals as “soft targets”—often underfunded, understaffed, and holding highly sensitive data. The consequences are severe: disrupted learning, strained budgets, and growing fears over student and staff privacy. Without stronger defences, schools risk not only losing vital resources but also the trust of the communities they serve.

Indicators of Success Against Ransomware

The new Sophos study demonstrates that the global education sector is getting better at reacting and responding to ransomware, forcing cybercriminals to evolve their approach. Trending data from the Sophos study reveals an increase in attacks where adversaries attempt to extort money without encrypting data. Unfortunately, paying the ransom remains part of the solution for about half of all victims. However, the payment values are dropping significantly, and for those who have experienced data encryption in ransomware attacks, 97% were able to recover data in some way. The study found several key indicators of success against ransomware in education:

  • Stopping more attacks: When it comes to blocking attacks before files can be encrypted, both lower and higher education institutions reported their highest success rate in four years (67% and 38% of attacks, respectively).
  • Following the money: In the last year, ransom demands fell 73% (an average drop of US$2.83M), while average payments dropped from USD $6milion to USD$ 800,000 in lower education and from USD $4 million to USD $463,000 in higher education.
  • Plummeting cost of recovery: Outside of ransom payments, average recovery costs dropped 77% in higher education and 39% in lower education. Despite this success, lower education reported the highest recovery bill across all industries surveyed.

Gaps Still Need to Be Addressed

While the education sector has made progress in limiting the impact of ransomware, serious gaps remain. In the Sophos study, 64% of victims reported missing or ineffective protection solutions, 66% cited a lack of people (either expertise or capacity) to stop attacks, and 67% admitted to having security gaps. These risks highlight the critical need for schools to focus on prevention, as cybercriminals develop new techniques, including Artificial Intelligence (AI)-powered attacks.

Highlights from the study that shed light on the gaps that still need to be addressed include:

  • AI-powered threats: Lower education institutions reported that 22% of ransomware attacks had origins in phishing. With AI enabling more convincing emails, voice scams, and even deepfakes, schools risk becoming test grounds for emerging tactics.
  • High-value data: Higher education institutions, custodians of AI research and large language model datasets, remain a prime target, with exploited vulnerabilities (35%) and security gaps the provider was not aware of (45%) as leading weaknesses that were exploited by adversaries.
  • Human toll: Every institution with encrypted data reported impacts on IT staff. Over one in four staff members took leave after an attack, nearly 40% reported heightened stress, and more than one-third felt guiltthey could not prevent the breach.

“Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities of students, families, and educators,” said Alexandra Rose, Director, CTU Threat Research, at Sophos. “While it’s encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place. That requires strong planning and close collaboration with trusted partners, especially as adversaries adopt new tactics, including AI-driven threats.”

Holding On to the Gains

Based on its work protecting thousands of educational institutions, Sophos experts recommend several steps to maintain momentum and prepare for evolving threats:

  • Focus on prevention: The dramatic success of lower education in stopping ransomware attacks before encryption offers a blueprint for broader public sector organis Organisations need to couple their detection and response efforts with preventing attacks before they compromise the organisation.
  • Unify strategies: Educational institutions should adopt coordinated approaches across sprawling IT estates to close visibility gaps and reduce risks before adversaries can exploit them.
  • Relieve staff burden: Ransomware takes a heavy toll on IT teams. Schools can reduce pressure and extend their capabilities by partnering with trusted providers for managed detection and response (MDR) and other around-the-clock expertise.
  • Strengthen response: Even with stronger prevention, schools must be prepared to respond when incidents occur. They can recover more quickly by building robust incident response plans, running simulations to prepare for real-world scenarios, and enhancing readiness with 24/7/365 services like MDR.

Data for the State of Ransomware in Education 2025 report comes from a vendor-agnostic survey of 441 IT and cybersecurity leaders—243 from lower education and 198 from higher education institutions hit by ransomware in the past year. The organisations surveyed ranged from 100—5,000 employees and across 17 countries. The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.

Download a copy of the 2025 Sophos State of Ransomware in Education report on Sophos.com.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *