The education sector is making progress in handling ransomware attacks, according to the latest report from Sophos, a cybersecurity solutions provider. The study, based on responses from 441 IT and cybersecurity leaders, found fewer ransom payments, lower costs, and quicker recovery times compared with previous years.
The findings are part of the fifth annual State of Ransomware in Education report. Ransomware has been a persistent problem for schools and universities, which are often seen as vulnerable because of limited budgets, small IT teams, and access to sensitive personal data.
“Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities of students, families, and educators,” said Alexandra Rose, director of CTU Threat Research at Sophos.
The report shows that while ransomware remains a challenge, schools are becoming more resilient. Both primary and secondary schools reported their highest success rate in four years at stopping attacks before files could be encrypted. Recovery costs also declined, with higher education seeing a 77% drop and lower education a 39% decrease.
Ransom payments, while still common, are also falling. Average demands dropped by 73% over the past year, and average payments in lower education fell from $6 million to $800,000. In higher education, the average fell from $4 million to $463,000. Nearly all institutions that suffered data encryption (97%) were able to recover their data in some way.
At the same time, the study highlighted ongoing weaknesses. About two-thirds of respondents said they lacked effective protection tools or sufficient staff to deal with ransomware. Many also admitted to having security gaps that adversaries could exploit.
In lower education, 22% of attacks began with phishing emails, a threat made harder to detect by artificial intelligence (AI) tools that can generate more convincing messages. In higher education, attackers often exploited software vulnerabilities (35%) or security gaps that institutions were not aware of (45%).
Ransomware also had a significant impact on staff. The report found that over one in four IT staff members took leave following an attack, nearly 40% reported higher stress, and more than one-third said they felt guilty about not stopping the breach.
“While it’s encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place,” Rose said. “That requires strong planning and close collaboration with trusted partners, especially as adversaries adopt new tactics, including AI-driven threats.”