Sophos, the cybersecurity firm, has released its fifth annual State of Ransomware in Education report, revealing both progress and persistent challenges in the sector’s fight against cyberattacks.
The global survey of 441 IT and cybersecurity leaders shows schools and universities are making measurable strides in defending against ransomware, with fewer ransom payments, reduced recovery costs, and faster restoration times. However, these improvements come at a personal cost for IT teams, who report high levels of stress, burnout, and even career disruption following attacks. Nearly 40% of respondents admitted to experiencing anxiety.
Over the past five years, ransomware has become one of the most severe threats facing education. Primary and secondary schools are often underfunded and understaffed, making them attractive “soft targets” for cybercriminals. The consequences of attacks extend beyond disrupted learning and strained budgets to fears over student and staff privacy.
The Sophos report highlights notable progress. Both lower and higher education institutions reported their highest success rates in blocking ransomware before data encryption in four years. Ransom demands and payments are falling dramatically: average payments dropped from $6 million to $800,000 in lower education, and from $4 million to $463,000 in higher education. Recovery costs are also dropping, with higher education institutions reporting a 77% decrease and lower education a 39% decrease.
Yet, significant gaps remain. Sixty-four percent of surveyed victims admitted to missing or ineffective protection solutions, while two-thirds pointed to a lack of expertise or capacity to stop attacks. Security weaknesses, such as exploited vulnerabilities and overlooked protection gaps, continue to leave schools exposed.
Emerging technologies are also fueling new threats. Lower education institutions reported that nearly a quarter of ransomware incidents originated from phishing, with AI-powered emails, voice scams, and deepfakes making attacks harder to detect. Meanwhile, higher education institutions remain prime targets due to their role as custodians of AI research and large datasets, making them especially vulnerable to sophisticated exploits.
The toll on human staff is another pressing concern. Every institution that reported data encryption also noted impacts on IT personnel. More than one in four staff members took leave after an attack, nearly 40% reported elevated stress, and over a third felt personal guilt for not preventing breaches.
“Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities of students, families, and educators,” said Alexandra Rose, Director of CTU Threat Research at Sophos. “While it’s encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place. That requires strong planning and close collaboration with trusted partners, especially as adversaries adopt new tactics, including AI-driven threats.”
Sophos experts recommend schools maintain momentum by focusing on prevention, securing funding through programs such as the U.S. FCC’s E-Rate subsidies and the UK’s NCSC initiatives, and unifying cybersecurity strategies across sprawling IT systems. To ease the burden on staff, schools are encouraged to partner with managed security providers for around-the-clock monitoring, detection, and response. Robust incident response planning and regular simulations are also emphasized as critical to recovery.
The State of Ransomware in Education 2025 report is based on a vendor-agnostic survey conducted between January and March 2025 across 17 countries. Respondents came from both lower education (243 participants) and higher education (198 participants) institutions with staff sizes ranging from 100 to 5,000 employees.