Recovery times improve and ransom payments fall, but mounting staff stress and burnout reveal the hidden toll of cyberattacks
The education sector is making strides in the fight against ransomware, according to Sophos’ State of Ransomware in Education 2025 report. The global study of 441 IT and cybersecurity leaders highlights encouraging progress: schools are blocking more attacks, ransom payments are down sharply, and recovery times are improving. Yet, behind these gains lies a troubling reality—IT teams are under immense personal and professional strain. Nearly 40% of respondents reported experiencing anxiety, while over a quarter took leave following an attack.
For years, cybercriminals have viewed education as a “soft target”—underfunded, understaffed, and in possession of highly sensitive data. Ransomware attacks have led to disrupted classes, financial burdens, and growing fears about privacy. But according to Sophos, the sector’s resilience is increasing.
“Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities of students, families, and educators.”
– Alexandra Rose, Director, CTU Threat Research, Sophos
Signs of Progress
- Stopping more attacks: Primary and secondary institutions blocked 67% of ransomware attempts before file encryption, their highest success rate in four years.
- Falling ransom costs: Average payments dropped from $6M to $800K in lower education, and from $4M to $463K in higher education.
- Faster recovery: 97% of institutions that had data encrypted were able to recover it, with recovery costs also dropping significantly.
However, Sophos also noted worrying shifts in attacker tactics, with extortion without encryption becoming more common.
Gaps That Remain
Despite improvements, significant vulnerabilities persist. Two-thirds of respondents cited a lack of expertise or capacity to stop attacks, while 67% admitted to ongoing security gaps. The rise of AI-driven threats, including sophisticated phishing and deepfake attacks, poses fresh risks, particularly for institutions with limited cyber defenses.
“While it’s encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place,” said Alexandra Rose, Director, CTU Threat Research, Sophos. “That requires strong planning and close collaboration with trusted partners, especially as adversaries adopt new tactics, including AI-driven threats.”
Looking Ahead
Sophos recommends that educational institutions double down on prevention, unify cybersecurity strategies across IT estates, secure sustainable funding, and relieve staff burden through partnerships such as Managed Detection and Response (MDR).
As ransomware continues to evolve, the report makes clear that while education is winning some battles, the war will demand both technological resilience and support for the people on the frontlines.
