Terry KS Sophos’ latest report shows education institutions are making progress against ransomware with reduced costs and better recovery, but warns of rising AI-powered threats and persistent security gaps.
MALAYSIA, 19 SEPTEMBER 2025 – Sophos has released its fifth annual State of Ransomware in Education 2025 report, showing schools and universities are making measurable progress in defending against ransomware, with lower ransom payments, reduced recovery costs, and faster recovery rates. However, the study warns that gaps in resources and the rise of AI-powered threats could undermine these gains if not addressed.
The global survey of 441 IT and cybersecurity leaders found that lower and higher education institutions achieved their highest success rates in blocking attacks before file encryption in four years. Average ransom payments dropped significantly, with higher education seeing costs fall from US$4 million to US$463,000, while lower education dropped from US$6 million to US$800,000. Recovery costs outside ransom also plummeted, down 77% in higher education and 39% in lower education.
Despite these advances, challenges remain. Two-thirds of respondents cited insufficient staff or expertise to stop attacks, while 67% admitted to having security gaps. Lower education institutions reported that phishing—amplified by AI—was behind 22% of ransomware incidents. Higher education institutions, often holding sensitive AI research and datasets, remain high-value targets with vulnerabilities frequently exploited.
“Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities,” said Alexandra Rose, Director, CTU Threat Research at Sophos. “While schools are becoming stronger at responding, the priority must be prevention, particularly as adversaries adopt AI-driven tactics.”
Sophos recommends that schools focus on prevention, unify cybersecurity strategies, ease the burden on IT staff by partnering with providers for managed detection and response (MDR), and strengthen incident response preparedness.
The report is based on data collected from January to March 2025 across 17 countries, surveying institutions with between 100 and 5,000 employees that experienced ransomware in the past year.
Download the full report at Sophos.com.