The education sector is showing measurable progress in fighting ransomware, with fewer institutions paying attackers and more recovering their data faster, according to a new international study.
The survey of 441 IT and cybersecurity leaders across 17 countries found that 97 percent of education providers hit by ransomware in the past year were able to recover their encrypted data. Average ransom payments also dropped sharply, with lower education institutions reporting a decline from $6 million to $800,000, and higher education from $4 million to $463,000.
The findings were contained in the State of Ransomware in Education 2025 report commissioned by global cybersecurity company Sophos.
“Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities of students, families, and educators,” said Alexandra Rose, director of Sophos’ Threat Research Unit.
The study, conducted between January and March this year, focused on primary, secondary, and higher education institutions that had suffered ransomware attacks.
“While it’s encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place,” Rose said.
Schools are also becoming more effective at stopping attacks before damage occurs. Lower education institutions reported blocking 67 percent of ransomware attempts before files could be encrypted, the highest success rate across all industries surveyed.
Despite these gains, the report underscored ongoing vulnerabilities. Sixty-four percent of respondents admitted they had missing or ineffective protection tools, 66 percent cited a lack of expertise or staff capacity to respond, and 67 percent acknowledged security gaps that left them exposed.
Moreover, the study noted that attackers are adapting, with more incidents involving data theft and extortion rather than encryption. It flagged AI-powered threats such as phishing, voice scams, and deepfakes as emerging risks for schools worldwide.
Locally, cybersecurity burnout is compounding those risks. In a separate interview, Gavin Struthers, Senior Vice President for Asia Pacific & Japan at Sophos, said nearly nine in 10 Philippine firms are experiencing cybersecurity burnout, citing alert overload, unclear strategies, and lack of resources as top causes.
Struthers warned that such stress often translates into lost productivity, mental health strain, and even leadership turnover during crises.
To address these risks, Sophos urged education providers to build on recent improvements by focusing on prevention, strengthening incident response plans, and working with trusted partners to sustain resilience against evolving ransomware tactics.
