Ransomware attacks targeting schools showed a slight numerical decline in 2025, but the overall threat to student and institutional data remained significant. According to the “Education Ransomware Roundup” report released by Comparitech, cybercriminals launched more than 251 ransomware attacks against educational institutions in 2025. While this figure represents only a modest change compared to the 240 attacks recorded in 2024, researchers emphasize that the scale of data exposure increased, making the impact more severe despite the relatively stable attack volume.
One notable trend highlighted in the study is that K-12 schools bore the brunt of these incidents. Although higher education institutions have historically been attractive targets due to their vast data repositories, primary and secondary schools were disproportionately affected in 2025. These institutions often lack the cybersecurity infrastructure and dedicated IT security teams available to universities, making them easier entry points for attackers. As a result, sensitive data—including student records, staff information, and financial details—was more frequently exposed.
The report also links several major breaches to vulnerabilities in Oracle E-Business Suite, particularly a flaw discovered in August. This vulnerability was exploited by the CLOP ransomware gang through a zero-day attack, leading to data breaches at more than five educational institutions. The incident underscores how unpatched software and supply-chain weaknesses continue to create systemic risks across the education sector.
Interestingly, while data exposure increased, the average ransom demand declined. Researchers observed that the minimum average ransom demand in 2025 was approximately $464,000, compared to $694,000 in 2024. This drop may suggest a strategic shift by attackers. Education and healthcare institutions typically operate on tight budgets, so lower ransom demands may increase the likelihood of payment. By asking for less, cybercriminals may be improving their success rates and securing quicker payouts.
Another concerning factor is the role of third-party mediators in ransom negotiations. These intermediaries are often brought in to facilitate discussions between victims and attackers. However, because some mediators receive a percentage of the ransom paid, critics argue that this arrangement may unintentionally incentivize payment rather than resistance, perpetuating the ransomware cycle.
Rebecca Moody, Head of Research at Comparitech, notes that many schools remain reluctant to openly discuss ransomware incidents. The stigma surrounding file-encrypting malware attacks often discourages transparency. Yet greater openness could help institutions learn from one another, strengthen defenses, and adopt proactive risk-mitigation strategies. In an environment where cyber threats continue to evolve, collaboration and transparency may be just as critical as technological safeguards.
