Ransomware demands and payments have plummeted in the education sector in the past year amid improved resilience and recovery capabilities, according to a new Sophos study.
The average ransom demand issued by attackers to lower education providers fell by 74% compared to 2024, from $3.85m to $1.02m.
The fall was even more significant in higher education, from $3.55m to $697,000, an 80% decline.
This compares to a cross-sector average fall in ransom demands of 34%, Sophos found.
The researchers noted that the fall in education is largely driven by a considerable reduction in high value demands. Lower education providers saw an 86% decrease in demands of $5m or more while higher education providers saw a 34% decrease in demands of $1m or more.
“This suggests that attackers may be shifting to chase smaller, quicker payouts rather than targeting large sums,” the researchers said.
In line with falling ransom demands, the average ransom payments made by both higher and lower education providers dropped substantially over the past year.
The median ransom paid by lower education plummeted 88% from $6.60m in 2024 to $800,000 in 2025, while payments made by higher education providers fell from $4.41m in 2024 to just $463,000.
This means education has gone from having one of the highest average ransom payments in 2024 to among the lowest in 2025.
This indicates education providers are pushing back more effectively against inflated demands, the researchers noted.
The education sector has been heavily targeted by ransomware actors in recent years, with institutions a lucrative target due to the impact of closures and the sensitive nature of data held about parents and pupils.
Of the providers who admitted paying a ransom demand, 41% paid less than was initially asked, often as a result of negotiating a lower amount with the attackers.
The new Sophos report, published on September 10, comes as pupils return to school following the Summer holidays in countries like the US and UK.
Recovery Time and Costs Plummet in Education
The declining demands and payments following ransomware attacks in education corresponded with improved resiliency in the sector.
The average recovery costs following ransomware attacks in higher education plummeted 77% in 2025, from $4.02m to $900,000.
There was a more modest fall in lower education, from $3.76m to $2.28m.
Education providers were also found to be recovering faster from ransomware attacks. Half of lower education and 59% of higher education providers fully recovered within a week, compared to 30% recorded by both in 2024.
In addition, 97% of education providers who had data encrypted were able to recover it.
Education Improving at Detecting and Blocking Attacks
In lower education, just 29% of ransomware attacks led to data encryption. This was a four-year low and the lowest rate across all industries analyzed, according to Sophos data.
The rate of attacks successfully stopped before encryption also soared from 14% to 67% in 2025 in lower education.
“This indicates that lower education providers are now more effective than ever at detecting and blocking ransomware attacks before they can do damage,” the researchers noted.
A more modest drop in attacks that led to encryption was recorded for higher education, with rates dropping to a four-year low of 58%, down from 77% in 2024.
The proportion of attacks stopped before encryption rose from 21% to 38% in higher education.
The most common reported technical root cause of ransomware attacks on lower education was phishing, used in 22% of incidents.
For higher education, exploited vulnerabilities was the most prominent root cause of ransomware incidents, used in 35% of attacks.
The Sophos report surveyed 441 IT and cybersecurity leaders from education institutions hit by ransomware in the past 12 months.
