Cybersecurity solutions firm Sophos has revealed that the education sector—once a prime target for cybercriminals—has made significant strides in strengthening its defenses against ever-rising ransomware attacks.

In its fifth annual State of Ransomware in Education report, released yesterday, Sophos said its global study of 441 IT and cybersecurity leaders showed measurable progress in defending against ransomware, including fewer ransom payments, reduced recovery costs, and faster restoration of systems.

Despite these improvements, the report highlighted mounting pressures on IT teams, with many reporting stress, burnout, and career disruptions following attacks. Nearly 40 percent of respondents admitted to dealing with anxiety after incidents.

Over the past five years, ransomware has become one of the most urgent threats to schools, with primary and secondary institutions often viewed by criminals as “soft targets”—underfunded, understaffed, yet holding highly sensitive data. The consequences include disrupted learning, strained budgets, and heightened fears over student and staff privacy.

The Sophos study showed that education providers are now better at reacting and responding to ransomware, which in turn is forcing cybercriminals to evolve their tactics. One emerging trend is attacks where adversaries extort money without encrypting data.

The report noted that while “paying the ransom remains part of the solution for about half of all victims,” the amounts demanded are dropping significantly. Encouragingly, among those who experienced data encryption, 97 percent were able to recover their information in some way.

Key indicators of progress included improved attack prevention, a stronger focus on following the money trail, and a dramatic reduction in recovery costs. The study found that outside of ransom payments, average recovery costs dropped 77 percent in higher education and 39 percent in lower education. However, lower education institutions still reported the highest recovery bill across all industries surveyed.

Yet, serious gaps remain. According to the report, 64 percent of victims cited missing or ineffective security solutions, 66 percent highlighted insufficient staff capacity or expertise, and 67 percent admitted to security gaps that leave them vulnerable. These risks underscore the urgent need for schools to focus more on prevention as cybercriminals turn to advanced techniques, including AI-powered attacks.

Commenting on the findings, Alexandra Rose, Director of CTU Threat Research at Sophos, said, “Ransomware attacks on schools are among the most disruptive and brazen crimes. It’s encouraging to see schools getting better at responding and recovering, but the real opportunity is to stop attacks before they start. Prevention, backed by strong incident response planning and collaboration with trusted public and private partners, is essential as adversaries adopt new tactics, including AI-driven threats.