A new global report by cybersecurity firm Sophos has revealed that schools are making major progress in tackling ransomware attacks, but the human cost on IT professionals is becoming a serious concern.

According to the fifth annual State of Ransomware in Education study, 97% of schools that had their data encrypted were able to recover it, showing significant improvements in cybersecurity resilience. The study also reported a 73% drop in ransom payments, with average payments in lower education institutions falling from $6 million to $800,000, and in higher education from $4 million to $463,000.

Recovery costs have also decreased dramatically — down 77% in higher education and 39% in lower education. Schools are also stopping more attacks before they cause damage, with lower education reporting its best success rate in four years (67%).

However, this progress has come at a steep personal cost for IT staff. The report found that 100% of institutions with encrypted data reported negative impacts on their IT teams. Nearly 40% of IT staff reported severe stress and anxiety, over one in four needed time off work, and more than a third felt personal guilt for not preventing the attacks.

Despite improvements, schools remain vulnerable. The report showed that:

64% of victims lacked proper protection solutions

66% cited insufficient staff expertise or capacity

67% admitted to security gaps exploited by attackers

The threat landscape is also shifting. Attackers are increasingly relying on extortion without data encryption, while AI-powered phishing is making scams harder to detect. In fact, 22% of lower education attacks began with phishing, and 45% of higher education attacks exploited unknown security weaknesses.

Commenting on the findings, Alexandra Rose, Director of CTU Threat Research at Sophos, said:

“Ransomware attacks on schools are among the most disruptive and brazen crimes. It’s encouraging to see schools getting better at responding and recovering, but the real opportunity is to stop attacks before they start. Prevention, strong response planning, and collaboration are essential as adversaries adopt new tactics, including AI-driven threats.”

 

The survey covered 441 IT and cybersecurity leaders from schools in 17 countries, conducted between January and March 2025.