Corrected: A previous version of this article should have said that schools and universities around the world continue to be one of the top target of ransomware gangs.
Schools and universities around the world continue to be one of the top targets of ransomware gangs, analyses by cybersecurity companies show.
Ransomware attacks against schools, colleges, and universities globally increased 23% year over year in the first half of 2025, finds a July 2 analysis from Comparitech, a website that reviews cybersecurity products.
Additionally, a survey of 1,500 IT and security professionals across multiple industries found that 61% of those in the education sector reported that their organization was targeted by ransomware in the past 12 months, according to cybersecurity company Semperis’ annual global study.
Education was the fourth-most targeted sector during the first half of 2025, based on Comparitech’s analysis, with an estimated 130 ransomware attacks and an average ransom demand of $556,000. The business, government, and health care sectors were the top three targets for ransomware attacks, according to Comparitech.
A separate report from cybersecurity company Lumu Technologies actually found that the education sector is the most affected by ransomware attacks, accounting for nearly 40% of the incidents detected by its products.
Schools are tempting targets for hackers because they have tons of sensitive data and have become more reliant than ever on digital tools.
District technology leaders are aware of this “persistent” concern, said Amy McLaughlin, the project director for the Consortium for School Networking’s cybersecurity initiatives. CoSN’s annual “State of EdTech District Leadership” report shows that cybersecurity continues to be the top concern for district technology leaders.
“The challenge is, not only are [cyberattacks] ongoing, but the complexity—the sophistication—continues to increase, and that’s getting fueled by AI,” McLaughlin said. Many of the red flags that experts used to tell people to look for in phishing attacks, such as weird grammar or tone, can be solved with generative AI now, she added.
Another challenge for districts is “they don’t have a lot of funding and staff who are trained” on cybersecurity, McLaughlin said. “They’re in this Catch-22 of trying to defend against highly sophisticated attackers with very limited budgets and very limited staffing.”
How schools can protect against ransomware attacks
In a ransomware attack, cybercriminals break into a district or school’s network and take data and encrypt it, essentially preventing the district from accessing the data. The hackers agree to decrypt and return the data if the district or its cybersecurity insurance company pays a ransom. Attackers may also threaten to release student and employee data to the public if they aren’t paid.
In some cases in the past, districts have paid the ransom. But guidance from the FBI and the Cybersecurity and Infrastructure Security Agency discourages paying the ransom because it doesn’t guarantee that the data will be decrypted or that the systems will no longer be compromised. Paying the cyber criminals also encourages hackers to target more victims.
But the question of whether to pay ransom does not always have a simple answer, especially for districts that have to ensure continuity of operations, according to experts. As a result of insufficient cybersecurity resources, districts sometimes have to pay ransom fees to get their systems back because starting from scratch would be more expensive.
Here are tips from experts on how K-12 schools can stay vigilant against ransomware attacks:
- Have a point person for cybersecurity. This person should be coordinating across the whole district to ensure cybersecurity best practices are being followed.
- Build a culture of cyber safety. Cybersecurity is the whole district’s responsibility. There should be regular training for everyone who accesses district networks.
- Make sure to have basic cybersecurity protections, such as employing spam filters and anti-phishing tools, turning on multifactor authentication, backing up data regularly, and storing the information on a different network.
- Establish an incident-response plan in the event of a hack and practice it like a fire drill.
