
Schools reduce hacker payouts as IT teams face heavy workload

Data from 34 institutions reveals they paid about 84 per cent of the initial ransom demand.

by JACKTONE LAWI

Business | 18 September 2025 - 08:30

In Summary


  • Sophos Counter Threat Unit Director Alexandra Rose says that ransomware attacks in education don’t just disrupt classrooms; they disrupt communities of students, families, and educators.
  • Lower education providers who paid ransoms in cyberattacks are now paying less on average compared to last year.

Ransom demands by cyber criminals in the education sector have fallen to a lower level than in any other sector in 2025, hitting $697K (Sh90m), according to cyber security firm Sophos.

According to its latest State of Ransomware in Education report, the education sector is making measurable progress in defending against ransomware, with fewer ransom payments, dramatically reduced costs and faster recovery rates.

However, these gains have come at a steep cost to IT teams, who report widespread stress, burnout, and career disruptions following attacks, with nearly 40 per cent of respondents reporting that they are dealing with anxiety.

“Median ransom demands in education fell sharply, from $3.85M to $1.02M in lower education, and from $3.55M (Sh456.67 million) to $697,000 (Sh90m) in higher education—among the lowest demands across all industries surveyed,” reads the study in part.

The latest trend is a shift from the past five years, during which ransomware emerged as one of the most pressing threats to education, with attacks becoming a daily occurrence.

Sophos Counter Threat Unit Director Alexandra Rose says that ransomware attacks in education don’t just disrupt classrooms; they disrupt communities of students, families, and educators.

“While it’s encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place. That requires strong planning and close collaboration with trusted partners, especially as adversaries adopt new tactics, including AI-driven threats,” said Rose. 

Lower education providers who paid ransoms in cyberattacks are now paying less on average compared to last year.

Data from 34 institutions reveals they paid about 84 per cent of the initial ransom demand—down from 115 per cent in 2024.

The findings indicate shifting negotiation dynamics where 41 per cent of the affected schools managed to pay below the attackers’ original demand, though this was lower than the cross-sector average of 53 per cent.

Another 18 per cent paid more than the initial request, while 41 per cent settled for the exact amount demanded.

The payments show wide variation across industries, with state and local government organizations paying the highest average of $2.5 million (Sh321 million), likely driven by critical service pressures, limited cyber resilience and the urgency to restore operations quickly.

In contrast, healthcare providers recorded the lowest average payments at $150,000 (Sh19.3 million).

The global report, which also covers Kenya, shows that primary and secondary institutions are seen by cybercriminals as “soft targets”: often underfunded, understaffed and holding highly sensitive data.

Rose notes that the consequences are severe: disrupted learning, strained budgets and growing fears over student and staff privacy.

Without stronger defenses, schools risk not only losing vital resources but also the trust of the communities they serve.

While the education sector has made progress in limiting the impact of ransomware, serious gaps remain.

In the Sophos study, 64 per cent of victims reported missing or ineffective protection solutions, 66 per cent cited a lack of people (either expertise or capacity) to stop attacks and 67 per cent admitted to having security gaps.

Data from the study reveals an increase in attacks where adversaries attempt to extort money without encrypting data.

“Unfortunately, paying the ransom remains part of the solution for about half of all victims. However, the payment values are dropping significantly, and for those who have experienced data encryption in ransomware attacks, 97 per cent were able to recover data in some way,” reads the report in part.
