Phishing has become the most common tactic for ransomware attacks, and is often successful for these three reasons.
About a quarter of ransomware attacks succeed through phishing, according to “The State of Ransomware in Education 2025,” an annual report from Sophos, a security software and hardware company. Other popular methods of attack include malicious emails (21%), exploiting school vulnerabilities (21%), compromised emails (19%) and downloading malware (11%).
In previous conversations with IT leaders, District Administration has learned that various factors weaken K12 cybersecurity, including inadequate funding and manpower. According to the report, there were three root causes successful attacks, according to victims surveyed:
- Security gaps (67%): The school had a known or unknown weakness in its defenses.
- Resource challenges (66%): Lack of human expertise or capacity to detect and stop the attack in time.
- Protection challenges (64%): Lack of quality network security that could not stop the attack.
What’s happening to data?
Fortunately, the research suggests that a decrease in malicious encryption, the process by which cyberattackers scramble a victim’s data after gaining access to make it inaccessible without a decryption key.
In “lower education” (a term some researchers use to describe education providers for students up to 18 years old), only 29% of attacks led to data encryption, marking a four-year low for the sector.
Furthermore, the rate at which ransomware attacks are stopped before encryption can occur has soared from 14% in 2025 to 67% in 2025.
“This indicates that lower education providers are now more effective than ever at detecting and blocking ransomware attacks before they can do damage,” the report reads.
Among cases where data was encrypted, only 3% of schools were unable to recover their stolen data. Around 50% of K12 schools used backup solutions to recover their data, compared to 59% of higher education institutions that paid off their ransom.
Regardless, lower education institutions pay more on average in ransomware demands than higher education institutions. Here’s a brief comparison:
| 2024 | 2025 | |
| Lower education | ~$6.6 million | ~$800,000 |
| Higher education | ~4.41 million | ~463,000 |
Recommendations
While there are signs of improvement in the education sector’s ability to recognize and prevent cyberattacks from escalating, several improvements are still needed, according to the researchers. Including:
- Taking steps to eliminate cybercriminals’ ability to gain access to your network, including phishing training, recognizing malicious emails, etc.
- Investing in dedicated anti-ransomware protection to stop and roll back malicious encryption.
- Implementing around-the-clock threat detection and response. If you lack the resources or skills, consider working with a management detection and response provider.
- Making quality backups and regularly practicing restoring data to accelerate recovery in the event of an attack.
More from DA: The federal push for charter schools just got more expensive
