Ransomware demands down by 73% for education, report states

Cyberattackers making ransomware demands on educational institutions fell 73% over the past year, according to a report by cybersecurity and hardware firm Sophos. Experts see this dip as giving schools some bandwidth to perfect their future responses to ransomware attempts.

The State of Ransomware in Education 2025 report found that the decrease in ransomware targeting schools is attributable to a “considerable reduction in high-value demands.” In other words, attackers may now be after smaller, quicker payouts rather than demanding huge sums of money.

Alexandra Rose, the director of government partnerships and threat research at Sophos, told IT Brew the reason for smaller demands could be ransomware attackers trying to evade law enforcement and detection.

These bad actors, according to Rose, “do know that there are certain types of attacks that draw more pressure and attention, and that would prevent them from operating their business model moving forward.”

“A bit of self-preservation, perhaps, is what’s coming through here,” Rose said. “Then just efficiency, because if you can get in, take over a little bit of the system, make some money, and move on. But you can do that five times in the time you could have done one before, and in that one, you had a really high demand, but then you had to negotiate it down.”

While the attacks and threats are still present within the education sector, the combination of fewer ransomware demands, less network encryption from successful attackers, and better institutional cybersecurity gives organizations more leverage to avoid paying bad actors.

“I don’t think a single organization says, ‘I want to give money to criminals,’ but when the demands are lower, they’re encrypting less of your network, you’re starting to get an opportunity to say…‘Maybe we won’t make this payment,’” Rose said.

Assuredly insured. Mike Hamilton, the field CISO for cybersecurity solution provider Lumifi, referenced the reduced size of ransom demands as bad actors evaluate the “market” for their targets.

“When you go after smaller organizations, you know that [they] are more poorly protected, they’re not going to have the same amount of insurance coverage,” Hamilton said. “They’re not going to be able to cover a ransom demand, so they have to set the ransom, the extortion demand, at a threshold that this company, this organization can actually consider paying.”

Once an attack happens, educational organizations are required to call their cybersecurity insurance company, provided they have one. The cyber insurers may decide to pay the ransom to get the client’s system back up and running.

“For them, this is a financial calculation,” Hamilton said. “What’s the cheapest way for us to get out of this? If [the response is] ‘pay the ransom,’ the insurance company is going to pay the ransom, if it’s ‘build the network back,’ then that’s what they’re going to suggest.”

Cyber insurers, who take a degree of control in the negotiation process when ransomware attacks happen, want to bring the situation to a close quickly, said Michael Klein, senior director for preparedness and response at the Institute for Security and Technology.

“Cyber insurers often will have an amount that they’re willing to pay, and [a] whole process that’s in place,” Klein said. “If you have gotten cyber insurance, as soon as an incident occurs, you’re handing over your control of this to an entity that’s going to do this whole negotiation process for you.”

So, is cyber insurance a good idea? Chris Schueler, the former CEO at Simeio and current CEO at cybersecurity firm Cyderes, wrote in Forbes that the argument for cyber insurance isn’t complicated, but the decision to spend money on top of cybersecurity investments could present a larger challenge.

“Many companies find that cyber insurance acquisition ultimately comes down to the gaugings of a breach against the cost of the consequence premiums,” Schueler wrote.

He said that an organization has to address the core question of if the benefits of purchasing cyber insurance outweigh the cost of it.