Sophos, a global leader and innovator of advanced security solutions for defeating cyberattacks, has released its fifth annual Sophos State of Ransomware in Education report. 

Sophos, a global leader and innovator of advanced security solutions for defeating cyberattacks, has released its fifth annual Sophos State of Ransomware in Education report. 

The global study of 441 IT and cybersecurity leaders shows the education sector is making measurable progress in defending against ransomware, with fewer ransom payments, dramatically reduced costs, and faster recovery rates. 

Yet, these gains are accompanied by mounting pressures on IT teams, who report widespread stress, burnout, and career disruptions following attacks – nearly 40% of respondents reported dealing with anxiety.

Over the past five years, ransomware has emerged as one of the most pressing threats to education, with attacks becoming a daily occurrence. Primary and secondary institutions are seen by cybercriminals as “soft targets”, often underfunded, understaffed, and holding highly sensitive data. 

The consequences are severe: disrupted learning, strained budgets, and growing fears over student and staff privacy. Without stronger defenses, schools risk not only losing vital resources but also the trust of the communities they serve.

Indicators of Success against Ransomware

The new Sophos study demonstrates that the education sector is getting better at reacting and responding to ransomware, forcing cybercriminals to evolve their approach. 

Trending data from the Sophos study reveals an increase in attacks where adversaries attempt to extort money without encrypting data. 

Unfortunately, paying the ransom remains part of the solution for about half of all victims. 

However, the payment values are dropping significantly, and for those who have experienced data encryption in ransomware attacks, 97% were able to recover data in some way. The study found several key indicators of success against ransomware in education: 

• Stopping More Attacks: When it comes to blocking attacks before files can be encrypted, both lower and higher education institutions reported their highest success rate in four years (67% and 38% of attacks, respectively) 

• Following the Money: In the last year, ransom demands fell 73% (an average drop of $2.83M), while average payments dropped from $6M to $800K in lower education and from $4M to $463K in higher education.

• Plummeting Cost of Recovery: Outside of ransom payments, average recovery costs dropped 77% in higher education and 39% in lower education. Despite this success, lower education reported the highest recovery bill across all industries surveyed.

Gaps Still Need to be Addressed

While the education sector has made progress in limiting the impact of ransomware, serious gaps remain. In the Sophos study, 64% of victims reported missing or ineffective protection solutions; 66% cited a lack of people (either expertise or capacity) to stop attacks; and 67% admitted to having security gaps. These risks highlight the critical need for schools to focus on prevention, as cybercriminals develop new techniques, including AI-powered attacks.

Highlights from the study that shed light on the gaps that still need to be addressed include: 

• AI-powered threats: Lower education institutions reported that 22% of ransomware attacks had origins in phishing. With AI enabling more convincing emails, voice scams, and even deepfakes, schools risk becoming test grounds for emerging tactics.

• High-value data: Higher education institutions, custodians of AI research and large language model datasets, remain a prime target, with exploited vulnerabilities (35%) and security gaps the provider was not aware of (45%) as leading weaknesses that were exploited by adversaries. 

• Human toll: Every institution with encrypted data reported impacts on IT staff. Over one in four staff members took leave after an attack, nearly 40% reported heightened stress, and more than one-third felt guilt they could not prevent the breach.

“Ransomware attacks on schools are among the most disruptive and brazen crimes,” said Alexandra Rose, Director, CTU Threat Research, Sophos. “It’s encouraging to see schools getting better at responding and recovering, but the real opportunity is to stop attacks before they start. Prevention, backed by strong incident response planning and collaboration with trusted public and private partners, is essential as adversaries adopt new tactics, including AI-driven threats.” 

Holding on to the Gains 

Based on its work protecting thousands of educational institutions, Sophos experts recommend several steps to maintain momentum and prepare for evolving threats:

• Focus on Prevention: The dramatic success of lower education in stopping ransomware attacks before encryption offers a blueprint for broader public sector organizations. Organizations need to couple their detection and response efforts with preventing attacks before they compromise the organization. 

• Secure Funding: Explore new avenues such as the U.S. Federal Communications Commission’s E-Rate subsidies to strengthen networks and firewalls, and the UK’s National Cyber Security Centre initiatives, including its free cyber defence service for schools, to boost overall protection. These resources help schools both prevent and withstand attacks.

• Unify Strategies: Educational institutions should adopt coordinated approaches across sprawling IT estates to close visibility gaps and reduce risks before adversaries can exploit them.

• Relieve Staff Burden: Ransomware takes a heavy toll on IT teams. Schools can reduce pressure and extend their capabilities by partnering with trusted providers for managed detection and response (MDR) and other around-the-clock expertise.

• Strengthen Response: Even with stronger prevention, schools must be prepared to respond when incidents occur. They can recover more quickly by building robust incident response plans, running simulations to prepare for real-world scenarios, and enhancing readiness with 24/7/365 services like MDR.

Data for the State of Ransomware in Education 2025 report comes from a vendor-agnostic survey of 441 IT and cybersecurity leaders – 243 from lower education and 198 from higher education institutions hit by ransomware in the past year. 

The organizations surveyed ranged from 100 – 5,000 employees and across 17 countries. 

The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.

Download the State of Ransomware in Education 2025 report on Sophos.com.

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced that Sophos Endpoint is now natively integrated and automatically included in all Taegis Extended Detection and Response (XDR) and Taegis Managed Detection and Response (MDR) subscriptions.

This milestone gives customers immediate access to combined prevention, detection, and response capabilities in a single platform, while lowering costs and simplifying operations.

The integration follows Sophos’ acquisition of Secureworks in February 2025 and represents a major milestone in combining the companies’ strengths to help customers defeat cyberattacks with a higher ROI.

Endpoint protection remains one of the most critical layers of defense against today’s cyberthreats, delivering both frontline prevention and vital telemetry for detection and response. 

With Sophos Endpoint included in all new and existing Taegis XDR and MDR subscriptions, customers can benefit from unmatched ransomware defenses and adversary mitigation capabilities that automatically deploy in the event of an attack.

The integration enables organizations to strengthen protection while lowering licensing costs, reduce management overhead through native integration, and accelerate threat mitigation with expanded response actions.

Taegis remains a fully open platform, ensuring customers continue to receive full value from their existing cybersecurity investments and maintain the freedom to use the endpoint protection solution of their choice.

This ensures that customers maximize ROI while allowing room in their budget for other cybersecurity priorities.

“Integrating Sophos Endpoint with Taegis delivers a best-in-class unified protection, detection, investigation, and response platform – while also reducing customer costs,” said Raja Patel, chief product officer at Sophos. “Too many organizations still treat endpoint protection like a commodity, and that’s exactly the mistake attackers are counting on. The reality is, not all endpoint products are built to stop today’s hands-on-keyboard attacks. Sophos Endpoint’s prevention-first capabilities, like CryptoGuard anti-ransomware protection and Adaptive Attack Protection, shut down attacks before they can escalate, which is a true game changer for enterprises managing thousands of devices. And by simplifying deployment and policy management, we’re helping organizations stay ahead of threats, lower their total cost of ownership, and maximize the return on their security investments.”

Key benefits for Taegis customers include:

• Lower costs and improved ROI: Sophos Endpoint is now automatically included with all Taegis XDR and Taegis MDR subscriptions, eliminating the need to purchase a separate endpoint security solution.
• Vendor choice preserved: Taegis remains an open platform, allowing organizations to continue using their preferred endpoint solution.
• Industry-leading protection: A 16-time leader in the Gartner® Magic Quadrant™ for Endpoint Protection Platforms, Sophos Endpoint provides unmatched defense against ransomware and other advanced threats, with features such as CryptoGuard and Adaptive Attack Protection, accessible directly from the Taegis console.
• Workflow continuity: Telemetry and detections from Sophos Endpoint are ingested into the Taegis platform, allowing customers to retain existing detection and response workflows.
• Simplified management: Customers can download, install and manage Sophos Endpoint directly from Taegis.

To support a range of environments, customers can now choose between three deployment options for endpoint protection:

• Sophos Endpoint: Natively integrated for comprehensive prevention, detection, and response in a single agent.
• Non-Sophos native integrations: Telemetry ingestion ensures full visibility from products such as CrowdStrike, Microsoft Defender, SentinelOne and Carbon Black by Broadcom.
• Other non-Sophos endpoint security solutions: Supported through a detection only sensor deployment option.

“This integration expands the value and flexibility we deliver to customers and partners,” said Chris Bell, senior vice president of Global Channel, Alliances and Corporate Development at Sophos. “By including Sophos Endpoint in Taegis, organizations gain stronger protection, reduced costs and simplified operations. For partners, it creates new opportunities to help customers consolidate tools, drive renewals and expand enterprise relationships.”

Technology Company, Globacom, has announced significant reductions in its International Direct Dialing (IDD) rates, making international calls more affordable for its existing and new customers across Nigeria.

Effective August 10, the new rates began applying to over 15 popular international destinations, including United States which will has moved to ₦30 per minute, down from ₦35, United Kingdom is now N350 from ₦400, while India also moved down to ₦40 from N45.

The rates for China, Saudi Arabia and Cameroon however recorded major reduction moving to N75, N300 and ₦700 respectively.

The reduction was also extended to African countries including Benin Republic which goes for ₦650 per minute, Niger Republic ₦750, Ghana ₦500, and Togo ₦650. United Arab Emirates also moved from ₦450 to ₦325, Germany to ₦550, Côte d’Ivoire ₦700, Libya ₦700, while calls to Malawi is now N1,100 from ₦1,200.

Glo aims to provide more value for its customers through these revised rates, encouraging them to make Glo their preferred network for international calls. New IDD bundles will also be introduced, offering frequent international callers even more attractive deals.

Globacom, which remained optimistic that frequent international callers will benefit immensely from the reductions in IDD bundles, enjoined customers to take advantage of the new rates to stay connected with friends and business associates across the globe.