Sophos, a global leader and innovator of advanced security solutions for defeating cyberattacks, has released its fifth annual Sophos State of Ransomware in Education report. 

Sophos, a global leader and innovator of advanced security solutions for defeating cyberattacks, has released its fifth annual Sophos State of Ransomware in Education report. 

The global study of 441 IT and cybersecurity leaders shows the education sector is making measurable progress in defending against ransomware, with fewer ransom payments, dramatically reduced costs, and faster recovery rates. 

Yet, these gains are accompanied by mounting pressures on IT teams, who report widespread stress, burnout, and career disruptions following attacks – nearly 40% of respondents reported dealing with anxiety.

Over the past five years, ransomware has emerged as one of the most pressing threats to education, with attacks becoming a daily occurrence. Primary and secondary institutions are seen by cybercriminals as “soft targets”, often underfunded, understaffed, and holding highly sensitive data. 

The consequences are severe: disrupted learning, strained budgets, and growing fears over student and staff privacy. Without stronger defenses, schools risk not only losing vital resources but also the trust of the communities they serve.

Indicators of Success against Ransomware

The new Sophos study demonstrates that the education sector is getting better at reacting and responding to ransomware, forcing cybercriminals to evolve their approach. 

Trending data from the Sophos study reveals an increase in attacks where adversaries attempt to extort money without encrypting data. 

Unfortunately, paying the ransom remains part of the solution for about half of all victims. 

However, the payment values are dropping significantly, and for those who have experienced data encryption in ransomware attacks, 97% were able to recover data in some way. The study found several key indicators of success against ransomware in education: 

• Stopping More Attacks: When it comes to blocking attacks before files can be encrypted, both lower and higher education institutions reported their highest success rate in four years (67% and 38% of attacks, respectively) 

• Following the Money: In the last year, ransom demands fell 73% (an average drop of $2.83M), while average payments dropped from $6M to $800K in lower education and from $4M to $463K in higher education.

• Plummeting Cost of Recovery: Outside of ransom payments, average recovery costs dropped 77% in higher education and 39% in lower education. Despite this success, lower education reported the highest recovery bill across all industries surveyed.

Gaps Still Need to be Addressed

While the education sector has made progress in limiting the impact of ransomware, serious gaps remain. In the Sophos study, 64% of victims reported missing or ineffective protection solutions; 66% cited a lack of people (either expertise or capacity) to stop attacks; and 67% admitted to having security gaps. These risks highlight the critical need for schools to focus on prevention, as cybercriminals develop new techniques, including AI-powered attacks.

Highlights from the study that shed light on the gaps that still need to be addressed include: 

• AI-powered threats: Lower education institutions reported that 22% of ransomware attacks had origins in phishing. With AI enabling more convincing emails, voice scams, and even deepfakes, schools risk becoming test grounds for emerging tactics.

• High-value data: Higher education institutions, custodians of AI research and large language model datasets, remain a prime target, with exploited vulnerabilities (35%) and security gaps the provider was not aware of (45%) as leading weaknesses that were exploited by adversaries. 

• Human toll: Every institution with encrypted data reported impacts on IT staff. Over one in four staff members took leave after an attack, nearly 40% reported heightened stress, and more than one-third felt guilt they could not prevent the breach.

“Ransomware attacks on schools are among the most disruptive and brazen crimes,” said Alexandra Rose, Director, CTU Threat Research, Sophos. “It’s encouraging to see schools getting better at responding and recovering, but the real opportunity is to stop attacks before they start. Prevention, backed by strong incident response planning and collaboration with trusted public and private partners, is essential as adversaries adopt new tactics, including AI-driven threats.” 

Holding on to the Gains 

Based on its work protecting thousands of educational institutions, Sophos experts recommend several steps to maintain momentum and prepare for evolving threats:

• Focus on Prevention: The dramatic success of lower education in stopping ransomware attacks before encryption offers a blueprint for broader public sector organizations. Organizations need to couple their detection and response efforts with preventing attacks before they compromise the organization. 

• Secure Funding: Explore new avenues such as the U.S. Federal Communications Commission’s E-Rate subsidies to strengthen networks and firewalls, and the UK’s National Cyber Security Centre initiatives, including its free cyber defence service for schools, to boost overall protection. These resources help schools both prevent and withstand attacks.

• Unify Strategies: Educational institutions should adopt coordinated approaches across sprawling IT estates to close visibility gaps and reduce risks before adversaries can exploit them.

• Relieve Staff Burden: Ransomware takes a heavy toll on IT teams. Schools can reduce pressure and extend their capabilities by partnering with trusted providers for managed detection and response (MDR) and other around-the-clock expertise.

• Strengthen Response: Even with stronger prevention, schools must be prepared to respond when incidents occur. They can recover more quickly by building robust incident response plans, running simulations to prepare for real-world scenarios, and enhancing readiness with 24/7/365 services like MDR.

Data for the State of Ransomware in Education 2025 report comes from a vendor-agnostic survey of 441 IT and cybersecurity leaders – 243 from lower education and 198 from higher education institutions hit by ransomware in the past year. 

The organizations surveyed ranged from 100 – 5,000 employees and across 17 countries. 

The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.

Download the State of Ransomware in Education 2025 report on Sophos.com.

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced that Sophos Endpoint is now natively integrated and automatically included in all Taegis Extended Detection and Response (XDR) and Taegis Managed Detection and Response (MDR) subscriptions.

This milestone gives customers immediate access to combined prevention, detection, and response capabilities in a single platform, while lowering costs and simplifying operations.

The integration follows Sophos’ acquisition of Secureworks in February 2025 and represents a major milestone in combining the companies’ strengths to help customers defeat cyberattacks with a higher ROI.

Endpoint protection remains one of the most critical layers of defense against today’s cyberthreats, delivering both frontline prevention and vital telemetry for detection and response. 

With Sophos Endpoint included in all new and existing Taegis XDR and MDR subscriptions, customers can benefit from unmatched ransomware defenses and adversary mitigation capabilities that automatically deploy in the event of an attack.

The integration enables organizations to strengthen protection while lowering licensing costs, reduce management overhead through native integration, and accelerate threat mitigation with expanded response actions.

Taegis remains a fully open platform, ensuring customers continue to receive full value from their existing cybersecurity investments and maintain the freedom to use the endpoint protection solution of their choice.

This ensures that customers maximize ROI while allowing room in their budget for other cybersecurity priorities.

“Integrating Sophos Endpoint with Taegis delivers a best-in-class unified protection, detection, investigation, and response platform – while also reducing customer costs,” said Raja Patel, chief product officer at Sophos. “Too many organizations still treat endpoint protection like a commodity, and that’s exactly the mistake attackers are counting on. The reality is, not all endpoint products are built to stop today’s hands-on-keyboard attacks. Sophos Endpoint’s prevention-first capabilities, like CryptoGuard anti-ransomware protection and Adaptive Attack Protection, shut down attacks before they can escalate, which is a true game changer for enterprises managing thousands of devices. And by simplifying deployment and policy management, we’re helping organizations stay ahead of threats, lower their total cost of ownership, and maximize the return on their security investments.”

Key benefits for Taegis customers include:

• Lower costs and improved ROI: Sophos Endpoint is now automatically included with all Taegis XDR and Taegis MDR subscriptions, eliminating the need to purchase a separate endpoint security solution.
• Vendor choice preserved: Taegis remains an open platform, allowing organizations to continue using their preferred endpoint solution.
• Industry-leading protection: A 16-time leader in the Gartner® Magic Quadrant™ for Endpoint Protection Platforms, Sophos Endpoint provides unmatched defense against ransomware and other advanced threats, with features such as CryptoGuard and Adaptive Attack Protection, accessible directly from the Taegis console.
• Workflow continuity: Telemetry and detections from Sophos Endpoint are ingested into the Taegis platform, allowing customers to retain existing detection and response workflows.
• Simplified management: Customers can download, install and manage Sophos Endpoint directly from Taegis.

To support a range of environments, customers can now choose between three deployment options for endpoint protection:

• Sophos Endpoint: Natively integrated for comprehensive prevention, detection, and response in a single agent.
• Non-Sophos native integrations: Telemetry ingestion ensures full visibility from products such as CrowdStrike, Microsoft Defender, SentinelOne and Carbon Black by Broadcom.
• Other non-Sophos endpoint security solutions: Supported through a detection only sensor deployment option.

“This integration expands the value and flexibility we deliver to customers and partners,” said Chris Bell, senior vice president of Global Channel, Alliances and Corporate Development at Sophos. “By including Sophos Endpoint in Taegis, organizations gain stronger protection, reduced costs and simplified operations. For partners, it creates new opportunities to help customers consolidate tools, drive renewals and expand enterprise relationships.”

Product managers often need to make a clear-cut decision: what should we build next? But the decisions which hold real importance go beyond adding features.

It’s about getting what makes people tick.

It goes way beyond what you would expect, getting into how people behave and using game theory.

These areas give insight into how users decide and how a product’s design can improve growth and keep people interested.

This is what Amarachi Nnochiri excels at. She is a senior product manager that knows how to use economics and psychology in her job.

She goes beyond simply managing product tasks; she develops whole product systems based on how users think, feel, and use a service. Her background shows how understanding human psychology and behaviour can give you a significant advantage in the competition.

One idea Amarachi uses is  “loss aversion.” In this scenario, people feel worse about losing something than they feel good about gaining something of equal value.

She uses this when designing her products, mostly when it comes to pricing and getting people to try new strategies. For example, instead of giving a free trial, she might use a freemium setup where users get some stuff for free but could lose it if they don’t buy an upgrade. This pushes them to pay.

She might also use progress bars or streak counters, since losing progress gets people to keep using the product.

Amarachi also uses ideas from “game theory” to get how users act and change their behavior. She realizes that users are doing more than operating a product, but are playing a game with other users or with the product itself. She designs things that use ideas like “Nash equilibrium,” where nobody can do better by changing what they’re doing. For a social product, this could mean creating a system where doing something good for yourself (like inviting friends) also helps everyone else. This makes the whole thing stable and positive.

Her know-how in game theory also applies to making strong “network effects.” This means making stuff that gets better as more people use it.

A good example is a social network where each new user makes the product more helpful for everyone else. Amarachi endeavours to make things go viral on purpose, not just by luck.

She might use “commitment devices,” which are things that make a user stick with a behaviour by making them depend on it socially or functionally. For example, inviting team members to a tool makes the user stick with the platform and makes the product’s network stronger.

This way of thinking is better than just following the usual steps. By using these economic and psychological tricks, Amarachi develops competitive advantages which are difficult to replicate.

She knows that a company’s best thing is not just a simple interface, but a product that’s designed to sync with how people behave.

Her product choices aren’t just about the needs of users, but equally focus on motivating them to like the product, use it, and stick with it.

In her work, choosing a subscription price isn’t just a business thing; it’s about behaviour. Designing a social feed isn’t just about the content; it’s about balancing what people want and watching how they interact. Amarachi knows extensively about the economics of product decisions. This makes her products innovative and appealing to human behaviour, which leads to more use, keeps people around, and helps the product grow. She’s a leader in product management, where identifying customer desires is backed by understanding human motivation.