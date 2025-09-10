Ransomware demands and payments have plummeted in the education sector in the past year amid improved resilience and recovery capabilities, according to a new Sophos study.

The average ransom demand issued by attackers to lower education providers fell by 74% compared to 2024, from $3.85m to $1.02m.

The fall was even more significant in higher education, from $3.55m to $697,000, an 80% decline.

This compares to a cross-sector average fall in ransom demands of 34%, Sophos found.

The researchers noted that the fall in education is largely driven by a considerable reduction in high value demands. Lower education providers saw an 86% decrease in demands of $5m or more while higher education providers saw a 34% decrease in demands of $1m or more.

“This suggests that attackers may be shifting to chase smaller, quicker payouts rather than targeting large sums,” the researchers said.

In line with falling ransom demands, the average ransom payments made by both higher and lower education providers dropped substantially over the past year.

The median ransom paid by lower education plummeted 88% from $6.60m in 2024 to $800,000 in 2025, while payments made by higher education providers fell from $4.41m in 2024 to just $463,000.

This means education has gone from having one of the highest average ransom payments in 2024 to among the lowest in 2025.