Fraud Alert: Schools Fighting Ransomware, but Threats Still Linger
A ransomware attack on Surya Shakti Infotech Pvt Ltd, which manages online college admissions, compromised student data and disrupted entrance processes at several institutes, including Scottish Church College. According to a report from Times of India (ToI), hackers gained access to servers in Chennai and Dallas between 15 June and 25 June 2025, sent fake payment emails to students, deleted admission records and issued extortion threats, forcing the company to buy a new server and restart admissions.
 
In September 2020, Hartford Public Schools in Connecticut, US, were forced to cancel the first day of their new academic year. The reason was not a storm or a protest, but a ransomware attack that paralysed the district’s information technology (IT) systems. A year later, while the Colonial Pipeline hack grabbed headlines, more than 1,700 US schools also reported cyberattacks that disrupted classes and delayed lessons. In 2021, the University of Portsmouth in the UK admitted its systems had been hit by ransomware, which led to cancelled exams and delayed results. 
 
These examples show just a glimpse of a much bigger problem. Over the past five years, ransomware has become one of the most serious threats to schools and universities across the world. With limited budgets, weak resources, and outdated IT systems, educational institutions are increasingly seen by cybercriminals as 'soft targets'.
 
Multiple studies and threat-intelligence reports show that educational and research institutions in India are facing extremely high volumes of cyberattacks. For example, a report from Check Point Software found that Indian education and research institutions face 8,487 cyberattacks per week on average. Smaller schools in towns and rural areas may also face breaches, but such incidents are rarely reported or publicly acknowledged. In addition, details about ransom demands or payments are often not made public in cases involving schools.
 
For cyber attackers, the logic is simple: if you disrupt a school, you disrupt an entire community of students, teachers, staff and families. The impact is serious—classes get cancelled, sensitive data is stolen, budgets take a hit, and public trust in institutions suffers. For example, in July, nearly 100 educational institutions across Delhi and Bengaluru received bomb threat emails, leading to mass evacuations, exam cancellations, tightened security and widespread alarm among parents and students.
 
According to cyber law and cybersecurity expert advocate (Dr) Prashant Mali, India’s education sector is sitting on a cyber time-bomb. “Without urgent steps, mandatory cybersecurity audits, cyber awareness training for teachers and administrators, and stronger data protection compliance, the sector will continue to be a low-hanging fruit for attackers. I feel they should also start taking cyber insurance as a control against ransomware disruptions and data loss,” he says. 
 
Amid these challenges, there is a small ray of hope. A new global study by security firm Sophos, in its fifth annual ‘State of Ransomware in Education’ report, shows that schools are starting to fight back more effectively. According to the report, “Recovery rates are improving, ransom demands are dropping sharply, and more attacks are being stopped before files are encrypted.”
 
But the progress is still fragile. The report warns that “gaps in protection, understaffed IT teams, and the rise of artificial intelligence (AI)-powered scams mean the education sector remains dangerously exposed.”
 
A Hard-won Victory against Ransomware 
The Sophos study, based on surveys of 441 IT and cybersecurity leaders across 17 countries, highlights real improvements in how schools are handling ransomware. Globally, 97% of institutions that had data encrypted in an attack were able to recover it through backups, decryption keys, or other methods. This marks a major shift from just a few years ago, when many victims felt forced to pay ransoms, often without any guarantee of getting their data back, the report notes.
 
One of the most encouraging trends is the steep fall in ransom payments. In lower education, the average payout has dropped from US$6mn (million) to US$800,000. In higher education, it has fallen from US$4mn to US$463,000. Overall, ransom demands themselves have reduced by 73%, saving schools millions in potential costs, Sophos says.
 
 
The cost of recovery—which includes IT restoration, legal fees, public relations (PR) efforts and security upgrades—has also gone down. According to the report, higher education institutions saw a 77% drop in average recovery bills, while lower education institutions reported a 39% decline. Schools are also stopping more attacks before they cause damage: 67% of lower education and 38% of higher education institutions say they managed to block ransomware before files were encrypted, the highest success rate in four years.
 
Sophos analysts credit these improvements to greater awareness, stronger backup systems, and closer partnerships with cybersecurity providers. Many schools have learned from earlier attacks, putting money into managed detection and response (MDR) services, drafting incident response plans, and conducting simulations to prepare for real-world threats.
 
Cracks Beneath the Surface
Despite these gains, the report warns of serious weaknesses that still leave schools exposed. Nearly two-thirds (64%) of respondents admitted their security tools were either missing or ineffective. Another 66% said they did not have enough skilled staff to deal with advanced attacks. Even more worrying, 67% discovered gaps in their defences only after an attack had already happened.
 
Smaller schools remain especially vulnerable. Phishing was the most common entry point in 2024, responsible for 22% of ransomware incidents. With artificial intelligence (AI) making fake emails, voice scams and even deepfake videos more convincing, the risks are rising. A teacher or principal could easily click on a malicious link if it appears to come from a trusted colleague or parent.
 
Universities face different pressures, largely because of the sensitive and valuable data they hold. According to Sophos, attackers often go after student records, research data and even AI and large language model datasets. In 35% of cases, hackers exploited known software flaws, while in 45% they took advantage of weaknesses that universities did not even know existed.
 
The human toll is another cost that often goes unnoticed, the report says. “Every institution that reported a ransomware attack also reported emotional strain on its IT teams. More than one in four employees needed time off, nearly 40% said they experienced higher stress, and over one-third admitted feeling guilty for not stopping the breach. For already overworked IT staff, a ransomware strike can be deeply demoralising.”
 
As Alexandra Rose, director of Sophos’ Threat Research Unit, explains: “Ransomware attacks in education don’t just disrupt classrooms, they disrupt communities of students, families, and educators. While it’s encouraging to see schools strengthening their ability to respond, the real priority must be preventing these attacks in the first place. That requires strong planning and close collaboration with trusted partners, especially as adversaries adopt new tactics, including AI-driven threats.”
 
Risk of Complacency
Cybercriminals are quick to adapt. As schools strengthen their defences against traditional ransomware, where files are encrypted and money is demanded for the key, attackers are shifting to new tactics. One growing trend, according to Sophos, is ‘pure extortion’ attacks. Here, hackers steal sensitive data and threaten to leak it unless they are paid, avoiding encryption altogether.
 
For schools, such breaches can be especially damaging. The exposure of personal details of students, parents, and staff could have long-lasting consequences.
 
Another rising threat is the use of generative AI to make attacks smarter and more convincing. Phishing emails that look authentic, fake calls pretending to be from school administrators, or even deepfake video messages could be used to trick teachers and staff. As Ms Rose from Sophos warns, without stronger defences, schools could become ‘test grounds’ for these new tactics.
 
Financial strain also remains a serious concern. Even though ransom and recovery costs are falling, lower education reported the highest average recovery bill of any industry surveyed. For a school already battling budget cuts, a single cyberattack can wipe out funds meant for classrooms, books, or even salaries.
 
Building Stronger Defences
The way forward for schools and universities lies in strengthening prevention and resilience. Sophos experts recommend a few key steps:
 
1. Prevention First: The success of many educational institutions with limited resources in blocking ransomware before it caused damage shows that prevention works. Schools need to invest in strong endpoint security, fix software vulnerabilities quickly, and use tools that can spot and stop malicious activity early.
 
2. Unified Strategies: Fragmented IT systems leave gaps that attackers can exploit. Schools should adopt a coordinated approach across their entire digital infrastructure to improve visibility and reduce blind spots.
 
3. Support for Staff: With IT teams already stretched thin, managed security services that provide 24/7 monitoring and response can help. This boosts capacity while easing pressure on staff. 
 
4. Preparedness Drills: Just like fire drills, cyber drills allow schools to practise their response to attacks. Regular testing of incident response plans ensures that critical services can continue and recovery is faster when real incidents occur.
 
Here are a few simple habits that can go a long way in reducing risks for everyone—teachers, staff, parents, and even students:
 
Be cautious with links and attachments: Avoid clicking on messages that seem urgent, unusual, or suspicious.

Use strong, unique passwords: Protect accounts with multi-factor authentication (MFA) wherever possible.

Keep devices updated: Regular updates close security gaps in software and apps.

Back up important data: Store copies offline or in a separate cloud account to ensure recovery if systems are compromised.

Stay alert to phishing attempts: Watch out for unusual requests or impersonation attempts, even if they appear to come from trusted contacts.
 
The education sector’s progress against ransomware deserves recognition. Schools and universities have shown that even with limited budgets, it is possible to push back against one of the most damaging cyber threats of our time. But, as the Sophos report makes clear, the fight is far from over.
 
Cybercriminals will keep evolving, using AI and new extortion methods to outsmart defences. That is why schools cannot afford complacency. Cybersecurity must be treated not as an optional cost, but as an essential part of protecting education itself.
 
An interesting contrast stands out. While the world is working hard to tackle new-age cybersecurity threats, in India, even accessing the websites of many educational institutions (with a few exceptions) or government portals remains a Himalayan task. And if you ask why, you may even hear a response along the lines of: “We deliberately made our website difficult to access, so hackers can be kept away!”
 
In today’s digital world, keeping students’ data, teachers’ work and institutions’ reputations safe is just as important as securing classrooms. The ransomware battle may be changing shape, but for education, it remains a defining challenge.
 
Stay Alert, Stay Safe!