In 2025, ransomware gangs took credit for 251 cyberattacks on schools, universities, and other educational institutions. While similar to 2024’s figure (247), 2025’s attacks resulted in the breach of over 3.96 million records, a significant increase from 2024 (3.11 million).
The three largest breaches of 2025 all stem from Clop’s exploit of a zero-day vulnerability in Oracle’s E-Business Suite software, highlighting how schools face the threat of ransomware attacks not only on their own systems but also on the third parties they rely on.
So far, 94 of the attack claims from this year have been confirmed by the targeted organizations. This is lower than the figure noted in 2024 (133), but as many breaches are reported some time after attacks take place, we do expect 2025’s figures to rise in the coming months.
One figure that did decline from 2024 to 2025 was the average ransom demand in the education sector. It dropped by 33 percent from $694,000 in 2024 to $464,000 in 2025. As our recent 2025 ransomware report* (across all sectors) found, average ransom demands have dropped on the whole. This could be because hackers are scaling up their ransomware operations (through the likes of RaaS and AI) and/or because lower demands are more likely to lead to payment by the victim.
*Please note: this report was written after our end-of-year report, so figures may have changed slightly as more attacks have been confirmed.
Key findings for 2025
- 251 attacks in total
- 94 confirmed attacks
- 157 unconfirmed attacks
- 3,962,869 records are known to have been breached in the confirmed attacks – UP 27% from 2024’s figure (3,112,121)
- Average ransom demand across all attacks = $464,000 – DOWN 33% from 2024 ($694,000)
- The ransomware strains that claimed the most attacks against schools, colleges, and universities were Qilin (37), SafePay (23), Fog and Interlock (18 each), and INC (17)
- Interlock took credit for the most confirmed attacks (11), followed by Qilin (9), Fog (7), SafePay, INC, and Clop (6 each), and Medusa (4)
- Over 241 TB of data was allegedly stolen across all attacks
- The United States saw the most attacks (130), followed by the United Kingdom (12), France, Brazil, and Japan (9 each), Canada (8), and Australia and Spain (7 each)
- Attacks in the US (-9%), the UK (-50%), France (-18%), and Germany (-40%) all declined, while attacks in Brazil (+125%), Japan (+350%), Canada (+14%), Australia (+250%), and Spain (+600%) all increased
The top 5 biggest education data breaches via ransomware in 2025
Across the 94 confirmed attacks noted in 2025, over 3.9 million records have been breached. The top five are:
- University of Phoenix, US – 3,489,274 affected: Nearly 3.5 million people were caught up in the August 2025 attack on the University of Phoenix. The attack was part of Clop’s exploitation of an Oracle zero-day vulnerability.
- Dartmouth College, US – 99,596* affected: This breach was also carried out by Clop via Oracle. Nearly 100,000 people are confirmed to have been impacted so far (figures confirmed in seven states to date, including over 31,700 in the state of New Hampshire, where the college is based).
- The University of Pennsylvania, US – 46,491* affected: In another Clop Oracle breach, 46,500 people have been notified across 10 states so far. This doesn’t include Pennsylvania, where the college is based.
- Cherokee County School District, US – 46,119 affected: In March 2025, CCSD was targeted by Interlock with systems affected for around a week and 624 GB of data allegedly stolen. In September 2025, CCSD confirmed over 46,000 people had been impacted in this breach.
- Tokai University, Japan – 43,451 affected: Unknown hackers hit the Japanese university in April 2025, causing widespread disruption. The university later confirmed nearly 43,500 people had been impacted in the subsequent data breach.
Also within the top 10 are four other US schools and colleges (Madison Elementary School District 38 – 35,000 affected, Clackamas Community College – 33,381 affected, the Institute of Culinary Education – 33,342 affected, and School District Five of Lexington and Richland Counties – 31,475 affected) and another Japanese university (Miyagi Gakuin Women’s University – 30,000 affected).
*These figures are not the full total of people affected but represent the total known through values provided on attorney general websites.
Ransom demands on the education sector in 2025
An average ransom of $464,000 was noted across all attacks on education providers in 2025. This was slightly lower when looking at confirmed attacks ($392,300) and slightly higher when looking at unconfirmed attacks ($515,000).
Ransom demands aren’t often reported, meaning data surrounding these figures is limited. Across all of the 251 attacks in 2025, only 24 ransom demand figures are known. Equally, none of the entities reporting an attack in 2025 confirmed they had paid a ransom, but 12 did state they did not meet their hackers’ demands.
The top five biggest ransom demands across confirmed attacks were:
- Asia University, Taiwan – $1.5 million: After targeting Asia University in February 2025, Crazy Hunter demanded $1.5 million for the alleged theft of a whopping 200 TB of data.
- YOKOSUKA GAKUIN Elementary School, Japan – $519,000: In December 2025, Rhysida issued the Japanese school with a 6 bitcoin ransom demand, worth $519,000 at the time.
- Collège Supérieur de Montréal, Canada – $430,400: Rhysida also claimed this October 2025 attack on Collège Supérieur, demanding 5 bitcoin to delete the allegedly stolen data.
- Fall River Public Schools, US – $400,000: Medusa targeted the school district in Massachusetts in April 2025. No data breach has yet been confirmed by Fall River but Medusa did demand $400,000 for the data it alleged it had stolen.
- Franklin Pierce Schools, US – $400,000: Medusa also issued Franklin Pierce Schools a $400,000 ransom demand after it infiltrated the district’s network in June 2025, causing disruption to its network, internet, and phones. No breach notifications have been issued here either, but Medusa said 821.3 GB of data had been stolen.
Other known ransom demands include Laurens County School District 56, US ($320,000, Medusa) and Clackamas Community College, US ($300,000, Medusa).
Please note: Although Medusa and Rhysida feature heavily here, that doesn’t necessarily mean they’re demanding the biggest ransoms out of all of the groups. Rather, these groups almost always disclose ransom demands when claiming an attack, which gives us access to more data. Other groups often do not reveal their ransom demands.
Which gangs are targeting the education sector?
As we have seen, Qilin claimed responsibility for the most attacks on the education sector in 2025 with 37 in total. It was followed by SafePay (23), Fog and Interlock (18 each), and INC (17).
Interlock took credit for the most confirmed attacks (11), followed by Qilin (9), Fog (7), SafePay, INC, and Clop (5 each), and Medusa (4).
All but one of Interlock’s attacks took place in the US with nearly 128,000 records known to have been breached across these attacks to date. The largest breach was from its attack on the Cherokee County School District, mentioned above. Its one other attack was carried out in August 2025 on Loyola College in Australia.
The majority of Qilin’s confirmed attacks were also carried out in the US with seven here in total. The others were Belmont Christian College in Australia and Eastern Townships School Board in Canada.
The most “successful” gangs and attacks targeting schools
If we were to judge a gang’s success on the number of records breached, there’s one clear winner — Clop. As we have already noted, its exploit of an Oracle zero-day vulnerability led to some of the biggest breaches in the education sector in 2025. In total, Clop’s five confirmed attacks led to the breach of over 3.6 million records. As well as the University of Phoenix, Dartmouth College, and the University of Pennsylvania (mentioned above), Clop was also confirmed in breaches against Wits University in South Africa and Harvard University in the US (both also carried out via the Oracle exploit).
Interlock breached the second-highest number of records, but it was Crazy Hunter that claimed to have stolen the most data. It said it stole 200 TB of data from Asia University, Taiwan.
Ransomware attacks on schools, colleges & universities by country
The US accounts for just over half of all the attacks we logged on the education sector in 2025 with 130 in total. 50 of these attacks have been confirmed by the entity affected. Most of the records breached in 2025 (3.89 million out of 3.96 million) also came from the US. While it was home to some extensive breaches (as noted above), the US is also one of only a few countries with public data breach reporting tools and requirements.
In second place for the number of attacks is the UK with 12 ransomware attacks on schools in total, followed by France, Brazil, and Japan (9 each), Canada (8), and Australia and Spain (7 each).
As we have already noted, none of these countries saw the same plateau in attacks that we witnessed overall. Rather, some countries saw significant increases, e.g. Spain (up 650%), Japan (350%), and Australia (250%), while the UK saw the biggest decline out of all these countries (down 50%).
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, then it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
All data is sourced from our worldwide ransomware tracker (updated daily).