Q1 - Q3 ransomware roundup_ education

180 attacks on the education sector were recorded by Comparitech researchers during the first nine months of this year. This is a six percent increase on 2024’s figure during the same period (170).

Despite these higher figures, the last two quarters of 2025 do offer a more positive outlook for the education sector. As you can see from the chart below, attacks in Q2 and Q3 were significantly lower than the previous three quarters and mark the first dip in attacks since the start of 2024.

So far, 63 of the attacks from this year have been confirmed by the targeted organizations. This is lower than the figure noted in 2024 (99), but as many breaches are reported some time after attacks take place, we do expect 2025’s figure to rise in the coming months.

Many of these confirmed attacks on the education sector resulted in system downtime, causing disruptions to networks and canceled classes for days, if not weeks. More often than not, hackers are stealing data in the process, with an average of 2.6 TB stolen per attack.

We are also seeing another uptick in the number of attacks reported this month, with seven confirmed and seven unconfirmed already. As well as four attacks in the US (Halifax County Public Schools, Harvard University, Kearney Public Schools, and North Stonington Public Schools), attacks have also been confirmed at Wits University in South Africa, and Higashiyama Junior and Senior High School and Ryutsu Keizai University in Japan.

Key findings for Q1-Q3 2025

  • 180 attacks in total
  • 63 confirmed attacks
  • 117 unconfirmed attacks
  • 227,214 records are known to have been breached in the confirmed attacks
  • Average ransom demand across all attacks = $444,400
  • The US and UK have seen a similar number of attacks (when compared to the same period of 2024), while attacks in France have doubled and Australia, Brazil, and Spain have seen a number of attacks despite recording none in the first nine months of 2024
  • The ransomware strains that claimed the most attacks against schools, colleges, and universities were Qilin (24), Fog (18), SafePay (17), Interlock (13), and INC (12)
  • Interlock took credit for the most confirmed attacks (8), followed by Fog (7), Qilin (6), and SafePay, Medusa, Nova, and Kairos (3 each)
  • Nearly 233 TB of data was allegedly stolen across all attacks

Education data breaches via ransomware in Q1-Q3 2025

All the confirmed ransomware attacks on schools so far this year breached just over 227,200 records in total. The top five largest breaches in this period to date are:

  1. Cherokee County School District, US – 46,119 affected: In March 2025, CCSD was targeted by Interlock with systems affected for around a week and 624 GB of data allegedly stolen. In September 2025, CCSD confirmed over 46,000 people had been impacted in this breach.
  2. Tokai University, Japan – 43,451 affected: Unknown hackers hit the Japanese university in April 2025, causing widespread disruption. The university later confirmed nearly 43,500 people had been impacted in the subsequent data breach.
  3. Madison Elementary School District 38, US – 35,000 affected: MESD confirmed 35,000 people had their data breached after Interlock infiltrated school systems in April by carrying out a social engineering attack on an employee. Interlock claims it stole 75 GB of data. MESD confirmed it had enlisted the help of Arete to determine what data had been compromised. According to an emergency purchase order, this cost just over $21,700 and involved analyzing nearly 100 GB of data.
  4. Institute of Culinary Education, US – 33,342 affected: This month, the Institute of Culinary Education began notifying more than 33,000 victims of a data breach following an attack in May 2025. Ransomware group Payouts King took credit for this attack, saying it stole 1.5 TB of data in the process.
  5. School District Five of Lexington and Richland Counties, US – 31,475 affected: After also being targeted by Interlock, School District 5 notified over 31,000 people that their data had been impacted in a June 2025 breach. Interlock said it stole 1.3 TB of data.

Five other US school districts have confirmed the number of people impacted in their attacks:

  • Baltimore City Public Schools – 20,665 affected, February 2025, Cloak
  • Kalamazoo Public Schools – 8,592 affected, April 2025, Interlock
  • Prince George County Public Schools – 3,959 affected, July 2025, unknown hackers
  • Christian Brothers Academy – 2,928 affected, June 2025, Interlock
  • Riverdale Country School – 1,524 affected, February 2025, RansomHub
cherokee county school district ransomware interlock
Interlock lists Cherokee County School District on its website

Ransomware attacks on schools, colleges & universities by country

The US accounts for the most ransomware attacks on the education sector. 95 out of the 180 attacks we recorded globally took place in the US. 35 of these US attacks have been confirmed by the targeted schools so far.

In second place is the UK with 11 confirmed ransomware attacks on schools, followed by France (9), Australia (7), and Brazil and Spain (5 each).

Notably, the number of attacks in the US and UK in 2025 is similar to the same period in 2024, but France’s figure has more than doubled. Meanwhile, Australia, Brazil, and Spain noted no attacks on the education sector in the first nine months of 2024 but have seen several this year.

The UK suffered one of the most controversial ransomware attacks on the education sector to date. Newly-formed ransomware gang Radiant claimed an attack on Kido nurseries and preschools, publishing photographs of children and their parents’ contact details in its proof pack. It later removed the images.

Two of the UK’s other confirmed attacks came from Kairos. The Derby High School was targeted in April 2025 and Melland High School in August 2025.

Ransom demands on the education sector in Q1-Q3 2025

Across all of the 180 attack claims on schools, ransomware gangs demanded an average ransom of $444,400. The figures are similar when comparing confirmed ($439,000) and unconfirmed ($448,000) attacks.

Six ransom demands are known across confirmed attacks, including:

  • Asia University, Taiwan – $1.5 million: After targeting Asia University in February 2025, Crazy Hunter demanded $1.5 million for the alleged theft of a whopping 200 TB of data.
  • Fall River Public Schools, US – $400,000: Medusa targeted the school district in Massachusetts in April 2025. No data breach has yet been confirmed by Fall River but Medusa did demand $400,000 for the data it alleged it had stolen.
  • Franklin Pierce Schools, US – $400,000: Medusa also issued Franklin Pierce Schools a $400,000 ransom demand after it infiltrated the district’s network in June 2025, causing disruption to its network, internet, and phones. No breach notifications have been issued but Medusa said 821.3 GB of data had been stolen.
  • Laurens County School District 56, US – $320,000: Despite a lower ransom demand, Medusa said it had stolen 2.4 TB of data in the February 2025 attack. No notifications have been issued by the school district as of yet.

frps ransomware medusa

Other ransoms include an $8,300 demand from unknown hackers on Ensemble scolaire La Salle, France, in January 2025, which wasn’t paid, and a demand of $5,000 from Funksec on the Achievers Journal of Scientific Research by the College of Natural and Applied Sciences, Nigeria.

Which gangs are targeting the education sector?

As we’ve previously noted, Qilin (24), Fog (18), SafePay (17), Interlock (13), and INC (12) accounted for the most attacks. Interlock is responsible for the most confirmed ransomware attacks on schools (8).

Seven of the eight confirmed attacks by Interlock were on US schools. As well as the ones mentioned above, Interlock also claimed attacks on Aztec Municipal School District and Central Point School District 6 in the US and Loyola College in Australia.

Fog’s attacks were more “international”, targeting three US schools (the University of Oklahoma, Aurora Public Schools, and Williamsburg-James City County Schools), The University of Notre Dame in Australia, Saint George’s College in Chile, the University of Applied Sciences and Arts Northwestern FHNW in Switzerland, and Real Academia Española in Spain.

All but one of Qilin’s attacks on schools hit US targets. Belmont Christian College in Australia was targeted by the gang in July 2025.

The most “successful” gangs and attacks targeting schools

If we were to judge a gang’s success on the number of records breached, Interlock would come out on top. The gang was behind three of the five largest education data breaches via ransomware this year so far.

Interlock also claims it has stolen nearly 9.7 TB of data across all of its attacks with an average of just over 745 GB per attack.

However, it’s Crazy Hunter that alleges to have stolen the most data. It said it stole 200 TB of data from Asia University, Taiwan.

Crazy Hunter's claim on Asia University
Crazy Hunter’s claim on Asia University

INC claims it stole the third-highest volume of data with nearly 9.5 TB in total.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025,then it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

All data is sourced from our worldwide ransomware tracker (updated daily) – here.