Top Cyber Threats to Educational Institutions in 2025

The education sector faces a growing array of cybersecurity threats, driven by its reliance on outdated infrastructure and the rapid adoption of digital technologies that are often poorly integrated with one another. Key threats include:
- Ransomware attacks, which encrypt an institution's data (and increasingly steal it first) and demand a hefty ransom for decryption or for not publishing it
- Phishing attacks, which trick individuals through deceptive emails (and, increasingly, QR codes and text messages) into revealing credentials or other sensitive information
- Malware attacks, the unauthorized installation of malicious software that compromises systems and data integrity
- Distributed Denial of Service (DDoS) attacks, in which attackers flood online learning platforms with traffic until legitimate users can no longer reach them
- Insider threats, in which staff or students misuse legitimate access, whether maliciously or by accident
The sector’s extensive storage of personal data and often limited cybersecurity resources make it an attractive target for cybercriminals. Strengthening cybersecurity measures and fostering a culture of security awareness are crucial steps to mitigate these risks.
Here we will explore what’s at stake, the types of threats impacting education, and best practices for mitigation.
The Financial and Operational Risks
According to the Zscaler ThreatLabz 2024 Ransomware Report, educational institutions face mounting pressure as the fourth-most affected sector by ransomware. Between April 2023 and April 2024, educational organizations were hit by 217 ransomware attacks, marking a year-over-year increase of more than 35%. This surge highlights a troubling trend: cybercriminals are progressively targeting schools, colleges, and universities—and their troves of sensitive student and financial data.
The financial stakes for these institutions are enormous. Not only do they face hefty ransom demands, but they also grapple with significant costs for data recovery and system restoration. A prime example highlighted in the Zscaler report is the Hive ransomware group, which extorted over $100 million from victims including school districts before law enforcement seized its infrastructure in January 2023; the report links its operators to the "Hunters International" group that appeared afterward.
Nation-state actors linked to North Korea, China, and Russia also target the education sector (see the section below). According to Zscaler, several factors contribute to the sector's heightened vulnerability, one of the most critical being limited cybersecurity budgets. As ransomware and other threats increasingly target educational institutions, however, the pressure is mounting to invest in robust security to avoid the far costlier repercussions of a successful attack.
Types of Cyber Threats in Education
There are four primary cyber threats to educational institutions: malware, ransomware, phishing, and Distributed Denial of Service (DDoS) attacks.
Malware
Malware is malicious software that bad actors use to infiltrate a computer or network. According to the 2023 SonicWall Cyber Threat Report, the education (+157%), finance (+86%), and retail (+50%) verticals saw the largest year-over-year increases in malware. Malware attacks against smart (IoT) devices in the education sector rose 146% in 2023. SonicWall's 2025 report shows the trend escalating, with its systems identifying approximately 637 never-before-seen malware variants per day in 2024.
Threats of this nature will only grow as educational organizations add more smart devices for everyday use, each of which widens the attack surface if it is left unpatched or running on default credentials.
Ransomware
Ransomware attacks are malware attacks in which cybercriminals encrypt an organization's data or lock its systems and demand payment to restore access, often also threatening to publish stolen data. They cause significant harm to educational organizations because of their extended duration, financial element, and propensity to cause long-term disruptions to standard operations.
According to Malwarebytes’ ThreatDown, ransomware remains the most significant cyberthreat facing the education sector. They reported a staggering 70% surge in attacks from 2022 to 2023. The data also shows that—while ransomware attacks against education are a global phenomenon—the US (with 80% of known attacks) and the UK (with 12%) were the most frequently attacked countries.
Some of the most high-profile attacks on universities and K–12 in 2023 included one against Western Michigan University, which caused a 13-day service disruption, and one against Minneapolis Public Schools, in which over 300,000 files were leaked after the district refused a $1 million ransom demand.
The 2023 SonicWall report revealed massive year-over-year volume increases in attacks on K–12 as threat actors continued to shift away from government, healthcare, and other industries to zero in on education targets. SonicWall observed a 275% increase in ransomware attacks on education customers overall, including an 827% spike in attacks on K–12 schools. This growth echoed trends observed in the overall malware attack volume: out of a 157% increase in attacks on education customers overall, the subset of K–12 customers experienced a 323% increase in malware attacks. Zscaler's 2024 count of 217 ransomware attacks on the sector, cited above, points the same way.
In Ransomware: The Story of Extortion in Education, C1 cites the substantial impact of these attacks, with schools and colleges suffering an estimated 1,600 days (about four and a half years) of cumulative downtime and an average cost of $2.8M per breach. Its data shows ransom demands ranging from $250,000 to $950,000 USD per organization, a significant sum for institutions that are fiscally constrained.
The BlackCat (ALPHV) ransomware group claimed responsibility for attacks on North Carolina A&T, Phillips Community College, Florida International University, and Regina Public Schools, each of which caused significant disruption and exposure of data. These incidents were part of a broader trend in which the education sector experienced a 75% year-over-year increase in cyberattacks.
The pace shows little sign of abating, with attacks already occurring this year. According to C1, while ransomware attacks against educational institutions occur globally, the USA bears the brunt with 56% of known attacks worldwide (the figure differs from Malwarebytes' 80% above because the two reports draw on different datasets and periods). Education, government agencies, finance, energy, and healthcare are the top five sectors under constant siege.
Phishing
Phishing, in which cybercriminals deceive individuals into clicking malicious links or revealing sensitive information, has been an ongoing threat via email for a long time. According to Microsoft Security, QR codes are a growing phishing vector ("quishing"), since they routinely appear in emails, campus flyers, menus, parking passes, forms, and other official communications. Educational spaces, filled with handouts and bulletin boards, are especially QR code-intensive, and users scan them quickly and on personal phones that sit outside the institution's email and web filtering. The United States Federal Trade Commission issued a consumer alert on the rising use of malicious QR codes to steal login credentials or deliver malware.
Microsoft telemetry shows that more than 15,000 messages with malicious QR codes are directed at the educational sector daily, spanning phishing, spam, and malware. KnowBe4's Threat Lab recently observed a phishing campaign targeting educational institutions: over a 30-day period, 4,361 threats were reported, originating from 40 unique sender domains, and 65% of those domains belonged to educational institutions whose accounts had been compromised. Mail sent from a compromised account on a legitimate domain passes sender-authentication checks such as SPF and DKIM, so it cannot be caught by anti-spoofing alone.
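As an added example (not from the original article or any of the vendors it cites), the following Python script applies the checks a help desk or mail-filtering rule might run against a link decoded from a QR code, or extracted from an email, before anyone visits it. The institution domain example.edu, the short list of URL shorteners, and the sample URLs are all assumed or constructed for illustration; decoding the QR image itself is left to a scanner, since this script only takes the resulting URL.

```python
"""Triage a URL decoded from a QR code (or extracted from an email) for common
phishing tells. Added example: example.edu is a hypothetical institution domain,
and the shortener list and sample URLs are constructed for illustration."""
import ipaddress
from urllib.parse import parse_qs, urlparse

TRUSTED_DOMAINS = {"example.edu"}                      # hypothetical institution domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}         # small constructed list
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "dest", "target", "return", "u"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (adequate for .edu/.com here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_url(url: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    p = urlparse(url)
    host = (p.hostname or "").lower().rstrip(".")

    if p.scheme != "https":
        findings.append(f"non-https scheme: {p.scheme or '(none)'}")
    if not host:
        findings.append("no host in URL")
        return findings
    if "@" in p.netloc:
        findings.append("userinfo before host (trusted name may be a decoy)")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host (possible homoglyph domain)")

    reg = registrable(host)
    if reg in SHORTENERS:
        findings.append(f"url shortener: {reg}")

    for t in trusted:
        if host == t or host.endswith("." + t):
            continue                                   # genuinely ours
        if t in host:
            # e.g. example.edu.login-portal.com: our name as a decoy subdomain
            findings.append(f"trusted name {t} embedded in untrusted host {host}")
        elif 0 < levenshtein(reg, t) <= 2:
            findings.append(f"lookalike of {t}: {reg}")

    # A trusted host can still be abused if it forwards to an attacker's page.
    for key, values in parse_qs(p.query).items():
        if key.lower() in REDIRECT_PARAMS and any(v.lower().startswith("http") for v in values):
            findings.append(f"open-redirect style parameter: {key}")
    return findings


# Constructed sample URLs, as an analyst might paste them after scanning a flyer.
SAMPLES = [
    "https://sso.example.edu/login",
    "http://examp1e.edu/login",
    "https://example.edu.login-portal.com/signin",
    "https://192.0.2.10/login",
    "https://bit.ly/3abcxyz",
    "https://portal.example.edu/auth?redirect=https://evil.test/collect",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", triage_url(u) or "clean")
```

The last sample is the case worth remembering: the host is the institution's own portal, so domain checks pass, but the redirect parameter carries the victim to an external page. Checks like these belong in the reporting workflow described later in the mitigation list, not on the user's phone.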
Distributed Denial of Service (DDoS) Attacks
DDoS attacks disrupt a targeted server by flooding it, or the network around it, with more traffic than it can handle. Cybercriminals launch them from botnets of compromised computers, smart devices, and other hijacked systems.
The average educational organization now relies on more connected devices than ever to keep up with online learning and smart classrooms. Every such device is both something a DDoS can take offline and, if compromised, a potential botnet member used to attack someone else.
Denial of service is only one piece of the incident picture. In its 2024 Data Breach Investigations Report (DBIR), Verizon examined 30,458 security incidents, of which 10,626 were confirmed data breaches. Education accounted for 1,780 of those incidents and for 1,537 (14%) of the confirmed breaches, which puts it in the top five of all industries breached globally.
One example was the "MOVEit attack." In May 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a managed file-transfer product, to steal data from hundreds of organizations. Colorado State University was among those affected, with personal data of around 19,000 individuals compromised. While victims spanned many sectors, the 2024 DBIR found that education was by far the most affected, accounting for more than 50% of the breached organizations.
Nation-State Cyber Threats Targeting Education
In addition to the types of threats above, malicious actors are targeting educational institutions to steal data, funds, and even academic and medical research—all to benefit foreign government entities. While they may have fun names, their work is anything but funny.
The Lazarus Group
The Lazarus Group—identified in 2014 but active since at least 2009—is a notorious Advanced Persistent Threat (APT) group linked to North Korea’s Reconnaissance General Bureau. Known for its sophisticated cyberattacks aimed at financial gain, espionage, and disruption, Lazarus employs a variety of custom malware and tactics.
In May 2017, several U.S. universities, including the Massachusetts Institute of Technology (MIT), Trinity College, the University of Washington, and North Dakota State University, reported infections from the WannaCry ransomware worm, which has been attributed to Lazarus. WannaCry spread without any user interaction by exploiting a Windows SMBv1 flaw for which Microsoft had released a patch (MS17-010) two months earlier; on unpatched machines it encrypted files and demanded ransom payments in Bitcoin.
Lazarus is known for targeting the cryptocurrency sector, but more recent attacks have hit the academic, medical, automotive, energy, and defense sectors in the U.S., Europe, and other parts of the world. The group is expanding its range of targets and exploiting known vulnerabilities to do so, which underlines the importance of keeping systems patched to prevent such infections.
Mustang Panda
Mustang Panda is a Chinese APT group active since at least 2014. The group targets governments, nonprofit organizations, non-governmental organizations, and religious entities perceived to be working against Chinese interests.
During the "LNK File Tax Scams" campaign in May 2024, Mustang Panda targeted Vietnamese entities with lures related to tax compliance. Shared network infrastructure led researchers to a second campaign, from April 2024, whose lures targeted entities interested in the education sector.
Beyond the government and nonprofit targets above, the group pursues educational entities worldwide in support of China's objective of acquiring academic research and technology, and the education sector should plan its defenses accordingly.
Cozy Bear
Cozy Bear—known as APT29 and labeled Midnight Blizzard by Microsoft—is a Russian threat actor attributed to Russia’s Foreign Intelligence Service (SVR). This notorious and highly sophisticated faction primarily focuses on intelligence collection and usually targets government agencies, diplomatic entities, NGOs, and IT service providers, primarily in the U.S. and Europe.
Since late October 2024, Cozy Bear has been running a large spearphishing campaign against thousands of individuals across academia, government, and defense, as well as NGOs. According to Microsoft, the emails carried signed Remote Desktop Protocol (.rdp) configuration files that, when opened, connected the victim's machine to attacker-controlled servers and exposed local drives, clipboard, and other resources to them. The likely goal of the ongoing campaign is intelligence collection.
Artificial Intelligence (AI) in Education
Although AI is not yet a top threat to the education sector, it will play an integral part in both the future of education and the future of attacks against it.
As these technologies become more widely available and accessible, discussions on “AI for Good” and “AI for Bad” surge. Cyber attackers are using AI to craft convincing phishing emails, create deepfakes to impersonate educators, and manipulate AI-based chatbots to distribute malware or harvest data. AI enables cyberattacks to automate at scale, identify and exploit network weaknesses, and become faster, smarter, and harder to detect, posing an evolving threat to underprepared institutions.
Yet AI shows a great deal of promise in education. Below is a great quote from 2025 Predictions: AI’s Impact on Education, in which one educator explains how AI could transform education:
“The future of AI in K–12 education is as promising as it is transformative. AI can automate administrative tasks, which means more time for our teachers to focus on instruction and student interaction. Schools will also look to AI to personalize learning experiences, adapting to each student’s pace and style, making learning more engaging, meaningful, and effective. Educational applications now have intelligent tutoring built in to provide instant feedback, which is a game changer for the learning process. AI-driven analytics can identify learning gaps and suggest targeted interventions or differentiators for student needs, ensuring all students are appropriately supported and adequately challenged. The important crux of successful AI integration, as with most educational technology initiatives, is the integration and teachers’ professional development. Overall, AI has the potential to revolutionize schools, making it more personalized, efficient, and inclusive on a path to equity in education.”
— Lisa Irey, director of technology & printing services, Des Moines Public Schools
The key to responsible use of AI in your organization is to craft AI policies that balance innovation and risk.
What Can You Do to Mitigate Risk?
Managing cybersecurity risk becomes more critical as school communities increasingly depend on technology and internet connectivity for delivering educational services and conducting daily business operations. Some essential practices include:
- Keeping software patched: Keeping software, operating systems, and firmware up to date is crucial to closing known vulnerabilities. Establish a regular patching schedule, automate updates where possible, and prioritize internet-facing systems and anything listed in CISA's Known Exploited Vulnerabilities catalog.
- Investing in fully integrated solutions whenever possible: Ad hoc integrations create weak points for attackers. Ask software vendors for their security certifications, compliance documentation, and disaster recovery plans. Check whether they have partnered with industry-specific partners and can connect their tools through secure application programming interfaces (APIs).
- Implementing Multi-Factor Authentication (MFA): MFA adds a layer of security by requiring two or more independent factors, such as a password plus a one-time code or a hardware security key, to access systems or data. This significantly reduces the risk of unauthorized access from a stolen password alone. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) for administrators and staff, since SMS and app-based one-time codes can be relayed in real time by modern phishing kits.
- Using strong, unique passwords: Short or simple passwords are easy to guess, and a password reused across accounts lets a single breach unlock the rest, exposing personal information about your staff or students that criminals can steal, sell, or use for identity fraud. Encourage long passphrases, provide a password manager, and check new passwords against lists of previously breached ones.
- Spotting and reporting phishing, vishing (voice), and smishing (SMS) threats: Users are often the weakest link in an organization's security posture. Educate students, staff, and faculty on recognizing phishing attempts, using strong passwords, and keeping software up to date, and give them a one-click way to report suspicious messages so the security team can pull a campaign out of every inbox before more people act on it.
- Developing and enforcing a robust security policy: A comprehensive security policy should outline acceptable use of technology resources, password management practices, data handling procedures, and incident response protocols. This policy should be regularly updated and enforced across the institution.
- Joining the Multi-State Information Sharing and Analysis Center (MS-ISAC): MS-ISAC is free to join and offers free and low-cost cybersecurity tools, resources, and just-in-time information sharing to support both technology experts and school leaders in building cybersecurity resilience.
Prioritize Cybersecurity in an Evolving World
The expanding use of online learning platforms and digital tools has opened numerous attack vectors for cybercriminals, who often see schools as vulnerable targets due to limited cybersecurity budgets and a reliance on older IT infrastructures. This evolving threat landscape highlights the urgent need for improved cybersecurity measures across the education sector to safeguard against growing attacks. As demonstrated by the diverse range of incidents throughout the last few years—from ransomware attacks to data breaches—the education sector is facing unprecedented challenges that require immediate attention and action.
Threat actors, often active on the Dark Web and hacker forums, continue to adapt their tactics. This dynamic environment makes it crucial to implement effective cybersecurity strategies. By prioritizing cybersecurity, educational institutions can not only defend against current threats but also build a robust foundation for a safer digital learning environment in the future.