Oracle: Ransomware Attacks on schools diminished in the year 2025

Ransomware Attacks on Schools Persist in 2025, Despite Slight Decline in Volume

In 2025, ransomware attacks on educational institutions saw a marginal decrease in frequency but a sharp rise in severity, according to Comparitech’s Education Ransomware Roundup report. Cybercriminals targeted schools 251 times, down only slightly from 240 incidents in 2024, yet the scale of data exposure grew, amplifying the impact on affected organizations.

K-12 schools emerged as the most vulnerable targets, despite higher education institutions traditionally holding larger data troves. Limited cybersecurity resources and understaffed IT teams made primary and secondary schools prime targets, exposing sensitive student records, staff information, and financial data. The report highlights a critical gap in defenses, leaving smaller institutions disproportionately at risk.

A major driver of breaches in 2025 was a zero-day vulnerability in Oracle E-Business Suite, exploited by the CLOP ransomware gang in August. The flaw led to data compromises at over five schools, underscoring persistent risks from unpatched software and supply-chain weaknesses.

While attack volumes remained steady, ransom demands dropped significantly. The average minimum demand fell to $464,000 in 2025, down from $694,000 the previous year. Researchers suggest this shift may reflect a tactical adjustment by attackers, who recognize that lower demands increase the likelihood of payment from budget-constrained schools.

The report also raises concerns about third-party mediators in ransom negotiations. Some intermediaries, who take a percentage of paid ransoms, may inadvertently encourage payments, fueling the ransomware economy.

Comparitech’s Head of Research, Rebecca Moody, notes that many schools avoid disclosing attacks due to stigma, hindering collective defense efforts. Greater transparency, she argues, could help institutions share threat intelligence and adopt stronger mitigation strategies in an evolving cyber threat landscape.

Source: https://www.cybersecurity-insiders.com/ransomware-attacks-on-schools-diminished-in-the-year-2025/

Oracle TPRM report: https://www.rankiteo.com/company/dsp-oracle-e-business-suite

"id": "dsp1771259212",
"linkid": "dsp-oracle-e-business-suite",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Students and staff',
                        'industry': 'Education',
                        'size': 'Small to medium',
                        'type': 'K-12 School'},
                       {'customers_affected': 'Students and staff',
                        'industry': 'Education',
                        'size': 'Large',
                        'type': 'Higher Education Institution'}],
 'attack_vector': 'Zero-day vulnerability in Oracle E-Business Suite',
 'data_breach': {'data_encryption': 'Yes (ransomware)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Sensitive student records',
                                              'Staff information',
                                              'Financial data']},
 'date_detected': '2025',
 'date_publicly_disclosed': '2025',
 'description': 'In 2025, ransomware attacks on educational institutions saw a '
                'marginal decrease in frequency but a sharp rise in severity. '
                'Cybercriminals targeted schools 251 times, with K-12 schools '
                'being the most vulnerable due to limited cybersecurity '
                'resources. A zero-day vulnerability in Oracle E-Business '
                'Suite was exploited by the CLOP ransomware gang, leading to '
                'data compromises at over five schools. Ransom demands dropped '
                'to an average minimum of $464,000, and concerns were raised '
                'about third-party mediators in ransom negotiations.',
 'impact': {'brand_reputation_impact': 'Stigma associated with disclosing '
                                       'attacks',
            'data_compromised': 'Sensitive student records, staff information, '
                                'and financial data',
            'identity_theft_risk': 'High',
            'operational_impact': 'Amplified impact on affected organizations, '
                                  'hindering collective defense efforts',
            'payment_information_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Zero-day vulnerability in Oracle '
                                          'E-Business Suite'},
 'lessons_learned': 'Greater transparency could help institutions share threat '
                    'intelligence and adopt stronger mitigation strategies. '
                    'Limited cybersecurity resources and understaffed IT teams '
                    'make smaller institutions disproportionately at risk.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': ['Unpatched software',
                                            'Supply-chain weaknesses',
                                            'Limited cybersecurity resources']},
 'ransomware': {'data_encryption': 'Yes',
                'ransom_demanded': '$464,000 (average minimum)',
                'ransomware_strain': 'CLOP'},
 'recommendations': 'Adopt stronger mitigation strategies, patch software '
                    'vulnerabilities promptly, and improve transparency in '
                    'disclosing attacks.',
 'references': [{'date_accessed': '2025',
                 'source': 'Comparitech’s Education Ransomware Roundup '
                           'report'}],
 'response': {'communication_strategy': 'Avoid disclosing attacks due to '
                                        'stigma',
              'third_party_assistance': 'Third-party mediators in ransom '
                                        'negotiations'},
 'threat_actor': 'CLOP ransomware gang',
 'title': 'Ransomware Attacks on Schools Persist in 2025',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Zero-day vulnerability in Oracle E-Business Suite'}