The number of global ransomware attacks in the first quarter of 2025 was nearly double that of the first quarter of 2024, with the education sector remaining a common target, according to a new analysis conducted by Comparitech.
In Q1 of 2025, the England-based organization recorded 2,190 ransomware attacks globally — 1,000 more than during the same period of 2024 (1,172). Of the 2,190 attacks tracked, 197 have been confirmed through a data breach notification, company press release or other forms of disclosure. While this number is significantly lower than the 373 confirmed attacks logged in Q1 of 2024, Comparitech added that many attacks aren’t confirmed until months after the event.
The U.S. requires organizations to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds, but not all countries have breach disclosure laws.
“The average ransom across all of the confirmed attacks was $2.14 million, with government organizations seeing the highest average across each sector,” at $6.7 million, according to Rebecca Moody, head of Data Research at Comparitech. “There weren’t any confirmed ransom payments during the reporting period, but 26 organizations confirmed they hadn’t paid a ransom.”
While governments have become a key focus for hackers, all sectors — including education — have seen an uptick in the number of ransomware attacks.
Of the 197 confirmed attacks, 22 were on educational institutions, and of 1,993 unconfirmed attacks, 59 were on educational institutions. The analysis noted that 28 unconfirmed attacks couldn’t be attributed to a sector due to limited company information.
The total of 81 ransomware attacks on the education sector in Q1 2025 account for a 69 percent increase over this time a year ago. Thus far, the average ransom across confirmed attacks was $608,000, and the largest demanded $1.5 million from Asia University, Taiwan.
The most prolific and “successful” ransomware gangs thus far include Interlock, whose confirmed attacks include two American school systems (Aztec Municipal School District in New Mexico and Cherokee County School District in South Carolina), and Clop whose attack on Chicago Public Schools allowed a third party to gain unauthorized access to 700,000 students’ data.
That data breach late last year compromised information of current and former students included their names, dates of birth, genders, student ID numbers and Medicaid ID numbers.
CSBA has developed a suite of resources to support governance teams navigating complex questions and challenges related to cybersecurity. Those and additional resources can be found here.
