Campus Technology

Why Universities Are Ransomware's Easy Target: Lessons from the 23% Surge

While businesses collectively paid $814 million in ransomware payments in 2024, one sector saw attacks surge 23% in the first half of 2025 alone: higher education. This sharp increase reflects the challenge of running secure operations in open, collaborative environments.

Higher education institutions are prime targets for ransomware attacks due to their open, decentralized IT environments, limited cybersecurity resources, and the high value of the data they store, including proprietary research, personal information, and financial records. With a critical need for system uptime to support academic workflows, universities are often pressured to respond quickly to attacks, making them especially attractive to cybercriminals. Earlier this year, Texas Tech University Health Sciences Center suffered a breach that exposed the personal data of over 1.4 million individuals, including names, birth dates, addresses, Social Security numbers, and driver's license numbers.

Artificial intelligence has created both new tools for defenders and new risks from adversaries. Universities that plan ahead and adapt quickly will be better positioned than those that only respond after an attack.

Beyond the Payout: How Ransomware Threatens University Budgets and Learning

Universities face unique pressures: open networks by design, diverse user bases, and legacy systems mixed with cutting-edge research. A recent report showed that the average cost of ransomware in Q2 2025 doubled from the previous quarter, to $1.13 million.

The costs of ransomware extend well beyond the ransom itself. Lost productivity, downtime, and reputational damage can be far more expensive than the payment demand. Following the initial attacks, universities must begin the recovery process, a phase that is often both complex and costly.

In 2024, the average recovery cost from a ransomware attack was $3.76 million for lower education institutions and $4.02 million for higher education organizations. This marks a dramatic increase from the $1.06 million average reported in 2023, nearly quadrupling year over year.

AI Is Fueling Smarter Ransomware — Are Universities Ready?

Higher education security teams today are not facing the ransomware attacks of 10 years ago. With the rise in AI, today's ransomware attacks are evolving. In 2019, the CEO of a U.K.-based energy company was scammed out of $243,000 by criminals using AI-based voice software. While traditional red flags like grammatical errors once made phishing attempts obvious, AI-generated content now produces localized, contextually appropriate communications that can fool even security-conscious employees.

These attacks are becoming harder to spot, and organizations are taking note. In a recent report, 47% of organizations cite adversarial advances powered by generative AI as their primary concern, enabling more sophisticated and scalable attacks. As cybercriminals increasingly use AI to power their ransomware attacks, universities face the challenge of developing comprehensive defense strategies that evolve in tandem with AI advancements.

Academic environments face heightened risk because their collaboration-driven environments are inherently open, making them more susceptible to attack, while the high-value research data they hold makes them an especially attractive target. The question is not if this data will be targeted, but whether universities can defend it swiftly enough against increasingly AI-powered threats.

Using AI to Strengthen University Defenses Against Ransomware Attacks

Just as attackers are using AI, defenders can apply it to strengthen security. Universities have a unique opportunity to use the technology to transform their cyber defense from reactive to proactive threat prevention. Behavioral analysis systems enable campus IT teams to detect anomalies in real time by monitoring unusual data access, such as research data being accessed outside regular academic hours.
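The off-hours access check described above, sketched as an added example (it is not from the article or any vendor product). The log format, the /research/ path prefix, the 07:00-19:59 academic window, and all account names are assumptions made for illustration. It pairs the fixed time window with a per-user baseline so that researchers who routinely work late do not generate alerts.

```python
from collections import Counter, defaultdict
from datetime import datetime

ACADEMIC_HOURS = range(7, 20)   # assumption: 07:00-19:59 local time
RESEARCH_PREFIX = "/research/"  # assumption: path prefix for research data
MIN_SEEN = 2                    # an hour must recur to count as habitual

# Constructed sample records: timestamp,user,path
BASELINE_LOG = """\
2025-09-01T09:12:00,alice,/research/genomics/run1.csv
2025-09-02T09:40:00,alice,/research/genomics/run1.csv
2025-09-01T23:05:00,bob,/research/physics/sim.h5
2025-09-02T23:40:00,bob,/research/physics/sim.h5
"""
NEW_LOG = """\
2025-09-15T10:02:00,alice,/research/genomics/run2.csv
2025-09-15T23:30:00,bob,/research/physics/sim.h5
2025-09-16T02:14:00,alice,/research/genomics/run1.csv
2025-09-16T02:20:00,alice,/home/alice/notes.txt
2025-09-16T03:05:00,svc-backup,/research/physics/sim.h5
"""

def parse(log):
    rows = (line.split(",", 2) for line in log.strip().splitlines())
    return [(datetime.fromisoformat(ts), user, path) for ts, user, path in rows]

def build_baseline(events):
    """Per user, the hours at which research data was read at least MIN_SEEN times."""
    counts = defaultdict(Counter)
    for ts, user, path in events:
        if path.startswith(RESEARCH_PREFIX):
            counts[user][ts.hour] += 1
    return {u: {h for h, n in c.items() if n >= MIN_SEEN} for u, c in counts.items()}

def detect(events, baseline):
    alerts = []
    for ts, user, path in events:
        if not path.startswith(RESEARCH_PREFIX) or ts.hour in ACADEMIC_HOURS:
            continue
        known = baseline.get(user)
        if known is None:
            reason = "off-hours access, account has no baseline"
        elif ts.hour not in known:
            reason = "off-hours access outside the user's usual hours"
        else:
            continue  # habitual late worker: suppress the alert
        alerts.append((ts.isoformat(), user, path, reason))
    return alerts
```

Calling detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG))) returns the alerts for the constructed sample: the 02:14 read by alice and the 03:05 read by svc-backup, but not bob's habitual 23:30 access.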

AI can preempt attacks before they escalate into full-scale breaches, giving IT teams the critical early warning needed to protect their most valuable data assets. Not only can these tools help prevent universities from paying the ransom, but they can also impact many other factors through early detection. A recent IBM report revealed that organizations that made extensive use of security AI and automation achieved mean time to identify (MTTI) and contain (MTTC) data breaches of 148 and 42 days, respectively. In using these solutions, organizations were able to cut breach times by 42 days compared to those not using these technologies.

For university IT teams, reducing breach duration is essential to maintaining operational continuity, protecting constrained budgets, and ensuring uninterrupted access to critical systems and data for students, faculty, and staff. Faster recovery times help safeguard academic workflows, such as course delivery, research activities, and administrative functions, that rely on constant system availability and data integrity. Today's universities must have robust cybersecurity measures in place, not only to prevent attacks but also to ensure they can recover quickly and resume operations with minimal disruption.

Campus-Ready Defense Strategies

Universities need cybersecurity strategies that account for the realities of academic environments. This includes deploying solutions that understand and integrate with academic workflows, as well as implementing institution-wide training to build a culture of cyber awareness.

By proactively identifying risks and strengthening response capabilities, higher education institutions can minimize the impact of potential threats, ensuring they remain focused on their core mission of innovation, research, and student success. Here are three strategies for more effective cyber defense.

Deploy detection that understands academic workflows. By investing in AI-powered technology, universities can continuously monitor and detect endpoint activities, flag unusual behavior, and isolate threats. Unlike human monitoring, these tools can constantly scan for threats specifically within higher education workflows, alerting security teams before the attack is too far along.

Train diverse campus populations (students, faculty, staff). Universities can implement security training to ensure their entire campus is prepared in the event of an attack. This training can help students, faculty, and staff effectively detect phishing attempts and other ransomware tactics. A report revealed that employee engagement in security awareness training leads to a 70% reduction in security incidents for companies. These training sessions can be the reason a student or employee doesn't click on a suspicious link in their e-mail inbox, which may be a phishing scam in disguise.

Run tabletop exercises for academic calendar scenarios. By participating in two key cybersecurity practices — penetration testing and disaster recovery testing — higher education security teams can reduce their security risks. Each of these exercises can be used to run through disaster recovery scenarios in the academic calendar, such as the first day of class or other important dates, to ensure that teams are best prepared.

  • Penetration testing encompasses various levels of testing, where organizations collaborate with an outside consultant to assess the scope, depth, and breadth of their testing procedures. This is to test for vulnerabilities that the university might not be aware of.
  • Disaster recovery testing involves working through a simulated recovery scenario to ensure a quick and seamless recovery process. In the event of a ransomware attack, teams will feel prepared knowing they've run through the scenario before.

The Strategic Value of Proactive Cyber Defense in Higher Education

As artificial intelligence technologies evolve, so too do the threats they enable, making it imperative for higher education institutions to develop their defense strategies in parallel. Today's universities face a staggering monetary risk that is increasing in frequency, and failure to proactively address it can lead to devastating operational and financial consequences.

Universities will be targeted. Preparing now is essential to protect data, sustain operations, and safeguard the academic mission. Cybersecurity preparedness has become a strategic imperative, not just for defense, but for ensuring institutional continuity, protecting sensitive data, and upholding the academic mission.

Universities that embrace a proactive security strategy, built on continuous monitoring, adaptive controls, and resilience by design, can safeguard critical operations and confidently focus on driving innovation and long-term growth.

About the Author

Manuel Leos Rivas is a cloud security architect at Backblaze, leading the company's threat detection, automation, and vulnerability management initiatives.