Ransomware and other attacks continue to be a major threat for schools. Education is an appealing target for hackers because of the level of student data school networks often contain.
A new cybersecurity report from Travelers, a cyber insurance company, found that ransomware attacks increased by 32% from Q3 to Q4 last year. Schools saw similar trends, with 82% of K-12 organizations experiencing cyber incidents during the 18-month study period, according to the 2025 State of K-12 Cybersecurity Report from the Center for Internet Security (CIS).
Randy Rose, VP of Security Operations & Intelligence at CIS, discusses the recent trends in ransomware and cybersecurity, and shares advice for how schools can continue to overcome these attacks and keep their networks and data safe.
Increase of “Malvertisement” Attacks
“Malvertisements,” ransomware attacks that gain entry to school networks through malicious code hidden in advertisements, have become more common, serving as the vector for malware 63% of the time. They can take the form of watering hole adware attacks, in which malicious code is slipped into the ads of reputable sites that teachers or students might commonly visit from their school devices.
“These advertisers tend to be criminal actors who specialize in early entry, so they gain access to systems,” Rose says. “Typically, what ends up happening is they rent ad space, usually through a third party.”
Newspaper ad space can be sold multiple times by various reputable companies, but eventually someone accidentally sells the space to a hacker.
“So a couple of layers down, you end up with a criminal actor who’s buying that ad space, and they’re putting malicious code into those ads,” Rose says. “When you visit that website, your browser, which is building the website on the fly, is actually executing code that’s in that advertisement. That code is looking for a vulnerability in your browser or on your local system.”
The Rise of Ransomware Groups
The Travelers report highlights the emergence of 55 new ransomware groups in 2024. Many of these hacker groups were supported by nation-state resources, while others were more loosely affiliated groups of cyber outlaws with complementary skill sets.
“Ransomware in particular, it’s hard to pin down specifically who’s doing what, because the actors that are associated with one group might not have a particular loyalty to that group, and they might operate under multiple ransomware organizations at a time,” Rose says. “If I’m one of those initial access brokers, and I’m really good at gaining access into networks, I might sell my access to four or five different ransomware affiliates.”
Personalized Ransom Demands
When hacking groups obtain sensitive information about students and teachers, they don’t always just threaten the school or district.
“We’ve seen with a couple of ransomware groups where they specifically target teachers and students’ parents, and go after them to try to get them to put pressure on the schools to pay,” Rose says. “When they go after the stakeholders, that’s a triple extortion attempt.”
In addition, human vulnerability is often targeted in the initial attacks. According to the CIS report, cyber threat actors target human behavior 45% more often than technical vulnerabilities.
Keeping Networks Safe
Rose recommends schools follow the CIS Community Defense Model resource. While he knows that funding is tight, basic security measures can go a long way.
“If you put just essential security controls in place, you offset your risk by 90%,” he says. “Even as threats are becoming more sophisticated, you’re really setting yourself up for success by focusing on the simple tasks.”
In addition to actions such as making sure there is an offline backup of data and that all apps are regularly updated, culture is important, particularly a culture that doesn’t stigmatize reports of potential hacks.
“Some of the best chief information security officers and IT directors that we know really have a no judgment, no punishment policy,” he says. These school technology leaders let their stakeholders know they can “come to us and share the things that are going on, and we’ll work it together,” he adds. “You’re not going to get in trouble for highlighting a security issue with us.”