When ransomware strikes an educational institution, it affects far more than servers--many other systems and platforms go dark.

How well can your institution recover from a ransomware attack?



Most educational institutions believe they’re prepared for a cyberattack. Perhaps they’re running backups, and an incident response plan exists somewhere on the shared drive. Maybe they have a cyber insurance policy in place, or have run a tabletop exercise or two.

And then one day, what looks like a routine outage turns out to be the work of a group such as LockBit, a ransomware-as-a-service (RaaS) operation that encrypts victims’ systems and steals sensitive data to pressure organizations into paying multimillion-dollar ransoms.

That’s how it started for us at the University of Health Sciences and Pharmacy (UHSP) in St. Louis. What began as an apparently ordinary technical glitch quickly mutated into the worst crisis of my career. One moment we were troubleshooting downtime and the next, we were staring at ransomware notes, encrypted systems, and the very real possibility of operational collapse.

When ransomware strikes an educational institution, it affects far more than servers: financial aid systems, learning platforms, admissions, alumni relations, payroll and more can go dark. Research becomes inaccessible and clinical operations, if they exist, are jeopardized. Even facilities systems can be affected. The blast radius expands fast.

So before the next alert lights up your screen, it’s worth asking: If ransomware hit your educational institution, how well and how quickly could it recover?

Higher education remains uniquely exposed

Educational institutions operate differently from corporate environments. They are decentralized, collaborative, and intentionally open. Students and faculty alike expect flexibility, logging in from personal devices across residence halls and coffee shops, or collaborating globally with specialized tools. 

This openness is part of what makes education extraordinary. It is also what makes it vulnerable.

Institutions maintain decades of legacy infrastructure alongside modern cloud systems. Many operate with limited cybersecurity staffing and constrained budgets. Meanwhile, the data held on campus is extraordinarily valuable: student and employee personally identifiable information, financial records, donor databases, health information, and research funded by government agencies and private industry.

Threat actors understand this landscape well. There were 251 ransomware attacks on educational institutions worldwide in 2025, exposing 3.96 million breached records. More than half of ransomware incidents in higher education result in encrypted data, and one-third involve double extortion, where threat actors exfiltrate a victim’s sensitive data in addition to encrypting it.

Those statistics reflect a sustained campaign against our sector.

Recovery tests the entire institution

Prevention and detection matter. But when an attack succeeds, recovery becomes the defining challenge. And in a crisis, organizations rarely outperform their preparation.

The first hours after an attack demand quick, coordinated leadership: informing executive teams, notifying cyber insurance carriers, bringing legal counsel in early so they can guide regulatory exposure, and looping in law enforcement agencies like the FBI to gain threat intelligence and response support.

Internally, roles must be clear. An incident commander, a communications lead, legal and insurance liaisons, technical leads, and a dedicated scribe to maintain a detailed decision log are essential. Institutions should assume that primary communication platforms may be compromised and establish secure, out-of-band channels immediately.

Discipline during this phase is critical. The instinct to immediately wipe or rebuild systems can erase forensic evidence and complicate recovery. Containment, documentation, and preservation of logs and volatile data create the foundation for informed decisions.

Backups must be proven, not assumed

Nearly every institution reports having backups. Far fewer have validated their ability to restore quickly, cleanly, and at scale under real pressure.

Recovery planning requires confirming that immutable copies exist and are stored off-network, that restoration runbooks are written and current, and that there is a prioritized sequence for bringing systems back online. Testing restores into isolated environments reveals weaknesses, such as silently skipped files, corrupted images, or restores that overrun the recovery time objective, long before attackers do.
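A restore drill is only useful if its result is measured against something recorded at backup time. The script below is an added example, not UHSP’s tooling or any backup product’s format: it records a hash manifest when the backup is taken, then compares an isolated test restore against that manifest and against assumed RPO/RTO figures, flagging missing, corrupted and unexpected files. The manifest layout, the sample file tree and the 24-hour RPO / 4-hour RTO values are constructed for illustration.

```python
"""Restore-drill checker: compares a test restore against the hash manifest
recorded when the backup was taken. Added example; the manifest format, the
sample files and the RPO/RTO figures are illustrative assumptions."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class DrillResult:
    missing: list = field(default_factory=list)     # in manifest, absent after restore
    corrupt: list = field(default_factory=list)     # present but hash differs
    unexpected: list = field(default_factory=list)  # restored but not in manifest
    stale: bool = False                             # backup older than the RPO
    slow: bool = False                              # restore took longer than the RTO

    @property
    def ok(self):
        return not (self.missing or self.corrupt or self.unexpected or self.stale or self.slow)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative path with '/' separators, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root):
    """Taken at backup time. Store it with the immutable copy, out of the attacker's reach,
    so a tampered restore cannot also rewrite the reference it is checked against."""
    return {"taken_at": time.time(), "files": {rel: sha256_file(full) for rel, full in _walk(root)}}


def check_restore(manifest, restored_root, restore_seconds, rpo_seconds, rto_seconds, now=None):
    now = time.time() if now is None else now
    result = DrillResult()
    expected = manifest["files"]
    seen = set()
    for rel, full in _walk(restored_root):
        seen.add(rel)
        if rel not in expected:
            result.unexpected.append(rel)
        elif sha256_file(full) != expected[rel]:
            result.corrupt.append(rel)
    result.missing = sorted(set(expected) - seen)
    result.stale = (now - manifest["taken_at"]) > rpo_seconds
    result.slow = restore_seconds > rto_seconds
    return result


def run_demo():
    """Constructed scenario: the restore job skipped one file and returned a
    corrupted copy of another, exactly the kind of defect a drill should surface."""
    sample = {
        "sis/students.db": b"student records",
        "lms/grades.csv": b"a,90\nb,85\n",
        "payroll/run.json": b'{"period":"2025-10"}',
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in sample.items():
            p = os.path.join(src, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        for rel, data in sample.items():
            if rel == "payroll/run.json":
                continue                      # simulate a file the restore silently skipped
            if rel == "lms/grades.csv":
                data = b"a,90\nb,99\n"        # simulate corruption or tampering
            p = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        # Assumed drill figures: the restore took 1 hour against a 24 h RPO and 4 h RTO.
        return check_restore(manifest, dst, restore_seconds=3600,
                             rpo_seconds=86400, rto_seconds=4 * 3600)


if __name__ == "__main__":
    r = run_demo()
    print("drill ok:", r.ok, "| missing:", r.missing, "| corrupt:", r.corrupt)
```

The check deliberately treats an unexpected file as a failure as well as a missing one: a restore that brings back more than the manifest lists may be pulling from the wrong snapshot or from an image the attacker touched.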

Financially, the stakes are significant. Institutions that relied on backups to recover reported average recovery costs of approximately $900,000. Those that pay ransoms typically face higher average costs and longer recovery timelines. Payment does not eliminate disruption, legal exposure, or reputational damage.

Continuity requires secure pathways

Education cannot simply pause for weeks–students still need access to coursework, payroll must process, and critical research operations must continue, often under intense scrutiny.

During containment, however, many endpoints may be untrusted and patch levels inconsistent. Institutions should be prepared to provide secure, tightly controlled access pathways that allow critical work to continue while broader infrastructure is rebuilt. Strong identity controls, multifactor authentication, conditional access policies, and least-privilege enforcement are central to maintaining productivity without compounding risk.
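The controls named above compose into an ordered access decision, and the order matters: entitlement, then MFA, then device posture for sensitive systems, then the tighter rules that apply only while containment is in force. The evaluator below is an added illustration, not any identity provider’s policy language and not UHSP’s configuration; the roles, applications, thresholds and sample requests are assumptions. It shows how an unmanaged personal device can keep read-only access to coursework during containment, while payroll and admin tooling stay reachable only from managed devices with a fresh session.

```python
"""Toy conditional-access evaluator for a containment window. Added example;
roles, apps, thresholds and requests are illustrative assumptions."""
from dataclasses import dataclass

DENY, READ_ONLY, FULL = "deny", "read-only", "full"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # "student", "faculty", "payroll", "it_admin"
    app: str              # "lms", "email", "research", "payroll", "admin_console"
    device_managed: bool  # enrolled and compliant with the rebuilt baseline
    mfa: bool             # second factor completed for this session
    geo_trusted: bool     # campus network or an allow-listed region
    session_age_min: int


# Least privilege: which roles may reach which apps at all (assumed mapping).
ROLE_APPS = {
    "student": {"lms", "email"},
    "faculty": {"lms", "email", "research"},
    "payroll": {"payroll", "email"},
    "it_admin": {"admin_console", "email"},
}
# Systems that must only be touched from managed devices while rebuilding.
TIER_1 = {"payroll", "admin_console", "research"}


def evaluate(req, containment=True):
    """Return (decision, reason). Rules are ordered; the first deny wins."""
    if req.app not in ROLE_APPS.get(req.role, set()):
        return DENY, "role not entitled to app"
    if not req.mfa:
        return DENY, "MFA required for every session"
    if req.app in TIER_1 and not req.device_managed:
        return DENY, "tier-1 app only from managed device"
    if containment:
        if not req.geo_trusted:
            return DENY, "containment: untrusted location"
        if req.session_age_min > 60:
            return DENY, "containment: re-authenticate (short sessions)"
        if not req.device_managed:
            # Unmanaged endpoints keep working but cannot modify or download.
            return READ_ONLY, "containment: unmanaged device limited to read-only"
    if req.app == "admin_console" and req.session_age_min > 15:
        return DENY, "admin sessions expire after 15 minutes"
    return FULL, "all checks passed"


def evaluate_batch(requests, containment=True):
    return [(r.user, r.app, evaluate(r, containment)[0]) for r in requests]


# Constructed sample requests during a containment window.
SAMPLE_REQUESTS = [
    AccessRequest("s.lee", "student", "lms", False, True, True, 20),          # personal laptop
    AccessRequest("m.ortiz", "payroll", "payroll", False, True, True, 5),     # home PC, not enrolled
    AccessRequest("k.nair", "it_admin", "admin_console", True, True, True, 10),
    AccessRequest("j.park", "faculty", "lms", True, False, True, 3),          # skipped MFA
    AccessRequest("s.lee", "student", "payroll", True, True, True, 1),        # no entitlement
    AccessRequest("j.park", "faculty", "research", True, True, False, 10),    # abroad
]

if __name__ == "__main__":
    for user, app, decision in evaluate_batch(SAMPLE_REQUESTS):
        print(f"{user:10} {app:14} {decision}")
```

Passing `containment=False` relaxes only the containment rules; the entitlement, MFA and tier-1 device checks remain, which is the point of building the steady-state policy and the crisis policy from the same ordered rule set.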

Following our incident, we took a hard look at where control actually needed to live. In an environment where sensitive data flows across highly disparate systems–on-premises applications, cloud services, research platforms, and third-party tools–we recognized that security had to be embedded closer to the point where information is accessed and shared.

For us, that meant incorporating newer technologies such as Island’s Enterprise Browser, enabling us to apply policy and visibility directly at the interaction layer. By placing more control where users work, rather than relying solely on network-based boundaries or legacy workarounds like virtual desktop infrastructure, we were able to reduce risk while maintaining the openness that higher education requires.

Minimal viable operations should be defined in advance, with clear prioritization of services that support safety, instruction, payroll, and regulatory obligations.

Preparation determines resilience

Across higher ed, ransomware attacks are frequent and increasingly sophisticated.

Security teams at educational institutions must build an effective recovery posture long before an incident occurs. That means rehearsing the first day of response, ensuring executives understand their roles, validating backups, pre-establishing relationships with external partners, aligning communications protocols, and continuously evaluating how new technologies align with a distributed risk environment.

The question is not whether your institution will face attempted intrusion; it is whether, when those moments arrive, your response will be structured and decisive or improvised and reactive. The institutions that navigate ransomware successfully are those that constrain damage, communicate clearly, and restore operations with integrity.

Recovery begins with resilience. And the work to build that resilience must begin well before the clock starts ticking.


eSchool Media Contributors