Ransomware in Education Part 2: Why Schools, Colleges and Universities Struggle to Recover and How to Improve
In the first article in this series, I wrote about why educational establishments are so frequently targeted by ransomware and cyber extortion groups. The short version is not that education is simply “easy to attack,” it is that education is highly susceptible to coercion to pay.
Schools, colleges and universities hold sensitive data, operate under public pressure, depend on complex digital platforms, run with constrained resources and have very little tolerance for disruption during exams, admissions, safeguarding, payroll or teaching periods. That is why they are targeted, but being targeted is only the first part of the problem.
The more uncomfortable issue is what happens after the attack has landed. Many educational establishments do not fail during recovery because they have no backups. They fail because recovery is treated as a technical restoration problem, when in reality it is an operational crisis involving identity, trust, governance, communications, safeguarding, third parties, regulatory exposure and the ability to make fast decisions with incomplete information.
Restoring data is not the same as recovering an institution.
The breach is often only the start of the crisis
A destructive cyberattack does not arrive neatly packaged as an IT ticket, it usually starts with uncertainty.
Which systems are compromised?
Which identities can still be trusted?
What data has been stolen?
Which backups are clean?
Which suppliers need to be involved?
Which services must be restored first?
Will students and staff be able to get past digital access controls?
Can teaching continue?
Can exams proceed?
Can safeguarding processes operate?
Can payroll run?
Can leadership communicate with staff, students and parents?
Can the institution prove that it is not simply restoring the attacker back into the environment?
This is where recovery starts to break down. Not because people are not working hard enough; they are usually performing heroics. It breaks down because the recovery model was designed for IT failure, not hostile compromise.
A storage outage, flood, server failure, fire or accidental deletion is a fundamentally different problem from ransomware. In a normal disaster recovery scenario, you are trying to restore availability; in a destructive cyberattack, you are trying to restore availability and establish trust. That second part is what slows everything down.
Education has a large operational blast radius
Recent incidents show how quickly cyber disruption in education becomes operational disruption.
The May 2026 Canvas incident disrupted access to a platform used for assignments, grades, exams and academic communications across universities, colleges and schools, with reports of disruption during finals season and institutions temporarily blocking access while they assessed the security position. The Canvas incident showed the dependency model that is common in education.
An educational establishment may not own the compromised platform, but it still owns the operational consequence. If students cannot access exams, teachers cannot access grades, parents cannot receive communications or staff cannot coordinate teaching, the institution is disrupted regardless of where the technical fault originated.
The breach of PowerSchool highlighted a different form of dependency. Threat actors later attempted to extort schools using student and staff data stolen from the December 2024 PowerSchool incident, despite the compromise sitting in a widely used education technology supplier rather than an individual school district’s own infrastructure.
This is the reality of education recovery, you are not recovering a neat stack of applications in a data centre. You are recovering an operating model spread across internal systems, cloud platforms, managed service providers, learning platforms, identity services, safeguarding systems, research platforms, faculty systems, finance systems and communications channels. It is more like trying to restart a city than reboot a server.
The first recovery failure is usually decision-making
Most recovery plans are built on a set of optimistic assumptions: that the right people will be reachable, the right information will still be accessible, the right systems will be available, and the right decisions will be self-evident. My experience supporting ransomware incidents across multiple educational institutions is that these assumptions often collapse almost immediately.
The senior leadership team needs to decide whether to shut down systems, whether to communicate publicly, whether to notify regulators, whether to engage law enforcement, whether to bring in external incident responders, whether to restore from backup, whether to rebuild, whether to disconnect from suppliers and whether to continue operating manually.
Those decisions are rarely technical-only decisions, they affect safeguarding, legal exposure, student welfare, public confidence, insurance coverage, contractual obligations, academic integrity and institutional reputation. Yet many schools, colleges and universities have not built a cyber recovery governance model that clearly defines who makes those decisions, what evidence they need, how decisions are recorded and how competing priorities are resolved.
That is why the first few days of a ransomware incident can quickly become chaotic without appropriate preparedness.
IT is trying to contain the incident. Security is trying to understand the attack. Leadership is trying to communicate before all the facts are known. Legal is trying to manage notification obligations. Suppliers are waiting for instructions. Staff are asking what they should do. Students and families are looking for answers. And through all of this, the attacker is applying constant pressure - sometimes even directly harassing staff, students or families to increase fear, confusion and the likelihood of payment.
If the governance model is being invented during the incident, recovery will be slower.
Identity becomes the critical path
In many destructive cyberattacks, the hardest question is not “where are the backups?”; it is “who can we trust?”
If Active Directory, Entra ID, privileged access management, MFA, service accounts or administrative credentials are compromised, the institution has an identity crisis before it has a recovery problem. This is particularly difficult in education because identity is complex.
Students, staff, governors, trustees, parents, alumni, suppliers, research partners, visiting academics, contractors and shared service providers may all interact with institutional systems. Universities may also have federated identity relationships, research collaborations and departmental autonomy that make the identity plane even harder to control.
If the attacker has stolen credentials, created persistence, compromised domain controllers, abused service accounts or tampered with administrative access, restoring applications before restoring identity trust is dangerous. It is the cyber equivalent of rebuilding a school but handing the keys back to the burglar.
This is why identity recovery needs to be treated as a first-class recovery workstream. Institutions need a tested plan for minimum viable identity: the smallest trusted identity capability required to restart critical services safely. That may include clean administrative workstations, break-glass accounts, known-good domain controller recovery, privileged access reset, MFA re-enrolment, service account rotation and a controlled process for reconnecting systems. Without that, recovery becomes guesswork.
Backups exist, but confidence does not
Educational establishments often have backups, but I know from extensive first-hand experience that this is not the same as having a genuine cyber recovery capability. A backup strategy designed for accidental deletion or hardware failure may not answer the questions that matter during ransomware:
Were the backups reachable by the attacker?
Were backup policies changed before encryption?
Were snapshots deleted, expired or corrupted?
Which restore points pre-date attacker persistence?
Which copies are immutable?
Which copies are isolated from the production identity plane?
Can the backup platform itself be trusted?
Can malware be scanned before restore?
Can systems be mounted for investigation without restoring them into production?
Can recovery be performed at the scale needed to restart priority services?
Has anyone actually tested this under ransomware conditions?
This is where modern data management platforms change the conversation.
The value is not simply that they hold backup data. It is that they can help determine which data is recoverable, which restore points are safe, which systems contain indicators of compromise and which recovery path gives leadership the best chance of returning to a trusted state.
That matters because backup data is one of the few sources of historical truth left after production systems have been encrypted, wiped or taken offline. During a destructive attack, the backup estate can become a time-series evidence store.
It can help answer questions like:
When did suspicious files first appear?
What emails contained links to phish credentials or malicious payloads?
Which systems contained known malware indicators?
Which snapshots contain vulnerable software?
Which restore points are likely to be clean?
Which systems changed materially before encryption?
Which servers should be rebuilt rather than restored?
Which data needs additional validation before being trusted?
This is a very different mindset from “restore the latest backup”. In ransomware, the latest backup may simply be the most recent compromised copy.
Recovery sequencing is usually underdeveloped
Another reason education struggles with recovery is that criticality is often poorly defined.
Most institutions can say that “teaching is critical”. Fewer can identify the specific systems, identities, data sets, suppliers, network services, documents and manual workarounds required to sustain teaching during a destructive cyberattack. That gap becomes intolerable in the middle of a destructive cyberattack: if everything is critical, nothing is sequenced.
The institution needs to know what must come back first, what can operate manually, what can wait, what must be rebuilt from trusted images, what must be restored from backup and what must be validated by security before reconnection.
For a school, the priority may be safeguarding, attendance, parent communications, payroll, access control, learning resources and core administrative systems.
For a college, it may include teaching platforms, student records, finance, enrolment, exams, timetabling and communications.
For a university, it may include identity, network, learning management, email, research systems, student records, accommodation, finance, library systems, HR, regulated research environments and third-party platforms.
Those priorities should not be discovered during the incident, they should be mapped in advance as part of a Minimum Viable Institution (MVI) model: the smallest set of capabilities required to continue operating safely while full recovery progresses.
My consulting team spends a significant amount of time working inside educational institutions to facilitate workshops that help them identify the systems, data, identities, suppliers, processes and decision points that should form part of their MVI. That approach is grounded in our experience supporting education customers globally and seeing, first-hand, where recovery efforts most often slow down or fail.
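The sequencing problem above can be made concrete. This is an added illustration, not a tool from the author's team or any vendor: it takes a constructed university service catalogue, lets a dependency inherit the urgency of whatever depends on it (so a "tier 2" learning platform that tier-1 exams rely on is promoted to tier 1), and groups services into restore waves in which nothing is scheduled before its dependencies. Service names, tiers and actions are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class Service:
    name: str
    tier: int              # 1 = must return first for the MVI; larger numbers can wait
    action: str            # "rebuild" (trusted image), "restore" (backup) or "manual" (workaround)
    depends_on: tuple = ()
    signoff: bool = False  # security must validate this service before it is reconnected

# Constructed university catalogue; a real MVI map comes out of the workshops described above.
CATALOGUE = [
    Service("identity", 1, "rebuild", (), True),
    Service("network", 1, "rebuild", (), True),
    Service("student_records", 1, "restore", ("identity", "network"), True),
    Service("exams", 1, "manual", ("learning_platform", "student_records")),
    Service("email", 2, "restore", ("identity", "network")),
    Service("learning_platform", 2, "restore", ("identity", "network")),
    Service("finance", 2, "restore", ("identity",)),
    Service("library", 3, "restore", ("identity", "network")),
]

def effective_tiers(services):
    """A dependency inherits the most urgent tier of anything that depends on it."""
    eff = {s.name: s.tier for s in services}
    changed = True
    while changed:                      # terminates: tiers only ever decrease
        changed = False
        for s in services:
            for d in s.depends_on:
                if d not in eff:
                    raise ValueError(f"{s.name} depends on unknown service {d}")
                if eff[s.name] < eff[d]:
                    eff[d] = eff[s.name]
                    changed = True
    return eff

def plan_waves(services):
    """Group services into restore waves: a service joins a wave only once every
    dependency sits in an earlier wave; within a wave, most urgent effective tier first."""
    eff = effective_tiers(services)
    by_name = {s.name: s for s in services}
    done, waves, remaining = set(), [], set(by_name)
    while remaining:
        ready = [by_name[n] for n in remaining if set(by_name[n].depends_on) <= done]
        if not ready:                   # nothing can start: the map contains a cycle
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        ready.sort(key=lambda s: (eff[s.name], s.name))
        waves.append([s.name for s in ready])
        done |= {s.name for s in ready}
        remaining -= done
    return waves

def build_sequence(services):
    """Flatten the waves into an ordered runbook of (wave, service, action, signoff needed)."""
    by_name = {s.name: s for s in services}
    return [(w, n, by_name[n].action, by_name[n].signoff)
            for w, names in enumerate(plan_waves(services), start=1) for n in names]
```

Running `build_sequence(CATALOGUE)` puts identity and network in wave 1, promotes the learning platform ahead of email because exams depend on it, and leaves exams to wave 3 with a manual workaround until then.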
Third parties are often outside the recovery plan
The PowerSchool and Canvas incidents are reminders that third-party platforms are now part of institutional resilience, not just procurement risk, but many recovery plans still focus mainly on internal systems.
If a learning platform, student information system, managed network provider, payroll provider, cloud tenant, identity provider or outsourced IT partner is essential to recovery, then the institution needs to know in advance:
Who owns the relationship?
How will the supplier be contacted during an incident?
What evidence will the supplier provide?
What are the recovery obligations?
What are the escalation routes?
What alternative processes exist if the supplier is unavailable?
How will the institution validate that the service is safe to reconnect?
What data might the supplier hold that changes notification obligations?
Supplier resilience needs to be operationalised, not buried in a contract: a contract clause does not restore a learning platform during finals week.
Communications channels fail when they are needed most
Educational establishments are highly dependent on communication, which makes ransomware particularly disruptive.
If email is down, how does leadership communicate with staff?
If ticketing is down, how will IT and security operations coordinate response and recovery?
If collaboration systems are compromised by an adversary, how can you ever get ahead of their attack?
If the website is unavailable, how are parents informed?
If the learning platform is down, how are students told what to do?
If identity is compromised, can internal messaging be trusted?
If you use Voice-over-IP, what is the fallback?
If staff use personal messaging apps, how is information controlled?
During a destructive attack, communications is not a support function; it is part of response and recovery.
Institutions need pre-prepared communication channels, contact lists, message templates and decision rights. They need offline copies of key contacts. They need to know how to communicate with staff, students, parents, regulators, insurers, law enforcement, suppliers and the media. This is one of the reasons my team created the concept of the Digital Jump Bag.
A Digital Jump Bag is not a collection of random incident response documents. It is the vaulted, accessible set of resources required to start recovery when normal systems cannot be trusted. It should include runbooks, escalation matrices, contact lists, architectural diagrams, insurance details, legal contacts, supplier escalation routes, clean build documentation, identity recovery procedures, communications templates, critical service maps and recovery decision logs.
It should be stored somewhere isolated from the primary environment, protected by a separate identity plane and available when the institution is operating under hostile conditions.
Because the worst time to look for the recovery plan is after the file share has been encrypted.
The recovery objective should be trusted state, not normal state
This is the most important point of this post. After ransomware, the goal is not to get back to normal as quickly as possible, the goal is to get back to a trusted operating state as safely and quickly as possible.
Normal may include the vulnerabilities, misconfigurations, excessive privileges, flat networks, stale service accounts and unmanaged dependencies that allowed the attack to succeed in the first place. Restoring normal often restores risk.
Trusted-state recovery requires a different set of disciplines:
Confirming the likely initial access path.
Identifying attacker persistence mechanisms.
Validating restore points before recovery.
Scanning backup snapshots to validate that malware and suspicious artefacts have been identified and removed.
Checking that vulnerable software and configurations have been resolved across protected workloads.
Rebuilding high-risk systems from trusted images where appropriate.
Rotating credentials and re-establishing identity trust.
Restoring services in a controlled sequence.
Monitoring for re-emergence of indicators of compromise.
Capturing evidence for regulators, insurers and internal lessons learned.
This is where modern data management can support the security team, not just the infrastructure team. A modern data management solution can perform threat hunts on snapshot data and discover potential malware in protected objects. You can use time-series immutable snapshots for file-level forensic investigation and scan backup snapshots for known vulnerabilities.
The backup platform should not sit passively waiting for a restore request, it should also help the institution investigate, validate and recover.
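The "time-series evidence store" idea from the backup section, and the restore-point validation and snapshot hunting listed above, come down to comparing successive snapshots against what the investigation has learned. The following is an added example written for this article, not a Cohesity or other vendor API: it walks a constructed five-day snapshot history of one file server, records the first snapshot in which each indicator appears (a known-bad hash, a suspicious path, a weakened retention policy, a mass rewrite of files) and returns the latest snapshot that pre-dates all of them. The hashes, paths and churn threshold are placeholder values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Snapshot:
    taken: datetime
    files: dict          # path -> content hash; constructed sample values
    retention_days: int  # retention policy in force when the snapshot was taken

@dataclass
class Finding:
    first_seen: datetime  # snapshot in which the indicator first appears
    reason: str

# Placeholder indicators; in a real incident these come from the DFIR team.
KNOWN_BAD_HASHES = {"bad-hash-0001"}
SUSPICIOUS_PATHS = {"C:/ProgramData/unknown_tool.exe"}
CHURN_THRESHOLD = 0.5  # fraction of paths changed between consecutive snapshots

def churn(prev, cur):
    """Fraction of all paths in either snapshot that were added, removed or rewritten."""
    paths = set(prev.files) | set(cur.files)
    changed = sum(1 for p in paths if prev.files.get(p) != cur.files.get(p))
    return changed / len(paths) if paths else 0.0

def hunt(snapshots):
    """Walk snapshots oldest to newest and record the first time each indicator appears."""
    snaps = sorted(snapshots, key=lambda s: s.taken)
    findings, seen = [], set()
    def note(when, reason):
        if reason not in seen:  # keep only the first sighting of each indicator
            seen.add(reason)
            findings.append(Finding(when, reason))
    for i, snap in enumerate(snaps):
        for path, digest in snap.files.items():
            if digest in KNOWN_BAD_HASHES:
                note(snap.taken, f"known-bad hash at {path}")
            if path in SUSPICIOUS_PATHS:
                note(snap.taken, f"suspicious path {path}")
        if i > 0:
            prev = snaps[i - 1]
            if snap.retention_days < prev.retention_days:  # policy weakened before encryption
                note(snap.taken, f"retention cut from {prev.retention_days} to {snap.retention_days} days")
            if churn(prev, snap) >= CHURN_THRESHOLD:  # mass rewrite looks like encryption
                note(snap.taken, "mass file change (possible encryption)")
    return findings

def last_clean_restore_point(snapshots, findings):
    """Latest snapshot taken strictly before the earliest indicator; None if no copy is clean."""
    if not findings:
        return max(snapshots, key=lambda s: s.taken)
    earliest = min(f.first_seen for f in findings)
    clean = [s for s in snapshots if s.taken < earliest]
    return max(clean, key=lambda s: s.taken) if clean else None

# Constructed five-day history of one file server's snapshots.
T0 = datetime(2025, 6, 1)
def day(n):
    return T0 + timedelta(days=n)
BASE = {"C:/Shares/staff/report.docx": "h1", "C:/Shares/staff/grades.xlsx": "h2",
        "C:/Windows/System32/svc.exe": "h3"}
TOOL = {"C:/ProgramData/unknown_tool.exe": "bad-hash-0001"}
SAMPLE = [
    Snapshot(day(1), dict(BASE), 30),
    Snapshot(day(2), dict(BASE), 30),
    Snapshot(day(3), {**BASE, **TOOL}, 30),  # unknown binary appears; policy untouched
    Snapshot(day(4), {**BASE, **TOOL}, 1),   # retention slashed; encryption not yet started
    Snapshot(day(5), {**{p + ".locked": "enc-" + h for p, h in BASE.items()}, **TOOL}, 1),
]
```

With this history, `last_clean_restore_point(SAMPLE, hunt(SAMPLE))` is the day-2 snapshot: the latest copy (day 5) is the encrypted one, and days 3 and 4 already contain the unknown binary, which is exactly why "restore the latest backup" fails here.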
A practical trusted recovery model for education
Educational establishments do not need a 300-page cyber recovery strategy that gathers dust and nobody reads. They need a pragmatic operating model that can survive contact with a real incident. At minimum, that should include seven things.
Define the minimum viable institution
Identify the services that must be restored first to keep the institution safe and operational. For schools, this may include safeguarding, attendance, parent communications, payroll, access control and core teaching support. For colleges and universities, it may include identity, learning platforms, student records, exams, finance, research systems and communications.
Do not start with applications, start with outcomes. What must the institution still be able to do?
Build a recovery governance model
Define who makes decisions during a destructive cyberattack. This should include executive leadership, IT, security, legal, communications, safeguarding, academic operations, finance, HR, estates and supplier management. The model should specify decision rights, escalation routes, evidence requirements and how decisions are recorded.
During a ransomware incident, ambiguity is expensive.
Protect and test identity recovery
Create a specific identity recovery plan. This should include Active Directory and Entra ID recovery, privileged account reset, service account rotation, MFA recovery, break-glass access, clean administrative workstations and a process for restoring trust before reconnecting recovered systems.
Remember, identity is not just another service, it is the control plane for recovery.
Vault the resources needed to respond and recover
Use a Digital Jump Bag approach, storing recovery-critical documents, build guides, diagrams, contacts, supplier details, licence keys, communications templates, insurance information, runbooks and clean images in an isolated, protected location.
Where possible, this should be held in a modern data management or cyber vaulting platform with immutability, separation from production identity and controlled access.
Use backup data for investigation, not only restoration
Treat protected data as an investigative asset. Use immutable snapshots to compare points in time, hunt for indicators, scan for malware, identify vulnerable software and determine which restore points are suitable for recovery. This helps bridge the gap between DFIR and infrastructure recovery.
Security should help determine root cause and therefore what is safe to restore; IT should not be guessing.
Create a clean recovery environment
A clean room or isolated recovery environment allows systems to be investigated, restored, scanned, validated and sequenced before reconnection. This is especially important for critical services, identity infrastructure, student information systems and systems that may contain sensitive data.
The clean room, however, is not just a technical architecture; it is a workflow and shared responsibility model to restore, inspect, validate, harden, reconnect and monitor.
Test recovery under destructive attack conditions
Most recovery testing proves that a file can be restored, that is simply not enough. Institutions should test realistic scenarios that contain domain compromise, backup administration compromise, learning platform outage, student information system unavailability, compromised communications platforms, failure of physical access systems, ransomware encryption across file servers, loss of email and collaboration tools, recovery during exams or enrolment and supplier compromise affecting a critical service.
The test should measure decision-making, communications, sequencing, technical recovery, evidence capture and the ability to recover to a trusted state. A tabletop alone is not enough, a backup restore test alone is not enough. You need both the governance rehearsal and the technical validation.
There are positive examples
The point of this article is not that education cannot recover. It can — and, with the right preparation, it can recover efficiently and effectively. The institutions that recover rapidly to a trusted state tend to have three things in common before the incident occurs: protected recovery data, clear recovery priorities and a tested operating model.
Blaine County School District is a useful example. The district was hit by ransomware just two days after implementing Cohesity backup and recovery; the attack encrypted 60% of its systems, but the district restored clean backups from Cohesity FortKnox in 48 hours, paid no ransom and had critical systems running when students and teachers returned. That is the outcome education leaders should care about.
Not because every institution will have the same environment or the same recovery timeline, but because it demonstrates the right principle: ransomware recovery is not about whether backups exist. It is about whether the institution can use them quickly, safely and confidently under pressure.
The leadership question
For boards, governors, trustees and executive teams, the recovery question should be reframed from “Do we have backups?” to “Can we recover our most important educational services to a trusted state, in the right order, using clean data, trusted identity, available communications and clear decision-making - while under active pressure from a criminal adversary?” That is the real test of an institution’s cyber resiliency.
Educational establishments are frequently targeted because they are highly susceptible to coercion to pay.
They struggle to recover because the incident is treated as a technology outage long after it has become an institutional crisis.
The answer is not panic, it is preparation.
Define the minimum viable institution.
Protect identity.
Vault the jump bag.
Use backups as evidence.
Validate restore points.
Build a clean recovery workflow.
Test the decisions, not just the technology.
Recover to trusted state, not simply back to normal.
After a destructive cyberattack, the question is not whether learning matters, it is whether the institution has built the operational resilience to continue protecting it.