
Schools on Their Own: K-12 Ransomware After the Federal Cuts

Published June 3, 2026 · 8 min read · By the ScamDrill Team

The renewal notice landed in district inboxes last October, and it asked for money nobody had budgeted. The Multi-State Information Sharing and Analysis Center, the threat-watching network that had quietly covered school systems for free for nearly two decades, now wanted dues. About $1,495 a year for a small district, more for big ones. And buried in the grant rules, a catch: federal cyber grant dollars can’t be used to pay it.

That invoice is the cleanest artifact of what changed for school cybersecurity over the past year. Between March 2025 and this spring, the federal scaffolding that quietly held up K-12 cyber defense was taken down piece by piece. Not with one dramatic announcement. With expirations, lapses, and reorganizations that each looked small on their own.

Meanwhile the people attacking schools did not pause to mark the occasion. They got more efficient.

What actually went away

Start with MS-ISAC, because schools leaned on it more than almost anyone. For a district with two IT people and 4,000 students, MS-ISAC was the security team: free malicious-domain blocking, threat alerts written for non-specialists, network monitoring, and a number to call at 2 a.m. when the file servers started encrypting themselves. In March 2025, CISA cut $10 million from its support. On September 30, the cooperative agreement that funded the rest of it ended outright, and the center moved to paid membership the next day.

The same September 30, the $1 billion State and Local Cybersecurity Grant Program lapsed. Congress revived its authority in the November shutdown deal, but the fine print mattered more than the headline: no new money was appropriated. A reauthorization bill passed the House and a Senate companion is still working through committee. Districts that built multi-year security plans around those grants are now planning around a question mark.

Zoom out and the pattern repeats. CISA has lost roughly a third of its workforce since early 2025, dropping from about 3,400 employees to around 2,400, and several of its education-facing programs were cut or shelved along the way. The Department of Education eliminated its Office of Educational Technology, the office that had published the playbooks district tech directors actually used. None of these cuts named schools as the target. Schools just happened to be the heaviest users of everything that got cut.

Figure 01 · Twelve months of disappearing backstops
MARCH 2025: CISA trims $10M from ISAC support. First cut to the threat-sharing network that watches school and local-government systems.
SEPT 30, 2025: Federal MS-ISAC funding ends. The DHS cooperative agreement expires. The $1B state-and-local cyber grant program lapses the same day.
OCT 1, 2025: Free becomes a fee. MS-ISAC moves to paid membership, from about $1,495 a year. Federal grants can’t cover the dues.
NOV 2025: Revived on paper. A shutdown deal extends the grant program into 2026, but appropriates no new grant money.
THROUGH 2025–26: Fewer federal hands. CISA loses roughly a third of its staff. The Education Department closes its educational-technology office.

Sources: The Record, StateScoop, StateTech Magazine, Cybersecurity Dive, 2025–2026 reporting.

Meanwhile, the attackers kept their schedule

The raw count of school ransomware incidents did not explode in 2025. It roughly plateaued, which sounds like good news until you look at what changed inside the number. Researchers at Comparitech confirmed 96 ransomware attacks on US K-12 schools in 2025, almost triple the 34 confirmed against colleges and universities. Across confirmed education attacks, exposed records climbed 27 percent to 3.9 million.

One gang explains a lot of that growth. Interlock claimed two K-12 attacks in 2024. In 2025 it claimed seventeen, including a breach at Georgia’s Cherokee County School District that exposed 46,000 records. The group’s specialty is the part that should worry parents most: it often doesn’t bother encrypting anything. It steals the student records and threatens to publish them.

96 vs. 34: Confirmed US ransomware attacks in 2025, K-12 districts versus colleges and universities. Schools with the thinnest IT staffing drew nearly three times the confirmed attacks of higher education.
Source: Comparitech confirmed-attack tracking, reported by Government Technology, 2026.

That extortion-first model is why the vendor breaches sting twice. When PowerSchool was breached in December 2024, the company paid the hackers to delete the data. Months later, individual districts started getting their own ransom emails, built on the very records that were supposedly destroyed. Roughly 62 million students were in that dataset. And this spring the pattern repeated at even larger scale when ShinyHunters hit Instructure’s Canvas platform; we broke down that incident in our Canvas hack post. The lesson a year of vendor breaches has taught every district: your data lives in other people’s buildings, and their breach becomes your ransom note.

Figure 02 · Who got hit in 2025
Confirmed US ransomware attacks on education, 2025: K-12 schools 96; colleges & universities 34.
Claimed K-12 attacks by the Interlock gang: 2 in 2024, 17 in 2025, including a 46,000-record breach at Cherokee County, Georgia.

Source: Comparitech confirmed-attack data via Government Technology; Interlock claims tracked across 2024–2025.

The honest wrinkle: schools were getting better at this

Here is the part of the story that rarely makes the headline. By the numbers, schools spent 2025 improving. Sophos surveyed hundreds of education organizations hit by ransomware and found average recovery costs in lower education fell from $3.76 million to $2.20 million year over year. Median ransom demands dropped from $3.85 million to about $1 million. More districts restored from backups instead of paying.

Those gains came from unglamorous work: better backups, multi-factor authentication, incident plans that existed on paper before the bad day. But a lot of that work was scaffolded by exactly the things that just disappeared: free MS-ISAC monitoring, grant-funded assessments, federal advisors who would review a district’s plan for nothing. The next two years will test whether the improvement was structural or rented. A district that built habits keeps them. A district that depended on a free service it never had to think about is about to find out which kind it was.

A 9-year-old’s Social Security number is a clean credit file that nobody checks for a decade. That is exactly why gangs stopped bothering to encrypt and started simply taking.

Why this lands harder on schools than anyone else

Three structural facts make districts the softest target in the public sector. First, staffing: CoSN’s surveys have found that nearly 70 percent of districts have fewer than five IT staff, and many of those teams spend their days on Chromebook carts and bell schedules, not threat hunting. Second, budgets: among state and local organizations broadly, about 22 percent dedicate zero dollars specifically to cybersecurity. A district can’t raise prices or cut a product line to fund a security hire. The money comes out of the same pot as teachers and buses.

Third, and this is the one that changes how you should think about the whole problem: the data itself. A stolen credit card dies in a day. A child’s stolen identity can sit unused until they apply for their first student loan. The GAO’s review of school cyberattacks found districts lost three days to three weeks of learning after an attack, took two to nine months to fully recover, and ate direct costs from $50,000 to $1 million. The learning loss makes the news. The identity theft surfaces years later, quietly, one rejected loan application at a time.

Figure 03 · The bill that lands on a district
3 days–3 weeks of class time lost while systems are down (GAO)
2–9 months to fully recover systems and records (GAO)
$50K–$1M in direct losses reported by attacked districts (GAO)
$2.20M average recovery bill in lower ed, down from $3.76M (Sophos 2025)

Sources: US Government Accountability Office; Sophos, The State of Ransomware in Education 2025.

A district playbook that doesn’t need a federal check

If you run technology for a district, or you sit on a school board deciding what to fund, the question is no longer “what does the federal government cover?” It covers very little. The honest question is what buys the most protection per dollar of local money. Our answer, in rough priority order:

Make the MS-ISAC decision on purpose. For most small districts, $1,495 is still the cheapest threat intelligence available anywhere, and nonprofit gap funding kept some services running through the transition. If you decide to skip it, decide who reads threat alerts instead. K12 SIX, the K-12-specific information sharing group, costs less than a classroom projector and was built for exactly this moment. Going without either is a choice; make it consciously, not by letting the renewal lapse.

Put MFA on staff email and the student information system before anything else. Most district incidents start with one phished staff credential, the same pattern we documented in dental and medical offices in our practice ransomware guide. One stolen login becomes payroll fraud, then lateral movement, then a leak site post with your students’ names on it.

Keep one backup the attacker can’t reach. Offline or immutable, and test-restored on a schedule someone’s name is attached to. The districts in the Sophos data that recovered cheaply were overwhelmingly the ones that restored instead of negotiated.

Give the business office a callback rule. Any change to vendor banking details or payroll direct deposit gets verified by phone, on a number you already had. This costs nothing and kills the single most expensive attack a district faces.

Drill people like you drill fire. The federal tabletop exercises and free training programs were among the first things cut, so the practice reps now have to come from somewhere else. Regular phishing simulations for staff, with a kind teachable moment instead of a wall of shame, build the one reflex that holds up when the technology fails. Our 30-day simulation plan was written for small businesses, and it maps onto a district office almost line for line.

Inventory your vendors. PowerSchool and Canvas were the loudest reminders that a district’s biggest breach may happen on someone else’s servers. List every vendor that holds student data. Ask each one two questions: do your employees use phishing-resistant MFA, and what exactly do you commit to telling us, and how fast, if you’re breached?

For parents: assume the records are already out there

The era of borrowed muscle is over

For twenty years, the deal was implicit: schools ran thin IT shops, and the federal government supplied the missing muscle for free. That deal ended in the span of about twelve months, with no replacement on the schedule and a reauthorization bill still waiting on the Senate. Some states are stepping in to cover memberships. Most districts are simply absorbing the gap.

The encouraging part is that the defenses that actually moved the numbers in 2025 were never federal. They were local and mostly cheap: a second factor on a login, a backup nobody can touch, a phone call before money moves, a staff that has seen a fake before the real one arrives. Districts that build those habits will be fine without the safety net. The ones that don’t will be the line items in next year’s confirmed-attack count.

Your staff is the security budget you already have.


Frequently asked questions

Did the federal government really stop funding school cybersecurity?

Largely, yes. The DHS cooperative agreement that funded the Multi-State Information Sharing and Analysis Center (MS-ISAC) ended on September 30, 2025, after an earlier $10 million cut in March. The $1 billion State and Local Cybersecurity Grant Program lapsed the same day; a November continuing resolution revived its authority into 2026 but added no new grant money. CISA has also lost roughly a third of its workforce since early 2025, and the Department of Education closed its Office of Educational Technology.

What is MS-ISAC and why does the new fee matter for schools?

MS-ISAC is the threat-sharing network that for nearly two decades gave state and local governments, including school districts, free threat intelligence, malicious-domain blocking, network monitoring, and incident response coordination. After federal funding ended, it moved to a paid membership model on October 1, 2025, starting around $1,495 a year for small organizations. Federal cyber grant dollars cannot be used to pay the dues, so districts must find the money in their own budgets or go without those services.

Are ransomware attacks on schools going up or down?

The number of confirmed attacks roughly plateaued in 2025, but the damage shifted. Confirmed US K-12 ransomware incidents (96) outnumbered higher education incidents (34) by almost three to one, and the number of records exposed across confirmed education attacks rose 27 percent to 3.9 million. Gangs increasingly skip encryption and simply steal student data to extort districts, the same pattern seen in the PowerSchool and Canvas vendor breaches.

What should parents do after a school data breach?

Freeze your child’s credit with all three bureaus (Equifax, Experian, and TransUnion); it is free and blocks new accounts from being opened with a stolen Social Security number. Treat any email or text that references your child’s real school, teacher, or schedule with suspicion, since stolen records make scam messages look authentic. Ask the district which vendors hold your child’s data and whether staff accounts require multi-factor authentication.

What is the cheapest way for a district to cut ransomware risk quickly?

Three controls cover most of the risk for very little money: multi-factor authentication on staff email and the student information system, offline or immutable backups that get test-restored on a schedule, and regular phishing drills with a callback rule for any payment or banking change in the business office. Most district incidents begin with one phished staff credential, so the human layer is where small budgets buy the most protection.
