Attacks and the school year
The school calendar has predictable windows of elevated risk. Ransomware operators are known to time attacks to maximise pressure on schools.
Late August to early September and January (return from Christmas break) are historically the most common periods for ransomware deployment against UK schools.
September (back to school)
Historically the most common ransomware deployment window for UK schools. New academic year also brings new staff accounts and fresh phishing opportunities
December to January (Christmas break)
Second extended period of reduced monitoring. January return is a secondary common deployment moment.
May to July (exam season)
Exam deadlines create maximum leverage. Attackers who gained access earlier may trigger encryption during this window.
July to August (summer holidays)
IT teams are absent or reduced. Attackers establish persistence, map networks and exfiltrate data undetected before triggering the attack at September return.
Throughout the year
Phishing, credential stuffing and automated scanning are continuous. BEC fraud peaks when schools process supplier payments.