"A new low!": Nursery hackers and the shocking evolution of amorality
Cybersecurity professionals horrified as threat actors publish pictures of innocent children and families' "sensitive" data.
The internet has always been a dark place and there are no signs that things are getting better.
More than a decade ago, a teenager linked to a famous hacktivist group warned that the digital world is "devoid of empathy".
Today, that halcyon world of lols and lulz looks almost quaint in its innocence after threat actors plumbed new depths of depravity with an attack on a nursery chain, followed by the publication of children's pictures and "sensitive" data.
A gang called the Radiant Group has compromised a childhood education network with schools in the UK, US and India. We have decided not to name the company for legal reasons.
In a statement attributed to the crooks, they said: "Despite us giving discounts and us not leaking their name to resolve the issue, [the nursery chain] continues to be non-compliant with us.
"We currently possess sensitive data on over 1000+ children (they know the exact number), along with their parents and relatives, all employees and company data."
Pictures of five children and their families' PII (Personally Identifiable Information) have now been published. It appears as if the gang has issued a ransomware request, which has not been paid.
"They know exactly where to contact us, but they are a disgraceful company that fails to care about their own customers' data," the hackers added. "They also know we possess even more sensitive information on every child, which at the moment we will not leak. And lastly, they are aware that this will fully ruin their entire company as we slowly leak, and we urge them to continue our dialogue."
Leave the kids alone...
The news of an attack involving innocent children has shocked the cybersecurity sector.
Graeme Stewart, head of public sector at Check Point Software, said, “This is an absolute new low. These attacks follow a familiar playbook: breaking in, stealing data and deploying ransomware. The use of children’s images and details takes it to a shocking level.
"Cybercriminals are driven by money, not morals. They do not care if the collateral damage is a preschool, a hospital or a global company. To deliberately put children and schools in the firing line is indefensible. Frankly, it is appalling.
"This takes away any romantic notion of hackers and shows the reality of pure criminality. In every hack, it is people who suffer: families missing flights and funerals due to aviation disruption, shoppers losing money through retail breaches, or children having their images exploited.
"In conventional warfare, even the Geneva Convention recognises the principle of protecting non-combatants. Here, cybercriminals show no ethics, no standards and no limits. It is another stark illustration of the race to the bottom and a reminder that all organisations, particularly those entrusted with protecting the most vulnerable, must have the planning, support and resilience in place to withstand attacks of this nature."
READ MORE: "Businesses aren’t taking it seriously": Why attackers love phones more than laptops
Security professionals predicted that the attack could actually backfire on the ransomware industry as a whole, making victims less likely to engage with demands for payments.
Dray Agha, senior manager of security operations at Huntress: “This represents a reprehensible erosion of any remaining boundaries in the cybercriminal ecosystem. By weaponising the personal data of infants and toddlers, this group has sunk to a depth that even other threat actors may condemn.
"From a negotiation standpoint, this attack effectively burns a bridge for the entire ransomware industry. Engaging with a group that demonstrates such blatant disregard for human decency is now an intolerable risk for any organisation.
"This action will likely harden the stance of both victims and law enforcement, making productive negotiations, even in extreme circumstances, almost impossible. It signals that some groups are now purely opportunistic predators, and the only viable strategy is to invest heavily in security prevention and rendering their tactics ineffective."
"There are no words!"
It is highly unusual for ransomware gangs to publish pictures of kids in order to extort a payment - but not necessarily surprising due to the financial rewards on offer to any criminals willing to push the bounds of morality.
Rebecca Moody, Head of Data Research at Comparitech: "This is a new ransomware group, and as this is its only claim, I'd normally remain quite sceptical until we can confirm or corroborate the attack through the entity involved. However, due to the nature of the data posted along with the claim, this attack instantly raises alarm bells.
"We've seen some low claims from ransomware gangs before, but this feels like an entirely different level. Using preschool children as "bait" to try and secure a ransom--well, quite frankly, there are no words. However, it does serve as a stark warning that, as the ransomware landscape changes and evolves, hackers will constantly push the boundaries in a bid to make money.
READ MORE: "Your role has been eliminated!": What it's like to lose your corporate job to AI
"And, let's face it, even if the company involved has secured its systems and removed the threat, the pressure it now faces to have these pictures and the data removed from the gang's data leak site is immense."
The attack has raised fears that parents will also be hit with ransom demands in order to have their child's image and data deleted.
"While we can warn those impacted to be on high alert for any phishing messages and monitor accounts for unauthorised activity, we can do little to ease the vulnerability they'll no doubt feel as their children's pictures circulate online along with their home addresses," Moody added.
Stealing from innocents
Unfortunately, cybercriminals are likely to continue to hit "soft" targets like nursery companies with relatively weak defences.
In the future, the use of automated tools and AI agents is likely to make the situation worse as the last faint traces of empathy are removed from the threat landscape, leading to attacks carried out with minimal human involvement.
Amorality is not a bug, but a feature of the modern internet. It's not going away.
Martin Kraemer, CISO advisor at KnowBe4: "When cybercriminals target schools and childcare providers, they are deliberately going after the most vulnerable members of our society. Such attacks reveal a complete absence of ethical or societal consideration. This breach marks yet another low point and should serve as a massive wake-up call — not only for the organisation involved, but also for parents and regulators.
"Threat actors have previously gone after schools and nurseries across the UK. In some cases, ransoms were paid and the stolen data was never published, but this offers little reassurance. What is more concerning is that, if such data is published, it becomes gold dust for ruthless attackers.
READ MORE: Bad dates: Criminals weaponise calendar invites to sneak phishing lures past email defences
"We have seen early warnings of this risk before. In 2016, customers of a babycare retailer received invitations to participate in a fake online survey after customer data was accidentally released via a test server exposed to the internet. This demonstrates how quickly criminals can pivot from a breach to targeted scams. One can only imagine the exploitation potential when the data relates directly to children and their families.
"The extreme vulnerability of children — combined with parents’ profound sense of responsibility and duty of care — creates a uniquely dangerous leverage point for attackers. Parents must be informed immediately by the platform provider and equipped with practical knowledge about the cyber risks they may now face.
"The provider, in turn, must exercise the utmost duty of care. This includes briefing parents on possible threats and the potential fallout from the incident. For instance, criminals could deploy social engineering tactics, such as sending parents convincing deepfake videos portraying their children in danger or distress, in order to extort money. It is an act of almost unimaginable cruelty — but precisely because it is possible, it must be anticipated and guarded against."
