{
	"id": "a5dffe4c-4a40-4ad3-9dd7-a95a49426f50",
	"created_at": "2026-04-06T00:14:11.474411Z",
	"updated_at": "2026-04-10T03:20:24.703216Z",
	"deleted_at": null,
	"sha1_hash": "85afc75d170ad9a0e99680d30ff373890a173225",
	"title": "Russia-linked cybercriminals target school for children with learning difficulties",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90917,
	"plain_text": "Russia-linked cybercriminals target school for children with\r\nlearning difficulties\r\nBy Alexander Martin\r\nPublished: 2023-08-02 · Archived: 2026-04-02 10:39:33 UTC\r\nThe LockBit ransomware group, potentially the world’s most prolific cybercrime organization, is attempting to\r\nextort a school for children with special educational needs.\r\nWest Oaks School, in Leeds, England, has a capacity for 440 pupils between the ages of 2 and 19. It was listed on\r\nthe gang’s darknet site on July 31 alongside a notice that the school had two weeks to make a ransom payment or\r\nthe purportedly stolen data would be published.\r\nThe school — which is currently on its summer break — specializes in education for children “with a wide range\r\nof needs including profound, multiple, and complex conditions, autistic spectrum conditions and severe learning\r\ndifficulties.”\r\nIt is not clear what information, if any, was stolen from the school, nor whether its computer network had been\r\nencrypted. As is typical, the listing simply claims “all available data will be published.”\r\nThe day before publication, Recorded Future News emailed the school’s generic contact address, and emailed\r\nheadteacher Andrew Hodkinson, as well as the chair of its governing body, John Hayton, to ask for a statement\r\nregarding whether teachers, parents, and regulators had been informed about the incident. These emails, and a\r\nmessage left on the school’s phone system, were not answered.\r\nWest Oaks is the latest educational establishment in Britain to face a ransomware incident, with a large number of\r\nattacks prompting repeated warnings from cyber authorities in recent years.\r\nBritain’s National Cyber Security Centre (NCSC) first issued an alert to British schools about ransomware attacks\r\nin September 2020 warning of “an increased number of ransomware attacks affecting education establishments in\r\nthe U.K., including schools, colleges, and universities.”\r\nThe alert page states that it has been updated several times since then due to further ransomware attacks.\r\nThe NCSC continued to reference an increase in attacks earlier this year when it published a survey finding that\r\n“despite an increase in the number of ransomware attacks” schools were becoming “better prepared” to deal with\r\nthese incidents. This preparation includes protecting IT networks but also focusing on a quick recovery from the\r\nincident itself.\r\nAsked previously about the number of attacks impacting schools in the United Kingdom, a spokesperson for the\r\nDepartment for Education told The Record the department monitors cybersecurity incidents closely and that there\r\nis no evidence to suggest attacks are on the rise.\r\nhttps://therecord.media/russian-cybercriminals-target-uk-school\r\nPage 1 of 3\n\nThis year has seen multiple incidents affecting Tanbridge House School in West Sussex, Wymondham College in\r\nNorfolk — the largest state boarding school in the country — and Guildford County School in Surrey, where the\r\nextortionists appeared to leak safeguarding reports, sensitive internal documents teachers write to record\r\ninformation about at-risk students.\r\n“Cyber-attacks on schools undermine the hard work of school leaders and are completely unacceptable,” said the\r\nspokesperson for the Department for Education, adding that they provide a risk protection arrangement to more\r\nthan 9,500 schools throughout England. The program includes cover for cyber incidents as well as access to a 24/7\r\nincident response service.\r\nLockBit, the gang behind the attack on West Oaks School, was also behind the attack on Royal Mail earlier this\r\nyear.\r\nThe LockBit model\r\nThe LockBit brand itself was first observed on Russian-language cybercrime forums in January 2020 and, as of\r\n2022, was responsible for more attacks on U.S. government offices — one in six — than any other group.\r\nA joint cybersecurity advisory on the group circulated in June by authorities in the U.S., United Kingdom, France,\r\nGermany, Canada, Australia and New Zealand, described LockBit as the “most deployed ransomware variant\r\nacross the world.”\r\nThe 30-page advisory explains how LockBit “functions as a Ransomware-as-a-Service (RaaS) model where\r\naffiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure,” with\r\nthe main gang taking a cut of the affiliates’ earnings.\r\nThe gang previously apologized after encrypting the network of Canada’s largest children’s hospital and then\r\noffered the hospital the decryptor for free, although even with the decryptor available the incident still delayed\r\npatient care.\r\nIt was not the first time a ransomware group offered a decryptor to a hospital after an attack. Both the Conti and\r\nDoppelPaymer ransomware gangs offered free decryptors following massive attacks on Ireland's healthcare\r\nsystem and Helios University Hospital, respectively.\r\nEven with the decryptor — and after proving that it was found to be viable and effective — the work to recover\r\nIreland’s entire healthcare network was a “significant undertaking,” as explained by its interim chief technology\r\nofficer, John Ward.\r\n“Despite having the key, it still took us four months to recover 99% of the systems. I couldn't tell you, had we not\r\nhad that key, how long it would have taken.”\r\nhttps://therecord.media/russian-cybercriminals-target-uk-school\r\nPage 2 of 3\n\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/russian-cybercriminals-target-uk-school\r\nhttps://therecord.media/russian-cybercriminals-target-uk-school\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/russian-cybercriminals-target-uk-school"
	],
	"report_names": [
		"russian-cybercriminals-target-uk-school"
	],
	"threat_actors": [],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85afc75d170ad9a0e99680d30ff373890a173225.pdf",
		"text": "https://archive.orkl.eu/85afc75d170ad9a0e99680d30ff373890a173225.txt",
		"img": "https://archive.orkl.eu/85afc75d170ad9a0e99680d30ff373890a173225.jpg"
	}
}