In March 2025, Cherokee County School District (CCSD) in the US fell victim to a ransomware attack by the Interlock group. The attack disrupted systems for a week, crippling operations and forcing class cancellations. The attackers allegedly exfiltrated 624 GB of sensitive data, and the breach was later confirmed to affect 46,119 individuals, including students, staff, and possibly parents. It exposed personal records, financial details, and internal documents, raising concerns over identity theft and fraud. The district engaged cybersecurity firm Arete for forensic analysis (costing over $21,700), but the long-term repercussions, such as reputational damage, legal liabilities, and operational recovery costs, remain unresolved. The attack underscores the education sector’s vulnerability to targeted ransomware campaigns, with threat actors exploiting weak security protocols to extract high-value data for extortion.
TPRM report: https://www.rankiteo.com/company/cherokee-county-schools
"id": "che2692926103025",
"linkid": "cherokee-county-schools",
"type": "Ransomware",
"date": "3/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '46,119',
'industry': 'Education',
'location': 'US',
'name': 'Cherokee County School District (US)',
'type': 'K-12 School District'},
{'customers_affected': '43,451',
'industry': 'Education',
'location': 'Japan',
'name': 'Tokai University (Japan)',
'type': 'University'},
{'customers_affected': '35,000',
'industry': 'Education',
'location': 'US',
'name': 'Madison Elementary School District 38 (US)',
'type': 'K-12 School District'},
{'customers_affected': '33,342',
'industry': 'Education',
'location': 'US',
'name': 'Institute of Culinary Education (US)',
'type': 'Vocational School'},
{'customers_affected': '31,475',
'industry': 'Education',
'location': 'US',
'name': 'School District Five of Lexington and '
'Richland Counties (US)',
'type': 'K-12 School District'},
{'customers_affected': '20,665',
'industry': 'Education',
'location': 'US',
'name': 'Baltimore City Public Schools (US)',
'type': 'K-12 School District'},
{'customers_affected': '8,592',
'industry': 'Education',
'location': 'US',
'name': 'Kalamazoo Public Schools (US)',
'type': 'K-12 School District'},
{'customers_affected': '3,959',
'industry': 'Education',
'location': 'US',
'name': 'Prince George County Public Schools (US)',
'type': 'K-12 School District'},
{'customers_affected': '2,928',
'industry': 'Education',
'location': 'US',
'name': 'Christian Brothers Academy (US)',
'type': 'Private School'},
{'customers_affected': '1,524',
'industry': 'Education',
'location': 'US',
'name': 'Riverdale Country School (US)',
'type': 'Private School'},
{'industry': 'Education',
'location': 'US',
'name': 'Halifax County Public Schools (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'US',
'name': 'Harvard University (US)',
'type': 'University'},
{'industry': 'Education',
'location': 'US',
'name': 'Kearney Public Schools (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'US',
'name': 'North Stonington Public Schools (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'South Africa',
'name': 'Wits University (South Africa)',
'type': 'University'},
{'industry': 'Education',
'location': 'Japan',
'name': 'Higashiyama Junior and Senior High School '
'(Japan)',
'type': 'K-12 School'},
{'industry': 'Education',
'location': 'Japan',
'name': 'Ryutsu Keizai University (Japan)',
'type': 'University'},
{'industry': 'Education',
'location': 'Taiwan',
'name': 'Asia University (Taiwan)',
'type': 'University'},
{'industry': 'Education',
'location': 'US',
'name': 'Fall River Public Schools (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'US',
'name': 'Franklin Pierce Schools (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'US',
'name': 'Laurens County School District 56 (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'France',
'name': 'Ensemble scolaire La Salle (France)',
'type': 'Private School'},
{'industry': 'Education',
'location': 'Nigeria',
'name': 'Achievers Journal of Scientific Research '
'(Nigeria)',
'type': 'Research Institution'},
{'industry': 'Education',
'location': 'UK',
'name': 'Kido Nurseries and Preschools (UK)',
'type': 'Early Education'},
{'industry': 'Education',
'location': 'UK',
'name': 'Derby High School (UK)',
'type': 'Secondary School'},
{'industry': 'Education',
'location': 'UK',
'name': 'Melland High School (UK)',
'type': 'Secondary School'},
{'industry': 'Education',
'location': 'US',
'name': 'University of Oklahoma (US)',
'type': 'University'},
{'industry': 'Education',
'location': 'US',
'name': 'Aurora Public Schools (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'US',
'name': 'Williamsburg-James City County Schools (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'Australia',
'name': 'University of Notre Dame (Australia)',
'type': 'University'},
{'industry': 'Education',
'location': 'Chile',
'name': 'Saint George’s College (Chile)',
'type': 'Private School'},
{'industry': 'Education',
'location': 'Switzerland',
'name': 'University of Applied Sciences and Arts '
'Northwestern FHNW (Switzerland)',
'type': 'University'},
{'industry': 'Education',
'location': 'Spain',
'name': 'Real Academia Española (Spain)',
'type': 'Academic Institution'},
{'industry': 'Education',
'location': 'Australia',
'name': 'Belmont Christian College (Australia)',
'type': 'Private College'},
{'industry': 'Education',
'location': 'Australia',
'name': 'Loyola College (Australia)',
'type': 'College'},
{'industry': 'Education',
'location': 'US',
'name': 'Aztec Municipal School District (US)',
'type': 'K-12 School District'},
{'industry': 'Education',
'location': 'US',
'name': 'Central Point School District 6 (US)',
'type': 'K-12 School District'}],
'attack_vector': ['social engineering', 'unknown (varied by attack)'],
'customer_advisories': ['Notices sent to affected individuals in confirmed '
'breaches (e.g., Institute of Culinary Education '
'notified 33,342 victims).'],
'data_breach': {'data_encryption': 'yes (ransomware)',
'data_exfiltration': 'yes (~233 TB allegedly stolen across '
'all attacks)',
'number_of_records_exposed': '227,214 (confirmed)',
'personally_identifiable_information': 'yes',
'sensitivity_of_data': 'high (includes PII, student records, '
"and in some cases, children's "
'photographs)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'student/employee records',
'financial data (in some cases)',
'photographs (e.g., Kido '
'nurseries)']},
'date_detected': '2025-01-01',
'description': '180 ransomware attacks were recorded in the education sector '
'during the first nine months of 2025, marking a 6% increase '
'from the same period in 2024. The attacks resulted in system '
'downtime, canceled classes, and data theft, with an average '
'of 2.6 TB stolen per attack. The US was the most targeted '
'country (95 attacks), followed by the UK (11), France (9), '
'Australia (7), Brazil (5), and Spain (5). Ransomware strains '
'like Qilin, Fog, SafePay, Interlock, and INC were the most '
'prevalent. The average ransom demand was $444,400, with '
'227,214 records breached in confirmed attacks.',
'impact': {'brand_reputation_impact': ['high (e.g., Kido nurseries '
'controversy in UK)'],
'data_compromised': '227,214 records (confirmed); ~233 TB total '
'data allegedly stolen',
'downtime': ['days to weeks (varied by attack)'],
'identity_theft_risk': ['high (PII exposed in multiple breaches)'],
'operational_impact': ['canceled classes',
'network disruptions',
'phone/internet outages'],
'systems_affected': ['networks',
'class scheduling systems',
'student/employee databases']},
'initial_access_broker': {'data_sold_on_dark_web': ['yes (e.g., Kido '
'nurseries data published '
'by Radiant)'],
'entry_point': ['social engineering (e.g., Madison '
'Elementary School District)',
'unknown (varied by attack)'],
'high_value_targets': ['student databases',
'financial records',
'research data '
'(universities)']},
'investigation_status': 'ongoing (some attacks confirmed, others unconfirmed; '
'investigations vary by institution)',
'lessons_learned': ['Education sector remains a prime target for ransomware '
'due to perceived weaker cybersecurity defenses and '
'high-value data.',
'Social engineering (e.g., Madison Elementary School '
'District) is a common initial access vector.',
'Delayed public disclosure of breaches complicates '
'real-time threat tracking.',
'Ransomware gangs like Interlock and Crazy Hunter are '
'highly active, with some specializing in education '
'sector targets.',
'Data exfiltration is nearly universal in these attacks, '
'increasing risks of identity theft and reputational '
'harm.'],
'motivation': ['financial gain', 'data theft', 'disruption'],
'post_incident_analysis': {'corrective_actions': ['Strengthening access '
'controls and '
'authentication mechanisms.',
'Improving employee '
'training on phishing and '
'social engineering.',
'Enhancing network '
'segmentation and '
'monitoring.',
'Investing in third-party '
'incident response services '
'(e.g., Arete).',
'Implementing stricter data '
'encryption and backup '
'protocols.'],
'root_causes': ['Inadequate cybersecurity defenses '
'(e.g., lack of MFA, unpatched '
'systems).',
'Successful social engineering '
'attacks (e.g., phishing).',
'Delayed detection and response to '
'breaches.',
'Targeting of high-value data '
'(PII, student records).']},
'ransomware': {'data_encryption': 'yes',
'data_exfiltration': 'yes (~233 TB allegedly stolen)',
'ransom_demanded': ['$1.5M (Asia University, Taiwan by Crazy '
'Hunter)',
'$400,000 (Fall River Public Schools, US '
'by Medusa)',
'$400,000 (Franklin Pierce Schools, US by '
'Medusa)',
'$320,000 (Laurens County School District '
'56, US by Medusa)',
'$8,300 (Ensemble scolaire La Salle, '
'France by unknown hackers)',
'$5,000 (Achievers Journal of Scientific '
'Research, Nigeria by Funksec)'],
'ransom_paid': ['unknown (mostly unconfirmed); $8,300 demand '
'in France was not paid'],
'ransomware_strain': ['Qilin (24 attacks)',
'Fog (18 attacks)',
'SafePay (17 attacks)',
'Interlock (13 attacks, 8 confirmed)',
'INC (12 attacks)',
'Medusa (multiple attacks)',
'Cloak (Baltimore City Public Schools)',
'RansomHub (Riverdale Country School)',
'Crazy Hunter (Asia University)',
'Payouts King (Institute of Culinary '
'Education)',
'Radiant (Kido nurseries)',
'Kairos (Derby High School, Melland High '
'School)']},
'recommendations': ['Implement multi-factor authentication (MFA) and endpoint '
'detection/response (EDR) tools to mitigate social '
'engineering risks.',
'Conduct regular security awareness training for staff '
'and students.',
'Develop and test incident response plans, including '
'partnerships with third-party forensic firms (e.g., '
'Arete).',
'Segment networks to limit lateral movement by attackers.',
'Enhance backup strategies to ensure rapid recovery '
'without paying ransoms.',
'Monitor dark web for stolen data to proactively address '
'breaches.',
'Comply with regulatory disclosure requirements to avoid '
'legal penalties.'],
'references': [{'date_accessed': '2025-10-01',
'source': 'Comparitech',
'url': 'https://www.comparitech.com/blog/information-security/education-ransomware-attacks/'}],
'regulatory_compliance': {'regulations_violated': ['potential GDPR (UK/EU), '
'FERPA (US), and other '
'local data protection '
'laws'],
'regulatory_notifications': ['mandatory disclosures '
'in US (where '
'thresholds met)']},
'response': {'communication_strategy': ['public disclosures (where required '
'by law, e.g., US)'],
'incident_response_plan_activated': ['yes (e.g., Madison '
'Elementary School District '
'enlisted Arete for '
'forensic analysis)'],
'third_party_assistance': ['Arete (for Madison Elementary School '
'District)']},
'stakeholder_advisories': ['Public disclosures by affected institutions '
'(where legally required); advisories from '
'cybersecurity firms like Comparitech.'],
'threat_actor': ['Qilin',
'Fog',
'SafePay',
'Interlock',
'INC',
'Medusa',
'Cloak',
'RansomHub',
'Crazy Hunter',
'Payouts King',
'Radiant',
'Kairos',
'Funksec',
'unknown hackers'],
'title': 'Ransomware Attacks on the Education Sector (Q1-Q3 2025)',
'type': ['ransomware', 'data breach', 'system disruption']}