Save the Children hit by ransomware, 7TB stolen

A new low, even for these lowlifes

Updated Cybercrime crew BianLian says it has broken into the IT systems of a top nonprofit and stolen a ton of files, including what the miscreants claim is financial, health, and medical data.

As highlighted by VX-Underground and Emsisoft threat analyst Brett Callow earlier today, BianLian bragged on its website it had hit an organization that, based on the gang's description of its unnamed victim, looks to be Save The Children International. The NGO, which employs about 25,000 people, says it has helped more than a billion kids since it was founded in 1919.

BianLian added that its victim, "the world's leading nonprofit," operates in 116 countries with $2.8 billion in revenues. The extortionists claim to have stolen 6.8TB of data, which they say includes international HR files, personal data, and more than 800GB of financial records. They claim to also have email messages as well as medical and health data.

Presumably BianLian intends to leak or sell this info if a ransom demand is not met. The NGO did not immediately respond to The Register's inquiries.

The Register has not been able to verify all of the crooks' claims. But we tend to agree with VX-Underground, which opined: "BianLian ransomware group needs to be punched in the face." And while breaking into and extorting a nonprofit whose focus is to make children "healthier, safer and better educated" seems beneath even the most tragic of cyber-criminals, it's pretty much par for the course with BianLian.

The crew, which has been around since June 2022, has made a name for itself by targeting healthcare and critical infrastructure sectors. 

While BianLian started off as a double-extortion ransomware crew — steal data, encrypt systems, and threaten to leak files and not provide a decryption key unless the victim pays a ransom — earlier this year, they shifted to pure extortion, as before but minus the encryption, according to government and private-sector threat hunters. 

The operators typically use Go, a newer programming language, to get around some endpoint protection tools. In May, the US and Australian law enforcement and cyber security agencies issued a joint statement warning organizations to "strictly limit the use of RDP and other remote desktop services" to avoid BianLian infections and extortion attempts.

The alert also detailed the gang's indicators of compromise along with its tactics, techniques and procedures observed as recently as March.

And while we don't know how the criminals broke into Save The Children, now's a good time to review the Feds' advice [PDF] and shore up your remote-desktop security to avoid becoming the next victim on BianLian's list. ®

Updated to add

Save the Children has confirmed someone broke into its computer systems, understood to be BianLian. In a statement, the nonprofit told us:

Save the Children International recently experienced an IT incident involving unauthorised access to part of our network. There has been no operational disruption and the organisation continues to function as normal to build a better future for children across the world.

We are working hard with external specialists to understand what happened and what data was impacted so we can take all the appropriate next steps. This process is complex and takes time, but remains our absolute priority. Our systems are also secured, and we are confident in the ongoing integrity of our IT infrastructure.

These types of incidents are a reality that all organisations face, but it is disappointing that Save the Children, whose core purpose is to help those most in need, is also subject to such unwarranted activity. Our investigation is ongoing, and we will continue to work with the relevant authorities. We will get to the bottom of this, and we thank all our staff and supporters for their patience and understanding in the meantime.

More about


Send us news

Other stories you might like