Ransomware scumbags say they deleted kids' info after other gangs called them out

A ransomware crew that posted pictures and addresses of preschool children in an effort to get a payday has now deleted the data, apparently under pressure from other criminals.

Last month, an extortion gang calling itself the Radiant Group stole data from Kido International, a school for young children with branches in the UK, US, and India. They then posted unblurred pictures of 10 children, along with their addresses, parents' names, and other personal data, and threatened to expose more if a ransom wasn't paid.

Parents of some children claimed to have received threatening calls after Radiant published the data. London's Metropolitan Police investigators are following up on the case.

But now, Radiant says it removed the child data it had posted after receiving pressure from other ransomware groups. It seems they crossed a line in the criminal world and backed down when called out for it.

Rebecca Taylor, a threat intelligence knowledge manager at security biz Sophos, tells The Register that the crew was called out by the well-established ransomware-as-a-service Nova gang on the Russian Anonymous Market Place (RAMP), an online souk for cybercriminals. One of Nova's affiliate members, going under the handle BlackBeard, told Radiant, "reputation important, don't attack child right."

"We have disabled any attacks relating to them, is not allowed anymore," Radiant answered, and added, "Any data relating to under 18s who attended have been deleted." BlackBeard congratulated them and wished the extortionists good luck for the future and Nova offered to help in future raids.

Radiant backs down, sort of - Click to enlarge

Radiant claimed to have information on over 8,000 children enrolled at Kido, as well as their family, teachers, and staff.

Kido declined to comment at the time of publication, but told The Guardian that it was following advice from authorities that discourages paying ransom payments, and is working on investigating and confirming the data has been deleted.

• Callous crims break into preschool network, publish toddlers' data
• Ransom gang claims attack on NHS Alder Hey Children's Hospital
• Ransomware crooks now SIM swap executives' kids to pressure their parents
• Banned Tornado Cash code reuploaded to GitHub in free speech test

Taylor told us that the Radiant Group seems to be new script kiddies on the block and have overstepped themselves, and are now trying to make nice with the rest of the criminal community.

"If you consider the conversation that they've had openly with other ransomware groups, they are worrying about how they're perceived by these groups, because collaboration is really important," she said. "I think they're a group to be concerned about in the future."

Radiant only appeared on criminal forum boards at the end of September, she said, and Kido appears to be the group's first victim. But Nova has a strong presence on RAMP and getting a public slapdown appears to have changed Radiant's tactics.

"There is a moral code and a moral compass in underground forums," Taylor said. "I think they're seeing the harsh realities of that, which is why they're now having to react." ®