Article Details
Scrape Timestamp (UTC): 2025-10-06 13:23:11.411
Source: https://www.theregister.com/2025/10/06/radiant_group_hospital/
Original Article Text
Radiant Group won't touch kids' data now, but apparently hospitals are fair game.
Ransomware crooks utterly fail to find moral compass.
First they targeted a preschool network, now new kids on the ransomware block Radiant Group say they've hit a hospital in the US, continuing their deplorable early cybercrime careers.
With just three claimed victims on its website, including preschool network Kido Schools, Radiant Group today gave a Minnesota hospital seven days to comply with its demands or risk having its data plastered online.
The ransomware crooks have not yet named the hospital, but said they would identify it if their extortion demands are unmet.
Radiant added the hospital to its data leak site in the early hours of Monday morning – the latest victim it claimed to have attacked since spinning up in September.
The group mired itself in controversy following its inaugural attack on Kido International, primarily due to it leaking images of preschoolers along with their parents' contact details.
It wasn't just media and cybersecurity pressure that prompted Radiant to cover its tracks; a rival ransomware crew also appears to have played a role.
Rebecca Taylor, a threat intelligence knowledge manager at security biz Sophos, told The Register last week that the Nova group chastised Radiant on the Russian hacker forum RAMP for its treatment of young people. In response, Radiant agreed to remove the children's data.
Kido International's listing on Radiant's website now reflects that, with the group saying one of its affiliates went rogue.
"All data relating to Kido Schools International has been deleted," its website now reads. "One of our partners violated our rules by targeting a childcare company. Therefore, we will not continue any leakage of this childcare company, and they have been provided with a security report and deletion log."
We asked Kido to confirm the veracity of Radiant's claims, specifically about providing a deletion log.
A spokesperson for the preschool network said: "We understand that the group responsible has unilaterally elected to delete data they copied. We have continued to monitor their site and can confirm they have removed the information they previously published."
"Throughout this incident, we have followed guidance from the authorities that discourages ransom payments as they only fuel and incentivise further criminal activity. We continue to work closely with families, regulators, law enforcement, and our cybersecurity experts, to investigate and take active steps to confirm that the data is permanently deleted."
According to Taylor, Radiant said that during the RAMP discussion of its attack on Kido it forbade any attacks that involve children's data. "We have disabled any attacks relating to them, is not allowed anymore," it said.
So children are a no-go, yet hospitals are seemingly fair game.
Little is known about Radiant Group, although the cyber sleuths at malware collector vx-underground, who claim to have spoken with its hierarchy after the Kido attack, said they appear to be native English speakers and understand how the UK school system works. They said Russian ransomware groups tend not to have a great understanding of what data they steal from Western organizations or how damaging it could be if leaked.
Daily Brief Summary
Radiant Group, a new ransomware actor, has claimed responsibility for an attack on a Minnesota hospital, demanding compliance within seven days to avoid data exposure.
This group previously attacked Kido Schools, leaking sensitive data of preschoolers and their parents, sparking significant backlash from media and rival cybercriminals.
Following criticism, Radiant Group removed the children's data and vowed to avoid targeting minors in future operations.
Despite backing away from targeting children, the group has not hesitated to attack healthcare institutions, indicating a shift in their victim profile.
Kido says it declined to pay a ransom on guidance from the authorities and continues to work with families, regulators, law enforcement, and its cybersecurity experts to investigate and confirm that the data is permanently deleted.
The group's decision-making and operations suggest a familiarity with Western systems, contrasting with typical Russian ransomware groups.
The incident underscores the persistent threat of ransomware to critical sectors, emphasizing the need for robust cybersecurity measures and incident response strategies.