LevelBlue SpiderLabs: Breaking Down the Ransomware Groups Targeting the Education Sector
Ransomware attack groups have ramped up their efforts, launching attacks on the education sector with recent incidents striking a range of targets from an Australian institution of higher learning to a school district in North Carolina.
These facilities contain a large amount of very valuable data, such as student records, intellectual property, and financial information that threat groups can leverage for financial gain. An additional reason education is targeted is that it must stay in operation. Public schools can’t just close if their systems are locked up by ransomware, a fact the attacker is well aware of, which adds extra pressure.
They essentially say, “This is a mighty nice school district you have; it would be a shame if it had to stay closed for several months. How about just paying the ransom and moving past all this unpleasantness?”
Gaining Access
Ransomware operators typically exploit weak authentication controls, unpatched vulnerabilities, employ social engineering tactics, and leverage compromised credentials obtained from successful infostealer infections to obtain initial access.
More or less the same playbook is used for any attack. However, LevelBlue SpiderLabs continuously tracks data published on ransomware leak portals, enabling us to provide unique insights into the operational activities and targeting patterns of specific ransomware groups in the education field.
Leak portal disclosures typically represent attacks where threat actors successfully exfiltrated sensitive data and/or encrypted critical resources that could be leveraged for extortion demands. Keep in mind, this represents only a subset of all ransomware attacks, omitting cases where organizations successfully prevented compromise and cases resolved through ransom payments prior to data publication. Therefore, the actual number of ransomware attacks targeting the education sector is likely significantly higher than the following statistics suggest.
From September to December 2025, more than 80 ransomware attacks were reported against educational institutions worldwide. Most of the activity took place in the United States, with 54 attacks publicly disclosed on ransomware leak sites. Canada ranked second with five attacks, followed by Brazil with three reported incidents.
The Top Three Ransomware Groups Attacking the Education Sector
Among ransomware groups responsible for these attacks, Qilin emerged as the most prolific threat actor, with 16 recorded attacks (20% of total activity), followed by INC Ransom with eight attacks and CL0P with seven attacks.
An analysis of the initial access vectors revealed that phishing was the most frequently reported method, accounting for 22% of incidents. This finding highlights the continued effectiveness of social engineering tactics and underscores the critical need for enhanced security awareness training across students, faculty, and staff.
LevelBlue SpiderLabs recommends that educational institutions place extra focus on popular social engineering techniques such as fake CAPTCHA and ClickFix.
Ransom Demand and Payment Trends
According to research published by Sophos, in 2025, median ransom demands targeting the education sector declined significantly compared to the previous year.
While the drop can be considered good news, the reality is that any demand is a problem, and the business and human impact of ransomware incidents remains significant.
In lower education institutions (K-12), demands fell from $3.85 million to $1.02 million, while actual ransom payments decreased from $6.60 million to $800,000. Similarly, in higher education institutions, median demands dropped from $3.55 million to $697,000, and median payments declined from $4.41 million to $463,000. These reductions suggest changing ransomware economics or improved defensive postures within educational organizations.
Qilin Ransomware Group
Qilin emerged in mid-2022 as a sophisticated Ransomware-as-a-Service (RaaS) operation, quickly gaining notoriety for its targeted attacks on financial institutions. The group is known for its aggressive tactics and high-value targeting strategy, making it the most active group targeting financial services. The group’s Rust-based ransomware is highly customizable, targeting Windows, Linux, and VMware ESXi environments.
A significant attack happened in early September 2025. The Qilin group targeted Mecklenburg County Public Schools (MCPS) in southern Virginia. The attackers claimed to have stolen 305 GB of sensitive data, including financial records, grant documents, budgets, and children’s medical files, significantly disrupting school operations.
Initial Access Vectors
• T1566: Phishing - Advanced social engineering campaigns targeting financial sector employees
• T1190: Exploit Public-Facing Application - Exploiting vulnerabilities in internet-facing systems
• T1078: Valid Accounts - Compromised credentials from previous breaches
• T1133: External Remote Services - RDP and VPN exploitation
• T1195: Supply Chain Compromise - Targeting third-party financial service providers
CVEs Involved
• CVE-2023-4966 - Citrix NetScaler ADC and Gateway Vulnerability 'Citrix Bleed'
• CVE-2023-27350 - PaperCut MF/NG Improper Access Control Vulnerability
• CVE-2023-0669 - GoAnywhere MFT Remote code injection via admin panel
• CVE-2021-22986 - BIG-IP F5 iControl Server-Side Request Forgery / RCE
• CVE-2021-44228 - Apache Log4j2 Remote Code Execution Vulnerability
• CVE-2019-0708 - Microsoft Remote Desktop Services RCE Vulnerability
External Intelligence: DarkTrace | THN | SoCRadar
INC Ransom Group
INC Ransom, which emerged in July 2023, operates a sophisticated double-extortion scheme while deceptively positioning itself as a "security improvement service." The group employs psychological manipulation, claiming that paying the ransom would help victims save their reputation and improve their security posture, a tactic designed to rationalize payment and reduce resistance. The group exfiltrates sensitive data before encryption and maintains a leak site used to threaten victims.
Initial Access Vectors
• T1566: Phishing - Advanced social engineering campaigns targeting financial sector employees
• T1190: Exploit Public-Facing Application - Exploiting vulnerabilities in internet-facing systems
• T1078: Valid Accounts - Compromised credentials from previous breaches
• T1133: External Remote Services - RDP and VPN exploitation
CVEs Involved
• CVE-2023-48788 - Fortinet FortiClient EMS SQL Injection Vulnerability
• CVE-2023-3519 - Citrix NetScaler Application Delivery Controller Vulnerability
CL0P Ransomware
The CL0P ransomware group exhibited exceptional operational activity throughout early 2025, establishing itself as the most prolific threat actor based on leak site disclosures. CL0P dominated the threat landscape with 413 public victim posts during Q1 2025, driven primarily by the exploitation of two zero-day vulnerabilities: CVE-2024-50623 and CVE-2024-55956, affecting Cleo managed file transfer (MFT) solutions.
The impact of this campaign was particularly severe in February 2025, with 389 victim organizations publicly disclosed, representing an extraordinary 1,400% increase compared to the 26 victims recorded in February 2024. CL0P’s tactical approach emphasizes mass data exfiltration over traditional encryption-based ransomware, enabling rapid compromise of multiple organizations through a single vulnerability exploitation campaign.
CL0P’s historical track record demonstrates significant impact to affected organizations, most notably through the 2023 MOVEit Transfer vulnerability exploitation campaign (CVE-2023-34362), which generated an estimated $75–100 million in ransom revenue while affecting data belonging to over 95 million individuals across hundreds of compromised organizations worldwide.
Initial Access Vectors
• T1566: Phishing - Advanced social engineering campaigns targeting financial sector employees
• T1190: Exploit Public-Facing Application - Exploiting vulnerabilities in internet-facing systems
• T1078: Valid Accounts - Compromised credentials from previous breaches
CVEs Involved
• CVE-2024-50623 - Cleo Unrestricted File Upload Vulnerability
• CVE-2024-55956 - Cleo Remote Code Execution Vulnerability
• CVE-2023-0669 - GoAnywhere MFT Remote Code Injection
• CVE-2023-34362 - MOVEit Transfer SQL Injection Remote Code Execution
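The three group profiles above each list their own initial access techniques and CVEs. The added example below, which is not LevelBlue tooling, transcribes those lists from this post and turns them into a defender's priority view: CVEs exploited by more than one tracked group rank first, techniques common to all three groups mark the controls with the broadest payoff, and a constructed inventory (the `SAMPLE_INVENTORY` entries are hypothetical) is matched against the affected products to produce a patch list. The ranking rule and the product keywords are this example's own assumptions.

```python
"""Turn the per-group CVE and technique lists from the post into a patch and
control priority list. Added example; the mappings are transcribed from the
post, the scoring rule is an assumption of this example."""
from collections import defaultdict

# MITRE ATT&CK techniques listed per group in the post.
GROUP_TECHNIQUES = {
    "Qilin": {"T1566", "T1190", "T1078", "T1133", "T1195"},
    "INC Ransom": {"T1566", "T1190", "T1078", "T1133"},
    "CL0P": {"T1566", "T1190", "T1078"},
}

# CVEs listed per group in the post.
GROUP_CVES = {
    "Qilin": {"CVE-2023-4966", "CVE-2023-27350", "CVE-2023-0669",
              "CVE-2021-22986", "CVE-2021-44228", "CVE-2019-0708"},
    "INC Ransom": {"CVE-2023-48788", "CVE-2023-3519"},
    "CL0P": {"CVE-2024-50623", "CVE-2024-55956", "CVE-2023-0669",
             "CVE-2023-34362"},
}

# Affected product for each CVE, as named in the post (used as a keyword
# for inventory matching; keyword choice is this example's assumption).
CVE_PRODUCT = {
    "CVE-2023-4966": "Citrix NetScaler",
    "CVE-2023-27350": "PaperCut",
    "CVE-2023-0669": "GoAnywhere MFT",
    "CVE-2021-22986": "F5 BIG-IP",
    "CVE-2021-44228": "Apache Log4j",
    "CVE-2019-0708": "Remote Desktop Services",
    "CVE-2023-48788": "FortiClient EMS",
    "CVE-2023-3519": "Citrix NetScaler",
    "CVE-2024-50623": "Cleo",
    "CVE-2024-55956": "Cleo",
    "CVE-2023-34362": "MOVEit Transfer",
}


def groups_by_cve(group_cves):
    """Invert group -> CVEs into CVE -> sorted list of groups exploiting it."""
    out = defaultdict(list)
    for group, cves in group_cves.items():
        for cve in cves:
            out[cve].append(group)
    return {cve: sorted(groups) for cve, groups in out.items()}


def cve_priority(group_cves):
    """CVE ids ordered by number of tracked groups exploiting them (most
    first), ties broken by id so the order is stable."""
    by_cve = groups_by_cve(group_cves)
    return sorted(by_cve, key=lambda cve: (-len(by_cve[cve]), cve))


def shared_techniques(group_techniques):
    """Techniques every tracked group relies on: a control here (for example
    phishing resistance for T1566) covers all of them at once."""
    return set.intersection(*group_techniques.values())


def patch_plan(inventory, group_cves=GROUP_CVES, cve_product=CVE_PRODUCT):
    """Return (cve, product, groups) for each listed CVE whose product name
    appears (case-insensitively) in an inventory entry, highest priority
    first. Matching on product name only flags candidates; version checks
    against vendor advisories still have to follow."""
    by_cve = groups_by_cve(group_cves)
    plan = []
    for cve in cve_priority(group_cves):
        product = cve_product[cve]
        if any(product.lower() in item.lower() for item in inventory):
            plan.append((cve, product, by_cve[cve]))
    return plan


# Constructed inventory for a hypothetical school district (not from the post).
SAMPLE_INVENTORY = [
    "Citrix NetScaler ADC (remote access gateway)",
    "PaperCut MF print server",
    "Student information system (SaaS)",
]

if __name__ == "__main__":
    print("Techniques used by every tracked group:",
          sorted(shared_techniques(GROUP_TECHNIQUES)))
    print("CVE priority across groups:")
    by_cve = groups_by_cve(GROUP_CVES)
    for cve in cve_priority(GROUP_CVES):
        print(f"  {cve:<15} {CVE_PRODUCT[cve]:<24} {', '.join(by_cve[cve])}")
    print("Patch candidates for the sample inventory:")
    for cve, product, groups in patch_plan(SAMPLE_INVENTORY):
        print(f"  {cve} ({product}) exploited by {', '.join(groups)}")
```

Run as a script it prints the cross-group view; the one CVE two groups share (CVE-2023-0669, GoAnywhere MFT) lands at the top of the priority list, and T1566, T1190 and T1078 come out as the techniques common to all three groups, which is the same conclusion the post draws about phishing resistance and timely patching.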
Ransomware activity against the education sector shows no signs of slowing, driven by valuable data stores, operational pressure, and persistent weaknesses in authentication and user awareness.
While median ransom demands have declined, the frequency and impact of attacks, from data theft to prolonged disruption, remain severe.
However, by understanding how groups like Qilin, INC Ransom, and CL0P operate, and by prioritizing phishing resistance, timely patching, and visibility into emerging threat actor behavior, educational institutions can take meaningful steps to reduce risk and strengthen their resilience against an increasingly aggressive threat landscape.
ABOUT LEVELBLUE
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.