A notorious cybercriminal group claimed Wednesday that it hacked an elite Riverdale prep school and is holding its data for ransom, according to the group’s dark web page.
The group, known as RansomHub, posted Riverdale Country School’s website along with a countdown clock on its dark web site, alleging that it had stolen 42 GB of data. The post warned that the private school had just over five days to comply with its demands or it would release the data.
RansomHub formed in February 2024, and experts say that it has already become one of the most prolific ransomware groups, extorting at least 210 victims last year, according to the Cybersecurity and Infrastructure Security Agency (CISA).
The organization works by offering its malicious software, or malware, as a service to affiliates – other criminals who then target, compromise and extort victims by stealing high value or sensitive data and threatening to leak it if the target doesn’t pay up.
Riverdale Country School, a PK-12 independent school with over 1,000 students on 27 acres and two campuses, charged over $57,000 in tuition in the 2024-2025 school year. With a lengthy list of influential alumni like President John F. Kennedy, Senator Richard Blumenthal, Carly Simon and Chevy Chase, the data the institution holds on its students and their families could potentially have made it a target for cybercriminals.
Although the cyber gang didn’t share what type of data it’s threatening to release, K-12 schools keep personal information about students and their families, vaccination records, academic records, health data, staff payroll and more.
Luke Connolly, a cybersecurity threat analyst with Emsisoft, a firm specializing in security solutions, said RansomHub typically employs multiple extortion tactics against its victims. He flagged the update to the cybercriminal group’s dark web site on social media, sharing a screenshot of the countdown clock on X. In some cases the ransomware encrypts data and the attackers unscramble a target’s files only once they have been paid in cryptocurrency, while also downloading the data, or exfiltrating it, to their own servers as a second lever to get victims to pay.
RansomHub said it stole 42 GB of data from the school, which is less than the amount of data it takes to fill up a smartphone, but Connolly said that size doesn’t necessarily indicate the severity of the breach.
“It doesn’t have to be big,” Connolly said. “It depends on how sensitive the data is, because what they are trying to do is either take data that’s critical to their operations and holding it ransom or they’re taking data that’s very sensitive.”
Without speaking specifically to the alleged attack on the Bronx school, he said what happens next is typically some sort of negotiation.
“If the victim has cyber insurance, then one of their first calls might be to their insurance company because the insurance that is being paid for may cover ransomware payments,” Connolly said.
Riverdale Country School did not respond to a request for comment.
But Connolly said the group posting the attack on the dark web could indicate that it’s turning up the heat.
“Individual [ransomware] victims may be compromised but not posted on a website until the threat actor deems that they’re not being cooperative in negotiations,” Connolly said. “Then they’ll put them on, on the dark website in order to start to apply pressure.”