Hackers attempt to extort parents after school refuses to pay ransom fee

Cybercriminals who attacked a high school in Antwerp, Belgium, last month are now attempting to extort the parents of individual students after the school refused to pay a ransom.

The attackers are believed to have gained access to the internal networks of OLV Pulhof, a secondary school in the Berchem district of Antwerp, shortly after the Christmas break. The school has not issued a detailed public statement about the incident.

A spokesperson for the Antwerp public prosecutor’s office confirmed to Recorded Future News that an investigation is underway but declined to provide further details.

According to Flemish public broadcaster VRT News, the perpetrators identified themselves as “Lock-Bit” in an extortion email sent in January. The message claimed the hackers had stolen sensitive information relating to students and staff, including financial records and confidential mental health data.

However, several indicators suggest the email was not sent by the LockBit ransomware group. In addition to the misspelling of the group’s name, LockBit typically does not rely on email as its primary extortion method, instead leaving ransom notes directly on compromised systems and directing victims to dedicated negotiation portals.

The attackers demanded the school pay €15,000 ($17,800) and, when that demand was not met, shifted their focus to parents. In the message, parents were told they could either pressure the school to pay or pay 50 euros per child themselves, with the hackers threatening to publicly leak and sell the children’s data if no payment was made.

In line with general cybersecurity guidance, the school did not engage with the extortion attempt and has advised parents not to pay.

The initial extortion fee of €15,000 is very low by LockBit’s standards. Although the ransomware scheme has tumbled in stature since a British law enforcement-led disruption in 2024, demands associated with the ransomware gang remain much higher.

Targeting individual parents for small payments cuts against the usual business model of the more mature ransomware groups. Chasing hundreds of individuals for small payments creates a huge overhead and delivers far lower returns than a single corporate payout, and signals the attackers are struggling to monetize their access to the victim’s network.