Ransomware group demands £500,000 from British schools, citing cyber insurance policy

The Hive ransomware group is allegedly demanding £500,000 (about $608,000) from two schools in England following a hack targeting their IT systems, according to reports in British media. 

Students and parents of the Wootton Upper School and Kimberley College — both owned by Wootton Academy Trust in Bedfordshire, England — received a message last week from the hacking group claiming to have breached the Trust’s network and exfiltrated student’s home addresses, banking information, and medical records, with threats to leak the data if the it fails to pay. 

“If Wootton management decides to move on with their plan and refuse to negotiate, we are going to release all of the stolen data online for everyone to see,” the message read, “All of your child's private information will be online for everyone and for free.”

Executive principal Michael Gleeson wrote in a publicly released letter to parents on Tuesday that they are consulting with “specialist third party experts,” and are focused on rebuilding the IT system. A forensic investigation to understand what data was impacted is underway, he wrote.

The Hive group claims to have breached the system and then obtained details of its cyber insurance policy to use in negotiations. “We are very well informed and precise in our operations, so we know that Wootton have cyber insurance that reaches £500k,” the group wrote in the message to students and parents. 

Allan Liska, a ransomware expert at Recorded Future, called such a threat “largely bluster from the bastards behind the ransomware attack.” 

“A £500,000 cyber insurance policy does not mean that an insurance company will pay it,” he said.“This is part of the expanded extortion ecosystem we see ransomware groups increasingly rely on – not just using information from the cyber insurance policy, but you can see the group has reached out to parents directly threatening to release their children's sensitive information if the school doesn't pay.” 

Hive has been active since June 2021 and is known for being one of the most aggressive financially-motivated cybercrime organizations, frequently targeting U.S. healthcare systems. Hive reportedly breached more than 350 organizations over a four month period, though only a small number of them have had their data leaked, suggesting most victims pay the ransom. 

School districts continue to be a top target for cybercrime groups — next to healthcare organizations — as reports of ransomware attacks continue to rise. Although a majority of victims who pay the ransom get some amount of data back, there has been a drop in how much is returned. In 2021 the amount of data both lower and higher education organizations got back after paying a ransom was just over 60%, according to a 2022 report by Sophos.