Date: Apr 2023

Location: United States of America

Summary

Keystone SMILES Community Learning Center, a nonprofit preschool organization, was attacked by an affiliate of the LockBit ransomware group. The affiliate later apologized for the attack, claiming to have deleted the stolen data. A free decryptor was offered to the organization. The LockBit group itself banned the affiliate responsible for targeting the nonprofit, which was considered an off-limits organization.

Description

On or around April 26, 2023, the Keystone SMILES Community Learning Center, a nonprofit preschool organization, was the victim of a cyberattack. The attack was claimed by an affiliate of the LockBit ransomware group. The affiliate successfully compromised the organization's network and deployed ransomware, which encrypted systems and data. The attackers also exfiltrated data from the organization's network. Following the attack, the affiliate listed Keystone SMILES on LockBit's data leak site, a platform used by the group to threaten the public release of stolen data to pressure victims into paying a ransom.

The attack on a nonprofit educational organization, particularly one focused on early childhood education, drew significant negative attention. In response to this public relations backlash, the core LockBit ransomware group leadership took action against its own affiliate. LockBit publicly apologized for the attack on its leak site. The group stated that it had deleted the data that was stolen from Keystone SMILES during the breach. As a remedial measure, LockBit also provided a free decryptor to the organization, which would allow it to recover its encrypted files without having to pay a ransom. This action was characterized as an attempt by the group to appear as "good guys — or, at least, not terrible guys" by not putting lives at risk through attacks on sensitive sectors like healthcare or education. The public apology and offer of a free decryptor were unusual steps for a ransomware group, highlighting the operational and reputational risks they can face when targeting certain types of organizations.

The public-facing response from the LockBit group indicated that the affiliate responsible for the attack had violated the group's rules. While many ransomware groups have publicly stated rules prohibiting attacks on critical infrastructure like hospitals, these rules are often ignored or applied arbitrarily. The incident demonstrated that even groups like LockBit, which have attempted to attack hospitals in low-income countries, enforce these rules selectively, often only when an attack generates significant negative publicity that could harm their business model. The enforcement action against the affiliate, including the public ban and the group's subsequent apology, was primarily for public relations purposes. The core business incentive for such an action is that if a group gains a reputation for attacking organizations where lives are directly at risk, it makes it harder for other potential victims to justify paying a ransom, as funding such groups would be seen as funding "almost-terrorists."

There is no public information available regarding how Keystone SMILES initially detected the suspicious activity within its network or the specific initial intrusion vector used by the attackers. The public record is also silent on the exact scope of the systems that were encrypted or the specific types of data that were exfiltrated. The organization did not respond to requests for comment regarding whether it used the free decryptor provided by LockBit or any other details of its incident response. It is therefore unknown what internal steps the organization took to contain the incident, whether law enforcement was notified, or if third-party cybersecurity experts were engaged to assist with the investigation and recovery. The lack of a public statement from the victim organization is common in such incidents.

The primary immediate consequence for Keystone SMILES was the operational disruption caused by the encryption of its systems. As a learning center, this likely impacted its ability to conduct normal administrative and educational activities. The potential exposure of any stolen data also posed a risk to the privacy of the children, families, and employees associated with the center, though the LockBit group claimed this data was deleted. The financial impact on the nonprofit, including any costs associated with recovery and remediation that were not mitigated by the free decryptor, is not publicly documented. The incident had a broader consequential impact on the ransomware ecosystem by serving as a high-profile example of a ransomware group enforcing its own rules against an affiliate for targeting a charitable educational institution. This case joined other examples, such as attacks on hospitals, where negative publicity has sometimes compelled ransomware actors to provide free decryption keys. The event underscored that while financial gain is the primary motive for these groups, reputational management can occasionally influence their actions after an attack has occurred. The incident did not prevent LockBit or other groups from continuing to target a wide range of organizations, but it highlighted the complex and often contradictory dynamics within the ransomware criminal marketplace.
