Cyber Incident Victim: Nonprofit preschool organization

In late April 2023, the LockBit ransomware group publicly disclosed an unauthorized cyber incident involving Keystone SMILES Community Learning Center, a nonprofit preschool organization. An affiliate of LockBit executed the attack, during which data was stolen from the organization’s systems. Following the breach, LockBit leadership intervened by banning the affiliate responsible, citing violations of the group’s operational rules prohibiting attacks on certain sensitive sectors. The affiliate issued a public apology on LockBit’s data leak site, claiming to have permanently deleted all stolen data obtained during the intrusion. LockBit provided a free decryptor to the preschool to restore any encrypted files, though no confirmation was received regarding whether the organization utilized this tool. The preschool did not publicly comment on the incident or disclose operational impacts.

This incident occurred amid broader discussions about ransomware groups’ targeting practices. LockBit had previously emphasized prohibitions against attacking healthcare and educational institutions, though enforcement appeared inconsistent. Security researchers noted LockBit occasionally reversed course on attacks against low-revenue targets—such as offering free decryption to a hospital in a low-income country after ransom negotiations failed—to manage public perception. The preschool attack demonstrated operational friction within affiliate-based ransomware models, where centralized rules conflicted with individual actors’ target selection. No data leaks or financial demands materialized against Keystone SMILES following the affiliate’s removal and apology, suggesting containment through LockBit’s internal disciplinary action rather than external response measures by the organization.