Cyber Incident Victim: Bishop Luffa School
Date: Mar 2023
Location: United Kingdom
Summary
A British secondary school operated by the Church of England suffered a ransomware attack by the Medusa gang, leading to operational disruptions with systems taken offline and the exposure of sensitive data. The threat actors leaked samples containing student names and staff personal information on their dark-web blog while demanding $100,000 for data deletion. The institution appeared on Medusa's victim list alongside other recent targets, with the gang emerging as a prominent ransomware operator by claiming numerous attacks globally, though the details of negotiations or incident resolution remain unconfirmed by the affected organization.
Description
On March 9, 2023, Bishop Luffa School, a Church of England-run secondary school in the UK, experienced a major cybersecurity disruption that forced its systems offline, rendering its website inaccessible with a public notification stating "the school systems are currently down." The incident was subsequently claimed by the Medusa ransomware gang, which listed the school on its dark-web blog alongside samples of stolen data. These samples contained student names, surnames, and staff personal information, though the full scope of compromised records remains undisclosed. Medusa publicly demanded a $100,000 ransom payment to delete the exfiltrated data, though the actual demand communicated privately to the school may have differed. The group leveraged the data leak tactically to pressure the institution into paying, reflecting a common ransomware strategy. No confirmation exists regarding the attack vector, initial access method, or specific systems compromised beyond the evident impact on digital infrastructure. The school’s operational disruption persisted beyond the initial attack date, with no public remediation timeline provided.

Medusa, identified as an emerging ransomware operator active since late 2022, escalated to prominence by February 2023, ranking as the third most prolific group that month with at least 18 confirmed attacks according to dark-web monitoring service Darkfeed. The gang’s modus operandi includes data exfiltration followed by extortion through victim listings and sample leaks on their dedicated leak site. Earlier that same month, Medusa similarly targeted Minneapolis Public Schools, underscoring its focus on educational institutions. Bishop Luffa School did not publicly acknowledge the ransomware attack or data breach in immediate response to the incident, with the article noting no reply to media inquiries prior to publication. Law enforcement guidance discouraging ransom payments was referenced in the context of the attack, though no official statements from authorities regarding this specific case were noted. The incident exposed sensitive personal information of minors and staff while disrupting educational operations, though specific impacts on academic activities were not detailed in the available reporting.
