United Kingdom law enforcement has arrested two teenagers, aged 17 and 18, in connection with a ransomware attack against a London-based nursery chain that operates approximately 90 sites. The attack was attributed to the Radiant ransomware group.

The initial attack vector was a critical, yet common, security oversight. The threat actors gained access after discovering hardcoded credentials publicly exposed in a GitHub repository. Developers for the nursery chain had inadvertently left sensitive information, including a plain-text SMTP username and password, within a code file accessible to the public.

This type of vulnerability provides a direct and easy entry point for attackers, allowing them to compromise email systems, which can then be leveraged to move laterally and escalate the attack across the organization’s network.
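
A check that catches this class of exposure before a commit is pushed, as an added example (not code from the nursery chain or from the reporting). The rule names, the `scan` and `redact` helpers, and the sample file contents are constructed for illustration, and the patterns are heuristics rather than a complete secret scanner.

```python
import re

# Heuristic rules for mail credentials committed as literals (not exhaustive).
RULES = {
    "smtp-assignment": re.compile(
        r"""(?ix)\b(?:smtp|mail|email)[\w.\-]*?
            (?:pass(?:word|wd)?|pwd|user(?:name)?|login)\w*
            ["']?\s*(?:=>|=|:)\s*(["'])(?P<val>[^"'\n]+)\1"""),
    "smtplib-login": re.compile(
        r"""\.login\(\s*(["'])[^"'\n]+\1\s*,\s*(["'])(?P<val>[^"'\n]+)\2\s*\)"""),
    "smtp-url": re.compile(r"""(?i)\bsmtps?://[^\s:/@"']+:(?P<val>[^\s@"']+)@"""),
}
# Environment references and obvious placeholders are not secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{?\w+\}?|<[^>]*>|x+|\*+|changeme)$")

# Constructed sample file contents; every name and value here is made up.
SAMPLE = '''\
SMTP_HOST = "smtp.nursery.example"
SMTP_USERNAME = "notifications@nursery.example"
SMTP_PASSWORD = "Tr0ub4dor-constructed"
MAIL_PASSWORD = "${MAIL_PASSWORD}"
smtp_password = os.environ["SMTP_PASSWORD"]
server.login("notifications@nursery.example", "Tr0ub4dor-constructed")
MAIL_URL = "smtp://notify:S3cret-constructed@smtp.nursery.example:587"
'''

def redact(value):
    """Keep a finding reportable without copying the secret into scanner output."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def scan(path, text):
    """Return (path, line number, rule name, redacted value) for each literal found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                if not PLACEHOLDER.match(m.group("val")):
                    findings.append((path, lineno, rule, redact(m.group("val"))))
    return findings

if __name__ == "__main__":
    for finding in scan("settings.py", SAMPLE):
        print("%s:%d [%s] %s" % finding)
```

Lines 4 and 5 of the sample are not flagged because the value comes from the environment rather than from the file. A credential that has already been pushed to a public repository stays in the commit history, so removing it in a later commit does not make it safe and it needs to be rotated.
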

In an unusual turn, the Radiant group reportedly issued an apology for the attack approximately a week before the arrests, subsequently removing the sensitive photos of children from their data leak site. Despite this, the National Crime Agency (NCA) and the Metropolitan Police proceeded with their investigation, arresting the two suspects on October 7th.

According to reports on the group’s initial extortion tactics, the compromised data included extremely sensitive information. Though later removed by the attackers, the data that was temporarily leaked allegedly included:
- Photographs of children attending the nursery
- Personal and administrative information related to the children and their families












