K12 Online Schooling Giant Paid Ryuk Ransom To Prevent Data Leaks

K12 Online Schooling Giant Paid Ryuk Ransom To Prevent Data Leaks

In Mid November 2020, K12, an online education giant, paid Ryuk ransom to the ransomware gang. The Ryuk gang made a cyberattack against the online platform that prompted K12 to lock down IT systems. They paid the ransom to stop the spread of the attack. It is still unknown how much ransom K12 has paid.

K12 says that they detected an unapproved activity on their network in the middle of November. In a short time, they realized and confirmed the suspicious activity as a criminal onslaught in the form of ransomware.


Improve the effectiveness of your SOC with our experts at Lifars


According to BleepingComputer, K12 employed the response, taking all counter-measures to contain the spread of the attack. They locked down impacted systems and notified the federal enforcement authorities about it. They also started working with third-party forensics to look into the incident.

The degree of impact

The cyber threat actors have acquired access to some back-office systems that incorporated student data and other information. It would prove ruinous for any company supposing the leak of student data occurs.

Thankfully, they were not able to impact their online Learning Management System (LMS). The other significant systems also remained unaffected, including accounting, payroll, and enrollment systems.

Ryuk ransomware

One of the types of ransomware is Ryuk, employed particularly in targeted attacks. The cyber threat actors ensure that critical files are encrypted to demand a large ransom. It encrypts network drives and resources. Besides, it erases shadow copies on the endpoint.

Stealing unencrypted data before encrypting devices is the cause of notoriety for the Ryuk ransomware gang. Later on, the group attempts double-extortion using this data, where it intimidates to leak stolen data unless a ransom is paid.

In the third quarter of 2020, as per a report from Check Point, Ryuk attacked 20 companies every week on average.

Was it the right decision to pay the ransom?

The threat actors assured K12 that they would not leak stolen data in return for the ransom. In response, K12 paid the ransom by utilizing their cyber insurance.

Conversely, according to some security experts, it makes no sense to pay a ransom. This is because there is no guarantee for data misuse in the future.

Ransomware negotiators harbor suspicions over the assurances of ransomware gangs sticking with their promises. After all, there are instances where certain groups leaked stolen data even after payment of ransom. They did it, despite using fake data as proof of deletion.

Indicators of Compromise (IoCs)









IP Addresses:





Phishing sender email:



We published a case study of a recent engagement where RYUK ransomware coupled with the Zbot/Zloader embedded in an Excel macro made up for a deadly combo. Download the case study do see findings from our digital forensics analysis and additional IoCs.



It is concerning coming across such news when online education platforms are taking over brick-and-mortar educational institutes due to the pandemic situation. COVID-19 has affected education enormously along with other spheres of life.

Instead of traditional public schools, students in large numbers are moving towards online education. For example, over one million students have chosen the K12 platform to learn from home. Therefore, containing a threat to online platforms is a must nowadays.