PowerSchool hackers are extorting schools despite the company's ransom payment
DOGE violates privacy and security to build centralized database, LockBit hit by data breach, TeleMessage app was rejected by some US agencies, Google discovers new Cold River malware, Europol busts four DDoS'ers, Ransomware hits German beer giant, Feds warn oil and gas sectors, much more
Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
Education software and cloud provider PowerSchool said that hackers have tried to extort "multiple" school districts in the United States and Canada using previously stolen data from the company, despite the company's payment of the ransom demanded by the attackers.
PowerSchool, which serves more than 60 million students globally, disclosed in December 2024 that personal information had been stolen from its US student database in a cybersecurity incident.
The company said at the time that the data stolen varied but could have included names, contact information, dates of birth, limited medical alert information, and social security numbers. The hacker claimed to have stolen the data of 62.4 million students and 9.5 million teachers for 6,505 school districts across the US, Canada, and other countries.
In an update, the company said it was "aware that a threat actor has reached out to multiple school district customers in an attempt to extort them" and acknowledged for the first time that it paid the hackers responsible for the breach a ransom of an undisclosed amount.
PowerSchool said the extortion attempts relied on data stolen in that incident. It made "the difficult decision" to pay the ransom "because we believed it to be in the best interest of our customers and the students and communities we serve," and it believed the hackers would delete the data "based on assurances and evidence provided to us."
School districts being individually extorted by the threat actor include districts in North Carolina and the Toronto District School Board (TDSB), the largest school board in Canada. (AJ Vicens / Reuters and Lawrence Abrams / Bleeping Computer)
Related: PowerSchool, TDSB, Cyberscoop, The Record, Cyber Daily, NBC News, The Register, CTV News, CBC, WRAL, Axios, WXII, Databreaches.net, CityNews Toronto, ABC11, Spectrum News, WFMY News, CBS17, WSOC, ABC45, Inside Halton, Wall Street Journal, WBTV, News & Observer
Government workers say Elon Musk's DOGE Service is racing to build a single centralized database with vast troves of personal information about millions of US citizens and residents, a campaign that often violates or disregards core privacy and security protections meant to keep such information safe.
The team is collecting data from across the government, sometimes at the urging of low-level aides. The intensifying effort to unify systems into one central hub aims to advance multiple Trump administration priorities, including finding and deporting undocumented immigrants and rooting out fraud in government payments. And it follows a March executive order to eliminate “information silos” as DOGE tries to streamline operations and cut spending.
Federal workers said DOGE officials have sought to merge databases that had long been kept separate at several agencies. For example, longtime Musk lieutenant Steve Davis told staffers at the Social Security Administration that they would soon start linking various sources of Social Security data for access and analysis, according to a person briefed on the conversations, with a goal of “joining all data across government.”
DOGE has also sometimes removed protections around sensitive information—Social Security numbers, birth dates, employment history, disability records, medical documentation, and more. In one instance, a website for a new visa program wasn’t set up behind a protective virtual private network, as would be customary, according to a Department of Homeland Security employee and records.
According to security analysts, the administration’s moves ramp up the risk of exposing data to hackers and other adversaries, and experts worry that any breaches could erode public confidence in the government. Civil rights advocates and some federal employees also worry that the data assembled under DOGE could be used against political foes or for targeted decisions about funding or basic government services. (Hannah Natanson, Joseph Menn, Lisa Rein, and Rachel Siegel / Washington Post)
Related: Daily Beast, Raw Story
The LockBit ransomware gang, currently in its fourth iteration, suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
All of the ransomware gang's admin panels now state: "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip."
This archive contains an SQL file dumped from the site affiliate panel's MySQL database, containing twenty data tables.
In a Tox conversation with the threat actor Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost.
Based on the MySQL dump generation time and the last date record in the negotiation chats table, the database appears to have been dumped at some point on April 29th, 2025.
It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link. (Lawrence Abrams / Bleeping Computer)
Related: GBHackers, Cyber Security News

Sources say three federal departments prohibited their employees from accessing TeleMessage, the message archiving app that former National Security Adviser Michael Waltz used while communicating with other members of the Trump administration, after assessments determined the app wasn’t secure enough.
According to the sources, the IT chiefs at the three departments considered using TeleMessage to allow staff members to comply with federal record retention laws while using encrypted messaging apps. TeleMessage, owned by Portland, Oregon-based Smarsh Inc., enables users to archive messages from the Signal, WhatsApp, and Telegram apps.
Security officials at one of the departments met with TeleMessage staff this year to assess the app, but they grew concerned when TeleMessage engineers couldn’t answer technical security questions about where messages were saved or which country its servers were located in. (Margi Murphy / Bloomberg)
eWorldTrade, a Texas firm recently charged with conspiring to distribute synthetic opioids in the United States, is at the center of a vast network of companies in the US and Pakistan whose employees are accused of using online ads to scam westerners seeking help with trademarks, book writing, mobile app development, and logo designs.
In an indictment (PDF) unsealed last month, the US Department of Justice said Dallas-based eWorldTrade “operated an online business-to-business marketplace that facilitated the distribution of synthetic opioids such as isotonitazene and carfentanyl, both significantly more potent than fentanyl.”
Launched in 2017, eWorldTrade[.]com now features a seizure notice from the DOJ. eWorldTrade operated as a wholesale seller of consumer goods, including clothes, machinery, chemicals, automobiles, and appliances. The DOJ’s indictment includes no additional details about eWorldTrade’s business, origins, or other activity. At first glance, the website might appear to be a legitimate e-commerce platform that just happened to sell some restricted chemicals.
An investigation into the company’s founders reveals they are connected to a sprawling network of websites with a history of extortionate scams involving trademark registration, book publishing, exam preparation, logo design, mobile applications, and websites.
eWorldTrade is owned by someone named Azneem Bilwani in Karachi, who is perhaps better known as the director of the Pakistan-based IT provider Abtach Ltd., which the USPTO and Google have singled out for operating trademark registration scams (the main offices for eWorldTrade and Abtach share the same address in Pakistan). (Brian Krebs / Krebs on Security)

Researchers at Symantec report that the Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
Microsoft tagged the vulnerability, CVE-2025-29824, as exploited in a limited number of attacks and patched it during last month's Patch Tuesday.
Microsoft linked these attacks to the RansomEXX ransomware gang, saying the attackers installed the PipeMagic backdoor malware. This malware was used to drop the CVE-2025-29824 exploit, deploy ransomware payloads, and send ransom notes after encrypting files.
Since then, Symantec's Threat Hunter Team has also found evidence linking them to the Play ransomware-as-a-service operation. The team says the attackers deployed a CVE-2025-29824 zero-day privilege escalation exploit after breaching a US organization's network.
Although there was no ransomware payload, the attackers deployed the Grixba infostealer, a custom tool associated with Balloonfly, the group behind the Play ransomware operation. The Grixba custom network-scanning and information-stealing tool was first spotted two years ago, and Play ransomware operators typically use it to enumerate users and computers in compromised networks. (Sergiu Gatlan / Bleeping Computer)
Related: Symantec, Security Affairs
Google's Threat Intelligence Group said it has identified new malware called "LOSTKEYS", tied to the Russian-based hacking group Cold River, that is capable of stealing files and sending system information to attackers and that "marks a new development in the toolset" of Cold River.
Cold River, a name used to track hacking campaigns previously linked to Russia's Federal Security Service, is primarily known for stealing login credentials from high-profile targets, including those within NATO governments, non-governmental organizations, and former intelligence and diplomatic officers. The central goal has been intelligence collection in support of Russian strategic interests.
Recent targets, observed in January, March, and April 2025, include current and former advisers to Western governments and militaries, journalists, think tanks, NGOs, and unnamed individuals connected to Ukraine. (Deborah Sophia and AJ Vicens / Reuters)
Related: Google Cloud, Cointelegraph, Regtech Times, Deccan Herald, Channel News, The420CyberNews, CyberInsider

Europol announced that in concert with Operation PowerOFF, authorities in Poland have arrested four people accused of administering and selling access to distributed denial of service (DDoS) services.
The suspects are believed to have operated six so-called “stresser” or “booter” services that enabled customers across the world to launch thousands of attacks on targets ranging from government offices to businesses and schools. From 2022 to 2025, the platforms, identified as Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, allegedly allowed users to bombard websites and servers with high volumes of junk traffic, often rendering them inaccessible.
The arrests in Poland were part of a coordinated law enforcement response spanning four countries and supported by Europol. In addition to the Central Cybercrime Bureau in Poland, the investigation was supported by the German Federal Criminal Police Office, the Prosecutor General’s Office in Frankfurt, the Dutch National Police, and multiple US agencies, including the Department of Justice, FBI, Homeland Security Investigations (HSI), and Defense Criminal Investigative Service (DCIS).
US authorities also seized nine domain names linked to similar DDoS-for-hire operations. (Greg Otto / Cyberscoop)
Related: Europol, The Cyber Express, HackRead
German beer and drinks giant Oettinger Getränke (Oettinger Brauerei or Oettinger) has confirmed that it suffered a cyber attack following claims made by threat actors after the RansomHouse ransomware gang listed the drinks manufacturer on its dark web leak site, claiming to have exfiltrated and encrypted business data.
“We are currently investigating the cyber attack on OeTTINGER GETRÄNKE in conjunction with IT forensic experts, the data protection authority, and cyber crime specialists,” said Oettinger.
“We are also conducting an investigation into the potential for data leaks. For forensic reasons, we are unable to provide any further details at this moment.
“Production and logistics have not been affected by the cyber attack." (Daniel Croft / Cyber Daily)
Related: Just Drinks, Cybernews, The Drinks Business, SC Media, Heise Online
Daniel Stenberg, the original author and lead of the curl project, accused AI users of submitting slop vulnerabilities.
"A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time," Stenberg wrote on LinkedIn.
Stenberg, saying that he's "had it" and is "putting my foot down on this craziness," suggested that every suspected AI-generated HackerOne report will have its reporter asked to verify if they used AI to find the problem or generate the submission. If a report is deemed "AI slop," the reporter will be banned. "We still have not seen a single valid security report done with AI help," Stenberg wrote. (Kevin Purdy / Ars Technica)
Related: Daniel Stenberg on LinkedIn, HackerOne, Socket, Cyber Security News, Slashdot
Researchers at Proofpoint report that a new phishing kit named 'CoGUI' sent over 580 million emails to targets between January and April 2025, aiming to steal account credentials and payment data by impersonating major brands like Amazon, Rakuten, PayPal, Apple, tax agencies, and banks.
The activity, which Proofpoint said is the highest-volume phishing campaign it currently tracks, peaked in January 2025, when 170 campaigns sent 172,000,000 phishing messages to targets, but the following months maintained comparably large volumes.
The analysts found several similarities to the Darcula phishing kit, which has been linked to China-based operatives. Initially, they believed that the origin of the CoGUI attacks was the same.
However, upon deeper examination, Proofpoint concluded that the two phishing kits are unrelated, even though they are both utilized by Chinese threat actors. (Bill Toulas / Bleeping Computer)
Related: Proofpoint, Dark Reading, Cyber Security News, TechRadar, The 420, inkl

In a joint advisory issued with the FBI, the Environmental Protection Agency (EPA), and the Department of Energy (DOE), the US Cybersecurity and Infrastructure Security Agency (CISA) warned critical infrastructure organizations of "unsophisticated" threat actors actively targeting the US oil and natural gas sectors.
While these attacks use fundamental tactics to compromise their targets' industrial control systems (ICS) and operational technology (OT) equipment, CISA cautioned that they could still lead to significant impact, including physical damage and disruptions.
The agency advised security teams to ensure that their organizations' attack surface is as small as possible by removing public-facing OT devices from the Internet. Threat actors can easily find and compromise them because they lack modern authorization and authentication methods that could protect against hacking attempts.
CISA also recommended changing default passwords to unique and strong ones and securing remote access to OT assets using a virtual private network (VPN) featuring phishing-resistant multifactor authentication (MFA). (Sergiu Gatlan / Bleeping Computer)
Related: CISA, The Record, Computing, GBHackers, Cyber Security News, Security Week
Researchers at Check Point say a sophisticated phishing campaign has reintroduced Inferno Drainer, a notorious crypto-draining tool that targets users through deceptive Discord interactions.
Despite claims of its shutdown in late 2023, Check Point Research (CPR) reports that Inferno Drainer remains active, employing enhanced techniques to bypass security measures and drain digital wallets.
The malware now uses single-use smart contracts and on-chain encrypted configurations, making detection and prevention more challenging. Communication with command-and-control (C2) servers has been obfuscated through proxy-based systems, further complicating tracking efforts.
These advancements allow the drainer to circumvent wallet security mechanisms and anti-phishing blacklists.
In a recent campaign, attackers exploited Discord by redirecting users from legitimate Web3 websites to counterfeit Collab.Land bots, leading them to phishing sites. Victims were tricked into signing malicious transactions, granting attackers access to their funds.
Check Point says over the past six months, Inferno Drainer has reportedly compromised more than 30,000 wallets, resulting in losses exceeding $9m. (Alessandro Mascellino / Infosecurity Magazine)
Related: Check Point
According to cyber insurance giant Coalition's 2025 Cyber Claims Report, global claims frequency decreased 7% YoY in 2024 to 1.48%, with a notable dip in the latter half of the year, while global claims severity remained stable YoY in 2024 with an average loss amount of $115,000, a significant amount for organizations of all sizes.
Business email compromise (BEC) and funds transfer fraud (FTF) comprised 60% of cyber insurance claims in 2024.
The average loss was $115,000 per claim, but it was significantly higher in Canada, where the average was $226,000. In the US, average losses per claim were about $108,000, while they were lowest in the UK, which saw just $35,000 in losses per claim on average.
BEC attacks stood out as having the most significant increase in claims severity in 2024 – a 23% increase from about $28,500 to $35,000 on average in cases that did not include FTF or ransomware. Additionally, average BEC losses reached a three-year peak in the second half of 2024, resulting in average claimed losses of about $44,500.
While the costs of BEC attacks alone rose in 2024, nearly a third (29%) of all BEC events last year resulted in FTF, where victims were tricked into transferring funds to cybercriminals. FTF attacks stemming from BEC cost an average of $106,000, and overall, FTF events resulted in average losses of $185,000, a significant 46% decrease from an all-time high of $340,000 in 2023.
Notably, fewer high six-figure and seven-figure FTF attempts were noted in the past year, potentially due to increased flagging of large transactions by financial institutions. Coalition aided in the recovery of an average of $278,000 per event through cooperation with government authorities and panel partners. According to Coalition, nearly a quarter of FTF victims achieved a partial recovery of funds, and 12% achieved complete recovery.
Ransomware attacks were the most severe incidents, accounting for about 21% of claims in 2024. The average loss claimed from a ransomware attack in 2024 was $292,000, a 7% year-over-year decrease and a significant decrease from the peak of $393,000 in the first half of 2023. Overall, ransomware claims frequency decreased by 3% in 2024. (Laura French / SC Media)
Related: Coalition, Business Wire

The UK’s National Cyber Security Centre (NCSC) says that a new digital divide is threatening UK businesses, with those that fail to keep up with AI-powered cyber crime at risk of being targeted by would-be hackers.
The agency warned that hackers use AI tools in several key areas, including vulnerability research, victim reconnaissance, malware development, and ramping up social engineering techniques.
“To 2027, this will highly likely increase the volume and impact of cyber intrusions through evolution and enhancement of existing TTPs, rather than creating novel threat vectors,” the NCSC said in a new report.
It added that while only “highly capable state actors” will have the resources to build their own offensive AI models, the remaining groups, which make up the majority of threat actors, will make use of off-the-shelf AI models to “uplift their capability." (Jane McCallion / IT Pro)
Related: NCSC, BBN Times, Computer Weekly
Google said email systems that still use 3DES to send messages to Gmail must switch to a more modern encryption method by May 30.
After the cutoff, if a server tries to connect using only 3DES, the connection will be refused and the message will not be delivered.
3DES is an encryption algorithm that applies the older Data Encryption Standard three times to each chunk of data. While this offered better protection than single DES, which became easier to break with faster computers, 3DES is now considered outdated. (David Uzondu / Neowin)
Related: Google, Hacker News (ycombinator)
Application security platform provider Ox announced it had raised $60 million in a Series B venture funding round.
DTCP led the round with participation from Swisscom Ventures, IBM, Evolution Equity, Microsoft, and Team 8. (Kyle Wiggers / TechCrunch)
Related: Security Week, Silicon Angle, CTech, PR Newswire, Unite.ai, FinSMEs, Globes, Ox Security
AI-powered code-fixing platform CodeAnt AI announced it had raised $2 million in a seed venture funding round.
The funding came from Y Combinator, VitalStage Ventures, Uncorrelated Ventures, DeVC, Transpose Platform, Entrepreneur First, and angel investors. (Eduard Kovacs / Security Week)
Related: eeNews, Tech Funding News
Best Thing of the Day: If Only UK Retailers Knew About These
Google's Mandiant released prioritized recommendations to protect against tactics utilized by UNC3944, a group that mostly overlaps with the group known as Scattered Spider.
Worst Thing of the Day: At Least North Korean Crypto Thieves Aren't Doing This
Crypto thieves snatched an older gentleman who got rich from his crypto investments from the streets of Paris on May 1 and demanded a multimillion-euro ransom from the man's son, cutting off the man's finger in the course of negotiations.
Closing Thought
