When Criminals Cross the Line: The Kido Nursery Attack and the Limits of Cyber Extortion


The Attack That Shocked Even Hackers

In late September 2025, a relatively unknown ransomware group called Radiant committed what cybersecurity experts described as a "new low" in cybercrime. The hackers infiltrated Kido International nurseries, stealing sensitive data on approximately 8,000 children including photographs, names, addresses, dates of birth, medical records, and safeguarding information. (For comprehensive coverage of the initial attack, see our earlier analysis: When Cybercriminals Target Our Children: The Kido International Ransomware Attack.)

But what happened next revealed something unprecedented in the ransomware ecosystem: even criminals have boundaries they're unwilling to cross—or at least, boundaries they can't afford to ignore.

The criminals began posting profiles of children to their darknet website, adding another 10 children days later and vowing to continue until Kido Schools paid a ransom. They also took the disturbing step of calling parents directly, urging them to pressure the nursery chain to pay the ransom or face having their child's data leaked.

Then came the backlash. And it was fierce enough to make the criminals do something rarely seen in ransomware operations: they completely reversed course.

The Unprecedented Retreat

Following widespread public revulsion, the Radiant group removed all information online, claimed to have deleted the stolen data, and apologized for their actions, stating "We are sorry for hurting kids". It's understood that Kido refused to pay the ransom, which was thought to be around £600,000, meaning the criminals actually lost money on this attack after paying an initial access broker for entry to the system.

Cybersecurity expert Jen Ellis noted that "this is more about pragmatism than morality," adding that "these criminals are clearly shocked and worried by the attention their hack has caused and they are trying to protect themselves or their brand".

The skepticism is warranted. Past cases have shown that hackers often claim to have deleted stolen data only for it to resurface later or be sold on. When the UK's National Crime Agency dismantled the LockBit gang, they discovered vast amounts of data still on servers despite victims having paid for deletion.

A Pattern of Moral Boundaries—Or Calculated PR?

This isn't the first time ransomware criminals have appeared to recognize they've crossed an invisible line. The history of such "ethical" retreats reveals a complex picture of criminal pragmatism dressed in moral language.

The German Hospital Death (2020)

In 2020, the DoppelPaymer ransomware gang attacked Düsseldorf University Hospital in Germany, causing a 78-year-old woman requiring emergency care to be rerouted to a hospital 30 kilometers away, where she later died. Upon learning they had hit a hospital rather than their intended target (the University), the gang provided the decryption key free of charge—though too late to save the patient.

German authorities opened a negligent homicide investigation, and arrest warrants were eventually issued for three suspected masterminds of the group, with raids conducted in Germany and Ukraine. The incident became known as potentially the first death directly attributed to a ransomware attack.

The Irish Health Service Debacle (2021)

On May 14, 2021, Ireland's Health Service Executive suffered a massive Conti ransomware attack that shut down IT systems nationwide across 54 hospitals and 4,000 locations, with a $20 million ransom demand. Ireland's government refused to pay the ransom, and the Conti group eventually provided the decryption key for free, claiming they had not deliberately targeted hospitals.

The attack had devastating consequences: patient care was disrupted for weeks, cancer treatments were delayed, and data on 94,800 patients and 18,200 staff were compromised. The incident reportedly caused internal fractures within the Conti group, with some members disturbed by the severity of the attack's impact.

DarkSide's "Robin Hood" Charade (2020-2021)

The DarkSide ransomware group attempted to cultivate a "Robin Hood" image by posting receipts for Bitcoin donations of $10,000 each to Children International and The Water Project in October 2020. Both charities rejected the donations, with Children International stating they had "no intention of keeping" money linked to hacking activity.

DarkSide claimed to avoid targeting healthcare centers, schools, and non-profits, focusing instead on "large profitable corporations". Yet this supposed ethical stance didn't prevent them from executing the Colonial Pipeline attack in May 2021, which caused fuel shortages across the U.S. East Coast.

Why This Backlash Matters

The Kido nursery attack and the subsequent retreat reveal several critical dynamics in the ransomware ecosystem:

1. Public Attention is a Double-Edged Sword

Cybersecurity expert analysis suggests that "from a negotiation standpoint, this attack effectively burns a bridge for the entire ransomware industry" because engaging with groups that demonstrate "such blatant disregard for human decency is now an intolerable risk for any organization".

The intense media coverage and public outrage created operational risks for the Radiant group that outweighed any potential financial gain. In an ecosystem that relies on anonymity and operates in legal grey zones, becoming the focus of international law enforcement attention is an existential threat.

2. Ransomware Groups Care About Their "Brand"

Radiant was described as a "newly emergent" group with a barebones darknet presence. For a fledgling operation trying to establish itself in the competitive ransomware-as-a-service market, being universally condemned as the group that targeted toddlers is catastrophic for future business.

Established ransomware groups operate with a degree of calculated professionalism. They often try to differentiate themselves through victim selection, negotiation tactics, or PR efforts to appear more "reasonable". Radiant destroyed any possibility of this by attacking such vulnerable targets.

3. The Healthcare and Education Sectors Remain Prime Targets Despite Claims

Healthcare experienced the largest share of ransomware attacks among 16 critical infrastructure sectors in 2023, with security experts noting that hospitals are viewed as "perfect prey" because "they have terrible security and they'll pay".

Research from the University of Minnesota estimates that ransomware attacks killed 42 to 67 Medicare patients between 2016 and 2021. Studies show that patients admitted to hospitals during ransomware attacks face a 20-35% increase in mortality risk.

Despite periodic claims by various groups that they avoid healthcare targets, the reality is that the decision by cybercriminals to launch large-scale campaigns attacking hospitals "shows how unbound by moral considerations they are when selecting their targets".

4. The "Initial Access Broker" Economy Complicates Moral Lines

The Radiant hackers claimed they bought access to Kido's systems from an "initial access broker" who had separately compromised a staff computer. This fragmented criminal ecosystem means that groups may not always know their ultimate target until they're already inside the network.

This raises uncomfortable questions: Is ignorance of the target a valid excuse? The Kido case suggests that even if a group didn't intentionally target children, once they discovered what they had, proceeding with the attack crossed a bright red line.

The Broader Implications

For Organizations

The Kido attack underscores critical vulnerabilities in sectors serving vulnerable populations. As we detailed in our initial coverage of the attack, the breach exposed not just technical failures but systemic weaknesses in how organizations handle children's data.

Anne Cutler of Keeper Security emphasized that "this case is particularly concerning because it involves one of the most sensitive categories of data—children's personal information," noting that "unlike a credit card, which can be cancelled, a child's name, photograph and home address cannot be replaced".

Experts argue that smaller organizations like nurseries often lack the budget for robust cybersecurity, creating dangerous gaps that hackers eagerly exploit.

For Law Enforcement

At a UN Security Council briefing in November 2024, U.S. officials stated that "ransomware attacks on hospitals and healthcare systems are a serious threat to international peace and security" that "jeopardize lives" and "destabilize societies".

The briefing noted that the U.S. government was aware of over 1,500 ransomware-related incidents in 2023 alone, generating over $1.1 billion in payments.

Russia was specifically called out for allowing ransomware actors to "operate from their territory with impunity, even after they have been asked to rein it in".

For the Criminal Ecosystem

The Kido backlash may represent a recalibration of what targets are considered "acceptable" within criminal circles—not for moral reasons, but for pragmatic ones.

As one security expert noted, "this action will likely harden the stance of both victims and law enforcement, making productive negotiations, even in extreme circumstances, almost impossible".

When criminals can't operate with impunity, when they face genuine reputational damage even within their underground networks, and when attacks generate sufficient outrage to mobilize international law enforcement, the cost-benefit calculation changes.

The Uncomfortable Truth

While the Radiant group's retreat offers some comfort to affected families, it exposes an uncomfortable reality: cybercriminals will push boundaries until they face consequences severe enough to force retreat. Public revulsion alone, without enforcement action, may not be a sufficient deterrent for future attacks on vulnerable populations.

The question isn't whether these groups have discovered morality—clearly they haven't, given they still engaged in the attack and only retreated when facing backlash. The question is whether the cybersecurity community, law enforcement, and society can maintain sufficient pressure to make such attacks consistently too risky to attempt.

Radiant appears to be a new and possibly inexperienced group. Their miscalculation may serve as a lesson to others in the ransomware ecosystem: some targets are toxic enough to destroy even a criminal operation. Whether that lesson holds depends on what happens next—both in terms of pursuing this group legally and in protecting the sectors that serve our most vulnerable populations.

Conclusion

The Kido nursery attack and its aftermath represent a rare moment of accountability in the ransomware world, however hollow that accountability may be. The UK's National Cyber Security Centre described the incident as "deeply distressing" and noted that "cyber criminals will target anyone if they think there is money to be made, and going after those who look after children is a particularly egregious act".

The unprecedented backlash forced criminals to retreat, but it shouldn't have taken attacking children to establish where the line is drawn. Every hospital patient denied treatment, every medical record exposed, every school system disrupted represents the same fundamental violation: using technology to harm the most vulnerable for profit.

If there's any silver lining to this disturbing incident, it's proof that even in the darkest corners of the internet, there are limits—and when those limits are crossed, the consequences can be severe enough to make even hardened criminals think twice. The challenge now is making those consequences consistent and strong enough to prevent such attacks before they happen, not just punish them after children's lives have been disrupted.


Article based on reporting from BBC, CNN, Malwarebytes, The Register, Cybernews, and multiple cybersecurity sources documenting the Kido attack and historical ransomware incidents.
