A ransomware attack that disrupted operations at Mecklenburg County Public Schools (MCPS) in early September has been claimed by the Russian cybercrime group Qilin.
The gang said it stole 305 GB of sensitive data from the southern Virginia district, including financial records, grant documents, budgets and children’s medical files.
Cyber-Attack Shuts Down Schools
MCPS first alerted families to a cybersecurity incident on September 2 2025. The attack forced teachers offline, leaving them relying on pen, paper and whiteboards for instruction. Internet systems were restored about a week later.
Qilin later published sample images online, which it claimed were part of the stolen files. Superintendent Scott Worner confirmed that the group was behind the attack but stated that the school district is still assessing the extent of the breach.
“We don’t intend to move forward with payment at this time,” Worner said.
“The final decision depends on the findings of the investigation and what files were encrypted and/or stolen.”
He also urged other districts to prepare for cyber-threats.
“It’s not if. It’s when,” he said.
“Whoever your insurance company is, make sure your cybersecurity coverage is up to date.”
Qilin’s Expanding Ransomware Reach
Qilin is a ransomware operation that surfaced in late 2022 and runs as a ransomware-as-a-service network. Affiliates use its malware to launch attacks and share ransom proceeds. The group primarily spreads its malware through phishing emails.
So far in 2025, Qilin has claimed responsibility for 103 confirmed ransomware incidents and 470 unverified ones. Educational institutions have been frequent targets.
Other victims this year include:
-
Western New Mexico University
-
Botetourt County Public Schools in Virginia
-
Fort Smith Public Schools in Arkansas
-
Belmont Christian College in Australia
Read more on ransomware threats to schools: ICO Warns of Student-Led Data Breaches in UK Schools
Rising Impact on Education
Data from Comparitech shows at least 33 confirmed ransomware attacks on American schools, colleges and universities in 2025, with another 62 claimed but unverified.
In September alone, districts in Texas and Arizona disclosed new incidents.
The education sector faces unique challenges in responding to breaches, taking an average of 4.8 months to notify affected individuals.
These attacks often cripple essential operations, from attendance and grading to payroll and communication systems, while exposing staff and students to potential identity fraud.
