Extortionists target schools following last year's PowerSchool hack.

Summary

By the CyberWire staff

At a glance.

Extortionists target schools following last year's PowerSchool hack.
LockBit ransomware operation hacked.
South African Airways discloses disruptive cyberattack.

Extortionists target schools following last year's PowerSchool hack.

Education software provider PowerSchool has confirmed that a threat actor is attempting to extort individual schools using data stolen from the company during a December cyberattack. Following the attack, PowerSchool paid a ransom to prevent the threat actor from publishing the stolen data. It's unclear if the latest extortion attempts are being launched by the same threat actor or if another group obtained a copy of the data.

The company told the Register in a statement, "PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident. We do not believe this is a new incident, as samples of data match the data previously stolen in December. We have reported this matter to law enforcement both in the United States and in Canada and are working closely with our customers to support them. We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors."

PowerSchool added, "As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us."

Stop Identity-Based Cybercrime with SpyCloud’s Holistic Identity Threat Protection

Stolen identity data is the hot commodity for cybercriminals. With the full scope of your users’ digital footprints at risk for exposure, traditional account-centric security is no longer enough to protect your business from cyberattacks. SpyCloud helps security teams correlate and automatically remediate individuals' hidden identity exposures from breaches, malware, and phishing across their many online personas. Eliminate identity-based cyber threats and proactively defend against account takeover, fraud, and ransomware with SpyCloud.

LockBit ransomware operation hacked.

The LockBit ransomware gang was hacked by an unknown actor who defaced the group's affiliate panels with a link to a MySQL database containing information dumped from the affiliates, BleepingComputer reports. The database includes just under 60,000 unique bitcoin addresses, configurations for builds created by affiliates for attacks, and several thousand negotiation messages between the group and its victims.

It's not clear who carried out the hack, but BleepingComputer notes that the defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," matches the one used in the recent hack of the Everest ransomware's leak site.

South African Airways discloses disruptive cyberattack.

South African Airways (SAA) has disclosed that it sustained a "significant cyber incident" on May 3rd that "disrupted access to the airline’s website, mobile application, and several internal operational systems." The airline added, "Normal system functionality across all affected platforms was restored later the same day."

The nature of the incident is unclear; the Record says the airline didn't respond to questions for comment about whether the attack involved ransomware. SAA said in its statement, "Regarding the potential impact on data, the preliminary investigation is currently assessing the full extent of the incident and actively working to determine if any data was accessed or exfiltrated. SAA is committed to notifying any affected parties directly, in accordance with regulatory requirements, should the investigation confirm a data breach."

Notes.

Today's issue includes events affecting , and South Africa the United States.

Attacks, Threats, and Vulnerabilities

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms (Morphisec) As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promising cutting-edge content generation in exchange for user uploads.

Russian state-linked Coldriver spies add new malware to operation (The Record) A Russian cyber-espionage group tracked as Coldriver by Google researchers has updated its malware toolset.

Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads (Hackread) Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

Marketplace

accessiBe Appoints Robert Lopez as Chief Executive Officer (PR Newswire) /PRNewswire/ -- Web accessibility market leader accessiBe, today announced that it has appointed Robert Lopez as Chief Executive Officer. With decades of...

Legislation, Policy, and Regulation

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

CYSAT (Paris, France, May 14 - 15, 2025) In today’s society, we heavily rely on space-based assets, and considering the continuously evolving cyber threats in the current geopolitical environment, securing space data is a major challenge. Since 2021, CYSEC has been organizing CYSAT to bring together all the players in the space cybersecurity domain.

CyberWiseCon Europe 2025 (Vilnius and virtual, Lithuania, May 21 - 23, 2025) CyberWiseCon is a premier IT security conference that brings together cybersecurity experts, industry leaders, and IT professionals from around the Europe.

NICE Conference (Denver, Colorado, USA, Jun 1 - 4, 2025) The NICE Conference is the annual convening of community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a skilled cybersecurity workforce ready to meet the challenges of the future. This event provides an opportunity to share best practices from around the world and across sectors in order to build the workforce we need to confront cybersecurity risks today and in years to come.

2025 Space Regulatory Bootcamp (Albuquerque and Virtual, New Mexico, USA, Jun 10 - 11, 2025) ACSP's Bootcamps educate new and established space professionals on must-know fundamentals and arm them for success. The 2025 Space Regulatory Bootcamp, hosted in Albuquerque, New Mexico, is a two day comprehensive industry deep dive with advanced training and meaningful networking. Learn directly from leading subject matter experts on topics including space law, export controls, space telecommunications, government contracting, and more.

AWS re:Inforce 2025 (Philadelphia, Pennsylvania, USA, Jun 16 - 18, 2025) AWS re:Inforce is our annual, immersive, cloud-security learning event delivering hands-on training and collaboration with AWS experts. It’s your opportunity to learn about the latest AWS security innovations, get direct access to the AWS teams and partners who build the security tools you rely on, and connect with cloud security peers from around the world. You’ll leave with actionable next steps to raise your security posture.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 05.08.25

At a glance.

Extortionists target schools following last year's PowerSchool hack.

LockBit ransomware operation hacked.

South African Airways discloses disruptive cyberattack.

Notes.

Attacks, Threats, and Vulnerabilities

Marketplace

Legislation, Policy, and Regulation

Events