Overnight, ransomware gang SafePay claimed last month’s attack on Connecticut school district, Ridgefield Public Schools. It set the deadline for the ransom payment at just over two days, threatening to release 90 GB of data if its demands aren’t met.
Ridgefield Public Schools recently confirmed it was hit by a ransomware attack on July 24, 2025. In a statement it said:
RPS’ cybersecurity tools detected attempts to execute an encryption virus on the computer network. After identifying this activity, the computer network was taken offline to investigate what occurred.”
At the time of writing, system restoration is ongoing. But in updates posted to its website yesterday, RPS said it hoped teachers would have access to emails again from this week. Investigations into a potential data breach also remain ongoing but RPS is offering advice on how people can safeguard their data in case sensitive personal information has been stolen.
While RPS did confirm that a ransom was demanded, it hasn’t confirmed how much this was for and whether or not this was paid. However, the fact SafePay has published the school district to its website does suggest any negotiations failed–for the data theft at least. We have contacted RPS for more information on these ransom demands and also to clarify how hackers accessed its systems, what data has potentially been impacted, and how many people may have been affected. We will update this article if we receive a response.
Who is SafePay?
SafePay first started adding victims to its data leak site in November 2024. Since then, we’ve tracked 278 attacks via the group, 35 of which have been confirmed by the entity involved. The group uses LockBit-based ransomware and appears to follow a double-extortion technique whereby a ransom is demanded to decrypt systems and delete stolen data.
RPS is the sixth educational institution confirmed to have fallen victim to SafePay. This year, Harrison County Board of Education in the US and a Czech school (Gymnázium a Jazyková škola Zlín) were also targeted by the group.
Throughout 2025 so far, we’ve noted 23 confirmed and a further 207 unconfirmed attacks via SafePay across all sectors.
Ransomware attacks on US schools, colleges & universities
This year, we’ve recorded 26 confirmed attacks on the US education sector and are monitoring a further 49 unconfirmed attacks.
Like RPS, a number of other school districts have been grappling with ransomware attacks in recent months, including:
- School District 5 of Lexington and Richland Counties – this South Carolina school district was targeted by Interlock in June 2025 with 1.3 TB allegedly stolen
- Franklin Pierce Schools – hit by Medusa in June 2025, FPS faced a $400,000 ransom demand for just over 821 GB of stolen data
- Manassas Park City Schools – the Virginian school district has just confirmed it was hit by an attack in June 2025 and that various data may have been impacted, including Social Security numbers, passport numbers, and financial account details. No hackers have claimed this attack yet
- Fort Smith Public Schools – this attack in July 2025 caused disruption to various systems. Qilin claimed the attack at the start of this month
As we’re seeing in this latest attack on Ridgefield Public Schools, ransomware attacks on the education sector aim to cause mass disruption through encrypted systems in the hopes the organization has no option but to pay the ransom. But, if ransoms aren’t paid, hackers will have often “doubled up” on their chances of securing a payment by stealing data in the process. Then, if all else fails, they can sell this data on the dark web.
In 2024 alone, nearly 3 million records were breached across 83 attacks on the education sector in the US, highlighting the severe and ongoing impact these attacks can have on schools, colleges, and universities.
About Ridgefield Public Schools
Located in Ridgefield, Connecticut, RPS is home to nine schools (six elementary schools, two middle schools, and one high school) and serves around 4,500 students.
