Ransomware gang Qilin over the weekend took credit for a September 2025 data breach at Mecklenburg County Public Schools.
The southern Virginia school district first notified parents of a cybersecurity incident on September 2, 2025. Without internet access, teachers resorted to pen, paper, and white boards in the classroom. Systems were restored a week later.
Qilin says it stole 305 GB of data from the school. To prove its claim, Qilin posted sample images of what it says are documents stolen from MCPS. On its leak website, Qilin said the stolen data includes financial reports, grant awards, budgets, and children’s medical records.
MCPS superintendent Scott Worner confirmed Qilin was the attacker, but said he could not verify what data was compromised until authorities and the school’s insurance company complete their investigation.
Worner said Qilin’s ransom demand frequently changed. “We don’t intend to move forward with payment at this time,” he said, but that the final decision depends on the findings of the investigation and what files were encrypted and/or stolen.
Warner gave a word of warning to other school districts facing the threat of cyber attacks. “It’s not if. It’s when,” he said. “Whoever your insurance company is, make sure your cybersecurity coverage is up to date.”
Who is Qilin?
Qilin is a ransomware gang that began taking credit for attacks on its data leak site in late 2022. Based in Russia, Qilin mainly targets victims through phishing emails to spread its ransomware. It runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.
Qilin is the most active ransomware group so far this year. In 2025 to date, it has take credit for 103 confirmed ransomware attacks, plus 470 unconfirmed attack claims that haven’t been publicly acknowledged by the targeted organizations.
Besides MCPS, Qilin claimed responsibility for four other attacks on schools and colleges in 2025:
- Qilin hijacked and defaced Western New Mexico University’s website in April 2025
- Botetourt County Public Schools (VA) reported a May 2025 breach claimed by Qilin
- Fort Smith Public Schools (AR) reported a July 2025 data breach claimed by Qilin
- Belmont Christian College (Australia) reported a July 2025 data breach claimed by Qilin
Qilin also made recent claims against Ville de Saint-Claude in Guadeloupe, France and Shamir Medical Center in Israel.
Ransomware attacks on US education
Comparitech researchers have logged 33 confirmed ransomware attacks on US schools, colleges, and universities in 2025 to date. Another 62 attacks have been claimed by ransomware gangs but not acknowledged by the targeted schools.
Uvalde Consolidated Independent School District in Texas also confirmed a ransomware attack last month, though no ransomware group has claimed it yet.
Also in September, Madison Elementary School District in Arizona notified 35,000 people of a data breach claimed by Interlock in April 2025.
The education sector takes longer than any other to report data breaches to victims: 4.8 months on average.
Ransomware attacks on schools and colleges can disrupt day-to-day operations such as taking attendance, submitting grades, phone and email communications, billing, payroll, assignments, and more. Ransomware attacks are often two-pronged: they lock down computer systems and steal data. Schools that refuse to pay a ransom face extended downtime, data loss, and putting students and faculty at increased risk of fraud.
About Mecklenburg County Public Schools
Located on Virginia’s southern border, Mecklenburg County Public Schools enrolls about 4,000 students across six schools: Chase City Elementary, Clarksville Elementary, La Cross Elementary, South Hill Elementary, Mecklenburg County Middle, and Mecklenburg County High.
