How Ransomware and Extortion Are Getting Personal

The moment ransomware gangs published photos of children, something fundamental broke.

Last September, a ransomware attack on a chain of early-years nurseries, operating in London and internationally, crossed a line that took even seasoned experts by surprise. While ransomware attacks often involve stolen personal data being held hostage or leaked, this time the attackers targeted the most vulnerable demographic: young children.

They published photos of children alongside names and home addresses, exposing their identities to the entire world. This wasn’t just double extortion. It was the deliberate exposure of minors as pressure points. In October, two 17-year-old males were arrested in connection with the attack, but the damage was already done. Once personal data is exposed, it cannot be undone. The trauma remains.

During ransomware incidents, we often focus on large organizations and well-known brands, treating the theft of individuals’ data as collateral damage. In reality, it is not collateral at all–it is very much the target.

What makes this case especially unsettling is how clearly it reflects a broader shift in cybercrime. With the growing variety of attacks, every possible pressure point is now being exploited. Double extortion has become more personal, more targeted, and more shameless. Today’s attackers don’t rely solely on Tor-based leak sites; they amplify pressure through mainstream platforms, where stolen data can reach the public in seconds. The goal is no longer just to harm organizations, but to inflict social, psychological, and reputational damage on the people around them.

For researchers, responders, and victims alike, this creates immense pressure. The data is visible. The harm is public. And anyone can become a target.

This nursery attack marked a line being crossed and should serve as a wake-up call. Cyber incidents are no longer purely financially motivated. They are intimate, harmful, and deeply personal, for both those targeted and those responding. Even after arrests and takedowns, the consequences remain with the affected individuals and their loved ones. That is the reality our research and reporting must continue to confront.

Anastasia Sentsova, Senior Threat Intelligence Analyst, Analyst1