Date of Incident:
September 25, 2025
Overview:
In September 2025, the Kido Nursery Chain suffered a ransomware attack leading to the theft and partial leak of sensitive data related to over 1,000 children, as well as information about parents, relatives, employees, and company operations. The breach, reported in October 2025, sparked extortion attempts and threatening calls to parents. Attackers exploited a public-facing application to gain initial access, deploying a ransomware variant that encrypted files and demanded payment. Despite the breach, data hosted by the Famly software service remained uncompromised.
Impact:
Sensitive data and photos of over 1,000 children, along with data of parents, relatives, and employees and company data, were stolen and partially leaked on the dark web. Extortion attempts and threatening calls to parents followed. Data hosted by the Famly software service was confirmed secure, with no breach of Famly itself.
Details:
The breach involved deployment of a ransomware variant mapped to MITRE ATT&CK technique T1486 (Data Encrypted for Impact), with initial access through T1190 (Exploitation of Public-Facing Application). Proof of Concept (PoC) code analysis identified the ransomware family as encrypting local and network-mapped drives, deleting shadow copies, and deploying a ransom note demanding payment. IOCs include hashes: e3b0c44298fc1c149afbf4c8996fb9
Remediation:
Follow vendor patch guidelines specific to the ransomware variant and strengthen endpoint detection. Temporary mitigations include isolating infected systems, applying the principle of least privilege, and restoring from verified backups. Known workarounds: disable SMBv1, enable network segmentation, and apply multi-factor authentication for remote access.
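One way to strengthen endpoint detection for the shadow-copy deletion behaviour described under Details is to match process command lines against known recovery-tampering patterns. The following is an added example, not code from the incident report: the rule set, the JSON field names and the sample events are assumptions constructed for illustration.

```python
import json
import re

# Assumed rule set for this example: command lines commonly tied to
# shadow-copy deletion or recovery tampering. Tune for your environment.
RULES = [
    ("vssadmin_delete_shadows", r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    ("vssadmin_resize_storage", r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("wmi_shadowcopy_delete", r"\bwin32_shadowcopy\b.*\bdelete\b"),
    ("wbadmin_delete_backup", r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b"),
    ("bcdedit_disable_recovery", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Constructed sample events (simplified process-creation records, one JSON
# object per line); hosts, users and times are made up for the example.
SAMPLE_EVENTS = r'''
{"UtcTime": "2025-01-01 02:14:07", "Computer": "FS01", "User": "CORP\\svc_backup", "CommandLine": "vssadmin list shadows"}
{"UtcTime": "2025-01-01 02:15:31", "Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"}
{"UtcTime": "2025-01-01 02:15:33", "Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "wmic shadowcopy delete"}
this line is truncated and not valid JSON
{"UtcTime": "2025-01-01 02:15:40", "Computer": "WS17", "User": "CORP\\alice", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"UtcTime": "2025-01-01 02:16:02", "Computer": "WS17", "User": "CORP\\alice", "CommandLine": "powershell.exe -Command \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""}
'''

def detect(log_text):
    """Return (alerts, skipped): matched events and count of unparseable lines."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            cmd = str(event["CommandLine"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count malformed records instead of silently dropping them
            continue
        for name, rx in COMPILED:
            if rx.search(cmd):
                alerts.append((event.get("UtcTime"), event.get("Computer"), name))
                break  # first matching rule is enough for one alert per event
    return alerts, skipped

if __name__ == "__main__":
    found, bad = detect(SAMPLE_EVENTS)
    for utc, host, rule in found:
        print(f"{utc} {host} {rule}")
    print(f"unparseable lines: {bad}")
```

The read-only `vssadmin list shadows` call is not flagged, and the unparseable line is counted so that gaps in log collection are visible to the analyst.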
Takeaway for CISO:
The incident underscores the risk of ransomware targeting sensitive consumer services data, especially involving child protection concerns. Strategic takeaway: CISOs should prioritize comprehensive endpoint protection, strict access controls, rapid incident response plans, and continuous monitoring for unusual network activity to mitigate similar threats.




