A secondary school in Antwerp, Belgium, has found itself at the center of a troubling cybercrime episode that has shifted from corporate ransom demands to direct appeals to families.

Late last month, cybercriminals breached the internal network of OLV Pulhof, a high school in the Berchem district, shortly after students returned from the winter break. The attackers demanded a ransom payment of €15,000 (about $17,800) from the school, claiming they had accessed sensitive information related to students and staff.

When school officials refused to negotiate or pay, the hackers took a more disturbing step: they began contacting parents individually, urging them to intervene or to make payments of their own — in some cases as little as €50 per child — or risk having personal data leaked or sold online.

The school has not provided a detailed public statement about the incident, but authorities in Antwerp have confirmed that an investigation is underway. Officials from the prosecutor’s office declined to share further details.

Unusual Tactics Raise Concerns

In messages allegedly sent by the attackers, the group identified itself as “Lock-Bit.” But security analysts say there are inconsistencies with the name and signature ransom behavior of the well-known LockBit ransomware group — notably that this threat actor chose email outreach instead of the typical encrypted system ransom note and negotiation portal.

The shift from targeting the institution to directly targeting families is unusual. Most ransomware schemes aim for a single, large payout from an organization, not many small payments from individuals. This could signal the attackers are struggling to profit from the data they obtained and are experimenting with a new method of extraction.

School’s Response: Don’t Pay

In line with best cybersecurity practices, the school has urged parents not to pay any ransom. Experts warn that paying could encourage further extortion and does not guarantee the data won’t still be leaked. Cooperation with law enforcement and specialized cyber incident response teams remains the recommended course of action.

The incident highlights a broader trend: cyber threats against educational institutions are rising, and the sensitive nature of student and staff data — including financial records and health or disciplinary information — makes schools attractive targets for attackers looking to profit.