Ransomware Group: SINOBI

VICTIM NAME: Stewart Home School

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SINOBI Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On August 9, 2025, the leak page publicly identifies Stewart Home School as a ransomware victim. The institution is described as a residential school in Franklin County, Kentucky, United States, serving individuals with intellectual or developmental disabilities. The post frames the incident as an encrypted data event and lists a ransom demand of $23,300,000. The publication date shown in the leak’s metadata matches August 9, 2025. A claim URL is present on the page, and six image attachments accompany the post; these appear to be internal documents or screenshots, though their exact contents are not disclosed in the available excerpt. The presentation aligns with common ransomware leak pages that announce intrusions and pressure payment.

The page’s content includes a high-level description of the victim’s operations, painting Stewart Home School as a long-established educational institution serving residents with developmental disabilities. The body excerpt explicitly notes that data has been encrypted and references a monetary ransom figure, with a dated marker of 09/08/2025 in the text. While the page indicates there is a claim URL and six image attachments, it provides no detailed breakdown of the specific data types or files affected. The six attachments appear to be screenshots or internal documents, but their contents are not described in the accessible summary. No direct compromise date beyond the post date is provided within the excerpt, and no personal contact information or addresses are shown. The available content focuses on public attribution, encryption status, and the stated ransom amount.