Ransomware Group: QILIN

VICTIM NAME: Mecklenburg County Public Schools

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page identifies Mecklenburg County Public Schools as the claimed victim of a ransomware operation attributed to the group qilin. The page frames the incident as a data-leak event within the Education sector in the United States, rather than a purely encryption-based incident. It emphasizes the confidentiality of information related to students and staff and asserts that sensitive materials—such as financial reports, grant awards, and budget-related documents, as well as medical records—have been exposed. The narrative also alludes to concerns about sexual abuse case handling and related litigation, portraying governance and data protection practices as compromised. In essence, the post presents itself as evidence of a breach and a public data exposure rather than a simple service disruption.

The page notes the presence of multiple visual components intended as proof, including a set of 22 image attachments described as internal documents or screenshots. It also indicates the existence of a claim URL and provides contact mechanisms, including a Jabber handle that is redacted for publication and a TOX hash as an identifier. An FTP-style location is referenced as part of the data share, but credentials are redacted. The post date is 29 September 2025, and there is no explicit compromise date provided beyond the post date; consequently, the post date is treated as the publication date. No ransom amount or demand is disclosed in the available data.

Overall, the leak page underscores the risk profile for the education sector by illustrating a data-leak narrative supported by a sizeable image set—22 screenshots purportedly from internal documents. The content includes defanged contact channels and credential indicators (redacted emails and hashed identifiers) and references an onion-hosted image collection, illustrating the attackers’ use of multiple channels to disseminate material. While the victim name is clearly presented as Mecklenburg County Public Schools, the surrounding narrative leverages concerns about privacy, governance, and the broader implications for data protection within the district.