This report provides a comprehensive analysis of Radiant, a financially motivated e-crime group that emerged in September 2025. The group operates a double-extortion ransomware model, combining data exfiltration and encryption with public shaming via a dedicated data leak site. Radiant’s initial campaign was short-lived but impactful, compromising organizations across multiple sectors in North America and Europe.
The key judgment of this analysis is that Radiant is an operationally capable but strategically immature threat actor. While the group successfully executed multiple intrusions, their targeting choices, aggressive extortion tactics, and significant operational security (OPSEC) failures—culminating in the swift arrest of two teenage suspects following the high-profile Kido nursery breach—indicate a lack of experience inconsistent with established organized crime syndicates. Consequently, the group’s long-term viability is assessed as low to moderate.
The primary initial access vector employed by Radiant is assessed with moderate confidence to be the exploitation of compromised credentials (MITRE ATT&CK T1078). Post-compromise activities include data discovery and exfiltration, followed by impact tactics such as the deletion of volume shadow copies to inhibit system recovery (T1490) and the deployment of a crypto-ransomware payload for data encryption (T1486).
Radiant is responsible for significant data theft, financial losses, and reputational damage affecting at least seven victims. The attack against the Kido International nursery chain was particularly egregious, involving the theft and partial publication of personally identifiable information (PII) belonging to approximately 8,000 children.
It is recommended that security operations centers (SOCs) and network defenders prioritize strengthening identity and access management (IAM) controls, with a specific focus on securing infrastructure during and after merger and acquisition (M&A) activities. Furthermore, enhanced monitoring for anomalous data aggregation and exfiltration patterns is critical for early detection of similar threats.
Threat Actor Profile: Radiant Group
Emergence and Operational Tempo
The Radiant ransomware group was first observed in September 2025. Their inaugural victim, Kido Schools, was posted to their data leak site on September 24, 2025. Following this initial attack, the group executed a rapid series of compromises throughout early-to-mid October 2025, listing an additional six victims between October 6 and October 16. This highly compressed operational timeline suggests either a pre-planned campaign leveraging a set of previously acquired accesses or the opportunistic exploitation of readily available vulnerabilities or credentials.
As of October 21, 2025, the group’s leak site has been inactive for five days. This period of inactivity directly coincides with significant law enforcement action and intense public and cybercriminal community backlash following their attack on the Kido nursery chain, indicating a disruption of their operations.
Assessed Motivation and Objectives
Radiant’s motivation is assessed with high confidence as purely financial. Their entire operational model is built around coercing victims into paying a ransom. This is evidenced by their consistent use of extortion, specific ransom demands (approximately £600,000 in Bitcoin in the Kido case), and the operation of a data leak site designed to apply public pressure on non-compliant victims.
In communications regarding the Kido breach, the group claimed their actions were part of a “pentest” effort. This claim is assessed as a disingenuous and common tactic used by ransomware actors to taunt victims or create a thin, implausible veil of legitimacy for their criminal activities.
Sophistication and Attribution
While initially categorized as “Organized Crime,” substantial evidence contradicts this assessment, pointing instead to operational immaturity. The successful execution of at least seven distinct intrusions and the establishment of a functional TOR-based leak site demonstrate a degree of technical capability. However, this is overshadowed by significant failures.
The swift arrest of two 17-year-old individuals in the United Kingdom in connection with the Kido breach indicates major OPSEC failures that are uncharacteristic of experienced, well-resourced criminal syndicates. Furthermore, the group’s decision to target a nursery and leak the data of young children provoked widespread condemnation, not only from the public and law enforcement but also from other threat actors within the cybercrime community. This backlash forced the group to retract their threats and remove the data, demonstrating a profound miscalculation and a lack of understanding of the underground ecosystem’s unwritten rules. This is not the behavior of a disciplined, professional criminal enterprise; it is a strategic blunder typical of inexperienced actors. This assessment is further supported by threat intelligence analysis noting that the group’s leak site “did not appear as professionally made as those of other established ransomware groups”.
The name “Radiant” is generic and creates potential for confusion with multiple legitimate entities and other threat actors. It is critical for analysts to disambiguate this ransomware group from Radiant Capital (a DeFi platform), Radiant Logistics, Radiant Logic, the Chinese eCrime actor “RADIANT SPIDER,” and the sanctioned Russian entity “AO GK RADIANT”. There is currently no evidence linking this group to any of these entities, and their country of origin remains unknown. The evidence strongly suggests Radiant is a small, independent, and inexperienced group rather than an affiliate of a larger, more disciplined Ransomware-as-a-Service (RaaS) operation.
Victimology and Target Scope
Industry and Geographic Targeting
Radiant has demonstrated the ability to target a diverse range of industries, likely in an opportunistic fashion. Known victims operate in the Transportation/Logistics, Consumer Services, Healthcare, Agriculture/Food Production, and Education sectors. This broad targeting across both critical and non-critical infrastructure is characteristic of threat actors who exploit common, widespread vulnerabilities or rely on generally available access methods, such as credential stuffing, rather than employing specialized TTPs for a specific industry.
Geographically, the group’s victims are distributed across North America and Europe, with confirmed compromises in the United States (2), Germany (1), the Netherlands (1), Finland (1), and the United Kingdom (1). This international spread suggests their attack vectors are not region-specific and can be deployed globally.
Table: Known Radiant Group Victims (October 2025)
The following table provides a consolidated, at-a-glance view of Radiant’s confirmed targets, compiled from their data leak site. This allows for rapid correlation with internal security telemetry and helps identify potential industry-specific campaigns or trends. For a SOC analyst, this contextualizes a potential threat beyond a simple list of IOCs, allowing for more informed alert triage.
| Victim Name | Sector | Country | Leak Site Post Date | Notes from Leak Site |
| --- | --- | --- | --- | --- |
| Kido Schools | Education | United Kingdom | 2025-09-24 | Data of ~8,000 children compromised. Ransom demand of ~£600,000. |
| Minnesota Hospital | Healthcare | United States | 2025-10-06 | “Contact us within 7 days or we will expose your hospitals name…” |
| Magna Foodservice | Agriculture/Food | Germany | 2025-10-06 | Leading supplier of food products. |
| Retail Texas | Consumer Services | United States | 2025-10-09 | “Contact within 7 days or we will publish your name…and begin our pressure process.” |
| UK Rail Services | Transportation | United Kingdom | 2025-10-09 | “3 Days for contact or else we will begin our process.” |
| Docurail | Transportation | Finland | 2025-10-16 | “Simplifies railway compliance…” |
| Dutch??? | Unknown | Netherlands | 2025-10-16 | “Contact within 7 days based in the Netherlands.” |
Operational Playbook: Tactics, Techniques, and Procedures (TTPs)
Initial Access
T1078 – Valid Accounts (Compromised Credentials): The most likely initial access vector used by Radiant is the exploitation of compromised credentials. This assessment is based on analysis from cybersecurity firm Palo Alto Networks following the Kido breach, which indicated that “breached credentials” were the probable entry point. This aligns with broader industry trends where credential theft and reuse remain a primary vector for ransomware intrusions.
The Kido breach may have been facilitated by security gaps created during a recent merger or acquisition. In such scenarios, the integration of a newly acquired entity can leave legacy systems and access controls inadequately secured, creating a window of opportunity for attackers. Initial speculation suggested a supply chain compromise via the “Famly” nursery management software; however, this was thoroughly investigated and publicly refuted by the software’s CEO, confirming the attack was targeted specifically at Kido’s infrastructure and not a broader platform vulnerability.
Post-Compromise Kill Chain (Inferred)
While open-source intelligence lacks specifics on Radiant’s malware loaders or persistence mechanisms, a partial attack chain can be inferred from the available evidence.
- Defense Evasion (T1490 – Inhibit System Recovery): Reporting on the Kido attack explicitly mentioned “evidence of shadow copy deletion”. This is a hallmark technique of ransomware operations, executed to prevent victims from easily restoring encrypted files from local backups, thereby increasing the pressure to pay the ransom.
- Discovery & Collection: The attackers demonstrated a clear ability to navigate compromised networks to discover and aggregate large volumes of sensitive data. This included PII, financial information, and confidential operational documents across multiple victims.
- Command and Control (C2): No specific C2 infrastructure has been identified beyond the group’s TOR-based leak site. The group is known to communicate with victims via the Tox protocol for negotiation purposes.
- Exfiltration: The theft of data from approximately 8,000 individuals in the Kido breach implies a systematic and large-scale exfiltration process. The exact method, such as transferring data to a cloud account (T1537), is unknown.
- Impact (T1486 – Data Encrypted for Impact): The core of Radiant’s operation is a crypto-ransomware attack involving file encryption. In the Kido incident, “encrypted file extensions consistent with Radiant ransomware family” were noted, although the specific file extension has not been publicly documented. The ransom demand for the Kido attack was specified in Bitcoin, a common practice for financial extortion (T1657).
Multi-Faceted Extortion
Radiant employs a standard double-extortion model, where data is first exfiltrated and then encrypted, using the threat of public data release as additional leverage. The group operates a TOR-based leak site titled “Radiant – Leaks” on an NGINX server, where they post victim names and often include a countdown (typically 3-7 days) to establish contact.
However, the group’s extortion tactics are disproportionately aggressive and unethical relative to their assessed technical sophistication. This suggests a strategy of leveraging psychological shock-and-awe to compensate for other shortcomings. This behavior includes:
- Direct Stakeholder Harassment: In the Kido breach, attackers made threatening phone calls directly to parents, urging them to pressure the nursery into paying the ransom.
- Inciting Legal Action: The group posted messages on their leak site actively encouraging parents to sue the nursery and even provided a link to a joint legal claim page.
- Staged Data Releases: The group published a “data leakage roadmap” on their site, detailing their plan to release stolen data in stages to maximize psychological pressure on the victim organization.
These chaotic, emotionally charged tactics are not the actions of a group confident in its technical leverage alone. They generate significant public and law enforcement attention, which experienced criminal groups actively avoid. This approach makes the group highly unpredictable but also more prone to making critical OPSEC mistakes under the pressure of the spotlight they create, as the subsequent arrests demonstrate.
Table: Radiant Group MITRE ATT&CK® Mapping
The following table translates Radiant’s observed and inferred behaviors into the MITRE ATT&CK® for Enterprise framework. This provides a structured, actionable blueprint for SOC analysts to validate security control coverage, develop detection rules, and create tailored threat hunting playbooks.
| Tactic | Technique ID | Technique Name | Description of Use by Radiant |
| --- | --- | --- | --- |
| Initial Access | T1078 | Valid Accounts | Assessed as the primary initial access vector, likely using breached or weak credentials to gain entry into victim networks, as suspected in the Kido breach. |
| Defense Evasion | T1490 | Inhibit System Recovery | Evidence of shadow copy deletion was observed in the Kido attack, a common ransomware technique to prevent file restoration. |
| Impact | T1486 | Data Encrypted for Impact | Core component of the group’s ransomware operations. Encrypted files with a “Radiant ransomware family” extension were noted. |
| Exfiltration | T1041 | Exfiltrate Data Over C2 Channel | Inferred. Large-scale data theft precedes encryption, requiring a method for exfiltration. The specific channel is unknown. |
| Command & Control | T1102.002 | Web Service | The group uses a TOR-based .onion site as its primary platform for data leaks and victim communication. |
Case Study: The Kido International Nursery Breach
Attack Deconstruction
In September 2025, the Radiant group gained initial access to the network of Kido International, a UK-based nursery chain, likely through the use of compromised credentials. The attackers proceeded to exfiltrate a vast trove of highly sensitive data, including the PII of approximately 8,000 children (names, addresses, photos, dates of birth), parent and guardian contact details, employee records (National Insurance numbers, addresses), and confidential documents such as safeguarding and accident reports.
Following data exfiltration, Radiant initiated an aggressive extortion campaign. They demanded a ransom of approximately £600,000 in Bitcoin. To apply pressure, they published the profiles of 10 to 20 children on their dark web leak site and made direct, threatening phone calls to parents, a highly unusual and cruel tactic.
A Breach of Criminal Ethics and Subsequent Reversal
The attack’s targeting of young children drew immediate and widespread condemnation from cybersecurity professionals, law enforcement, and the general public. Crucially, it also triggered a backlash from within the cybercriminal community itself. The Nova ransomware operation publicly chastised Radiant on the RAMP hacking forum for violating unwritten rules against targeting such organizations.
This peer pressure, combined with intense media scrutiny, appears to have forced Radiant to reverse course. The group first blurred the images of the children on their leak site before removing the data entirely. They later issued a public statement claiming all child-related data had been permanently deleted. This sequence of events offers a rare insight into the social dynamics and reputational pressures that exist even within the ransomware ecosystem.
Law Enforcement Intervention and Impact
The high-profile and egregious nature of the attack prompted a swift and effective investigation by the London Metropolitan Police’s Cyber Crime Unit. On October 7, 2025, authorities arrested two 17-year-old males in Bishop’s Stortford, Hertfordshire, on suspicion of computer misuse and blackmail in connection with the breach.
Law enforcement officials described the arrests as a “significant step forward” in an ongoing investigation to identify all responsible parties. The speed and success of the police response strongly suggest the actors made critical OPSEC errors, further reinforcing the assessment that Radiant is not a sophisticated or well-disciplined criminal organization.
Indicators of Compromise (IOCs)
The following table provides actionable IOCs associated with the Radiant group’s operations. These indicators can be used directly in security tools such as SIEMs, EDRs, and firewalls for detection and blocking.
| IOC Type | Indicator | Description / Context | Source(s) |
| --- | --- | --- | --- |
| Network | trfqksm6peaeyz4q6egxbij5n2ih6zrg65of4kwasrejc7hnw2jtxryd.onion | Radiant Group’s TOR-based data leak site. | on request |
| Network | NGINX nginx 1.24.0 | Server banner identified on the leak site’s host. (Low fidelity indicator). | on request |
| Communication | FCE5078C3A0A2609DB79C4F1516DA0B11A6F48FC96C9E01BAC0D48A4DDB2A309F20DD0D295B2 | Radiant Group’s public Tox ID for communication and negotiation. | on request |
| Host-Based | e3b0c44298fc1c149afbf4c8996fb9 | (INVALID) Truncated file hash mentioned in one report. This is not a valid hash for analysis or matching. Its presence suggests a ransomware executable exists, but no sample is publicly available. | on request |
Analyst Assessment and Outlook
Current Threat Level: LOW
The current threat level posed by the Radiant group is assessed as low. The public exposure, community backlash, and decisive law enforcement action following the Kido breach have likely disrupted their operations significantly. The group has been publicly inactive since the arrests were made.
Future Potential:
The group’s future is highly uncertain and hinges on factors such as the scope of the ongoing law enforcement investigation.
- Dissolution (High Likelihood): The arrests and public shaming may cause the group, in its current form, to dissolve permanently.
- Rebranding (Low Likelihood): Given their demonstrated lack of sophistication and the profoundly negative reputation they have garnered, a simple rebrand is unlikely to be successful. Experienced actors rebrand to shed law enforcement attention while retaining their technical capabilities and affiliate networks; Radiant appears to possess neither in abundance.
- Splintering (Moderate Likelihood): If other members were involved beyond the two individuals arrested, they may attempt to form new, smaller groups. However, they will likely lack the full capability of the original cell and may struggle to establish credibility.
Key Intelligence Gaps:
- The specific ransomware payload used by Radiant, including its capabilities, encryption methods, and origin (custom-coded, variant of a known family, or RaaS kit), remains unknown.
- The full scope of the group’s membership, hierarchy, and structure is not publicly known.
- The precise methods used to obtain the initial compromised credentials for their attacks have not been confirmed.
Recommendations for Defenders
Strategic Recommendations
- Strengthen Identity and Access Management (IAM): Prioritize the implementation of phishing-resistant Multi-Factor Authentication (MFA) across all external-facing services, including VPNs, cloud applications, and remote desktop protocols. Enforce strong, unique password policies and consider passwordless solutions to mitigate risks from credential stuffing and reuse.
- Audit M&A Security Gaps: For organizations undergoing mergers or acquisitions, it is imperative to conduct immediate and thorough security assessments of the acquired entity’s environment. Create a clear roadmap for harmonizing security policies, consolidating identity stores, and decommissioning insecure legacy access controls to close this common window of vulnerability.
- Data Minimization and Classification: Review data collection and retention policies to ensure that sensitive data, especially the PII of vulnerable populations like children, is not retained longer than is strictly necessary for business or legal purposes. Classify and segregate highly sensitive data with additional access controls.
Tactical Recommendations for SOC Teams
- Threat Hunting – Credential Abuse: Actively hunt for signs of brute-force and password spraying attacks against remote access infrastructure. Develop analytics to detect anomalous login patterns, such as logins from unusual geolocations, impossible travel scenarios, or multiple failed logins from one IP address followed by a success from another.
- Threat Hunting – Recovery Inhibition: Create high-fidelity detection rules for the execution of commands associated with inhibiting system recovery. Specifically, monitor for the execution of vssadmin.exe delete shadows or wmic.exe shadowcopy delete. These actions are strong indicators of pre-encryption activity by a ransomware actor.
- Monitor for Data Staging and Exfiltration: Implement detection rules for anomalous data aggregation and exfiltration. Look for large quantities of files being compressed (e.g., using 7-Zip, WinRAR) on servers or endpoints where this is not normal behavior. Monitor for high-volume data transfers to external cloud storage providers or over non-standard protocols.
- Ingest IOCs: Add the provided network and communication IOCs to relevant security tool watchlists and blocklists to prevent communication with known-bad infrastructure.
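As an added illustration (not part of the original report), two of the hunting analytics above implemented in Python over constructed sample events: a T1490 rule that matches the vssadmin/wmic shadow copy deletion commands regardless of case, argument order, optional ".exe" suffix or extra switches, and the "failed logons from one IP followed by a success from another" pattern. Event field names, the failure threshold and the time window are assumptions, not telemetry from any victim.

```python
"""SOC analytics for two tactical recommendations, run on constructed data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# T1490 patterns for the two commands named in the report. Matched on the
# whitespace-collapsed command line, case-insensitively, so "VSSADMIN.EXE
# Delete Shadows /All /Quiet" and "wmic shadowcopy delete /nointeractive"
# both fire while a benign "vssadmin list shadows" does not.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


def find_recovery_inhibition(process_events):
    """Return (host, rule_name, command_line) for each process-creation
    event (assumed fields: host, command_line) matching a T1490 pattern."""
    hits = []
    for ev in process_events:
        cmd = " ".join(ev["command_line"].split())  # collapse whitespace
        for name, pat in RECOVERY_INHIBIT_PATTERNS:
            if pat.search(cmd):
                hits.append((ev["host"], name, ev["command_line"]))
                break
    return hits


def find_failed_then_success_elsewhere(auth_events, min_failures=5,
                                       window=timedelta(minutes=30)):
    """Flag (user, failing_ip, success_ip, failure_count) when an account has
    at least min_failures failed logons from one source IP followed, within
    `window`, by a successful logon from a different source IP.
    Assumed event fields: time, user, src_ip, outcome ('failure'/'success')."""
    by_user = defaultdict(list)
    for ev in sorted(auth_events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        failures = defaultdict(list)  # src_ip -> timestamps of failures
        for ev in evs:
            if ev["outcome"] == "failure":
                failures[ev["src_ip"]].append(ev["time"])
                continue
            for ip, times in failures.items():
                recent = [t for t in times if ev["time"] - t <= window]
                if ip != ev["src_ip"] and len(recent) >= min_failures:
                    findings.append((user, ip, ev["src_ip"], len(recent)))
    return findings


# Constructed sample telemetry (documentation IP ranges, invented hosts/users).
T0 = datetime(2025, 10, 1, 2, 0, 0)
PROCESS_EVENTS = [
    {"host": "FS01", "command_line": "C:\\Windows\\System32\\backup.exe /nightly"},
    {"host": "FS01", "command_line": "VSSADMIN.EXE  Delete Shadows /All /Quiet"},
    {"host": "DC01", "command_line": "wmic shadowcopy delete /nointeractive"},
    {"host": "WS07", "command_line": "vssadmin list shadows"},
]
AUTH_EVENTS = [
    {"time": T0 + timedelta(minutes=i), "user": "j.smith",
     "src_ip": "203.0.113.10", "outcome": "failure"} for i in range(6)
] + [
    {"time": T0 + timedelta(minutes=9), "user": "j.smith",
     "src_ip": "198.51.100.7", "outcome": "success"},
    {"time": T0 + timedelta(minutes=12), "user": "a.jones",
     "src_ip": "192.0.2.5", "outcome": "failure"},
    {"time": T0 + timedelta(minutes=13), "user": "a.jones",
     "src_ip": "192.0.2.5", "outcome": "success"},
]

if __name__ == "__main__":
    for hit in find_recovery_inhibition(PROCESS_EVENTS):
        print("T1490 candidate:", hit)
    for finding in find_failed_then_success_elsewhere(AUTH_EVENTS):
        print("Credential abuse candidate:", finding)
```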
Incident Response Preparedness
- Develop a Double-Extortion Playbook: Ensure the organization’s incident response plan specifically addresses the threat of data leakage in addition to system encryption. This playbook should include pre-drafted communications for customers, regulators, and stakeholders; a clear policy on ransom payment negotiations (including legal and regulatory notification requirements); and established relationships with external legal counsel and cyber insurance providers.
- Maintain and Test Offline Backups: The single most effective defense against the impact of ransomware is the ability to restore critical systems and data from clean, offline, and immutable backups. These backups must be regularly tested to ensure their integrity and the viability of the restoration process.