This report provides a comprehensive analysis of Radiant, a financially motivated e-crime group that emerged in September 2025. The group operates a double-extortion ransomware model, combining data exfiltration and encryption with public shaming via a dedicated data leak site. Radiant’s initial campaign was short-lived but impactful, compromising organizations across multiple sectors in North America and Europe.
The key judgment of this analysis is that Radiant is an operationally capable but strategically immature threat actor. While the group successfully executed multiple intrusions, their targeting choices, aggressive extortion tactics, and significant operational security (OPSEC) failures—culminating in the swift arrest of two teenage suspects following the high-profile Kido nursery breach—indicate a lack of experience inconsistent with established organized crime syndicates. Consequently, the group’s long-term viability is assessed as low to moderate.
The primary initial access vector employed by Radiant is assessed with moderate confidence to be the exploitation of compromised credentials (MITRE ATT&CK T1078). Post-compromise activities include data discovery and exfiltration, followed by impact tactics such as the deletion of volume shadow copies to inhibit system recovery (T1490) and the deployment of a crypto-ransomware payload for data encryption (T1486).
Radiant is responsible for significant data theft, financial losses, and reputational damage affecting at least seven victims. The attack against the Kido International nursery chain was particularly egregious, involving the theft and partial publication of personally identifiable information (PII) belonging to approximately 8,000 children.
It is recommended that security operations centers (SOCs) and network defenders prioritize strengthening identity and access management (IAM) controls, with a specific focus on securing infrastructure during and after merger and acquisition (M&A) activities. Furthermore, enhanced monitoring for anomalous data aggregation and exfiltration patterns is critical for early detection of similar threats.
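One concrete way to act on the exfiltration-monitoring recommendation above is to baseline each host's daily outbound volume and alert on host-days that depart sharply from that host's own history. The following is an added example written for this report, not tooling from the original page or from any vendor; the flow summaries, host names, addresses and the record layout (host, day, destination, bytes out) are all constructed assumptions.

```python
"""Flag hosts whose daily outbound transfer volume jumps far above their own baseline.

Added example for the monitoring recommendation; the flow records are constructed
for this demonstration and the field layout (host, day, destination, bytes_out)
is an assumption, not the schema of any particular NetFlow or proxy product.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Days used to learn each host's normal outbound volume (constructed).
BASELINE_DAYS = {"2025-10-01", "2025-10-02", "2025-10-03", "2025-10-04", "2025-10-05"}

# Constructed flow summaries: (source host, day, destination, bytes out).
FLOWS = [
    # A workstation that normally sends ~100-140 KB a day ...
    ("ws-finance-01", "2025-10-01", "10.0.5.20", 120_000),
    ("ws-finance-01", "2025-10-02", "10.0.5.20", 135_000),
    ("ws-finance-01", "2025-10-03", "10.0.5.20", 110_000),
    ("ws-finance-01", "2025-10-04", "10.0.5.20", 128_000),
    ("ws-finance-01", "2025-10-05", "10.0.5.20", 140_000),
    # ... then pushes 2.4 GB in two sessions to an external address.
    ("ws-finance-01", "2025-10-06", "203.0.113.7", 1_200_000_000),
    ("ws-finance-01", "2025-10-06", "203.0.113.7", 1_200_000_000),
    # A backup server that legitimately moves ~900 MB every night.
    ("srv-backup-01", "2025-10-01", "10.0.9.5", 880_000_000),
    ("srv-backup-01", "2025-10-02", "10.0.9.5", 910_000_000),
    ("srv-backup-01", "2025-10-03", "10.0.9.5", 905_000_000),
    ("srv-backup-01", "2025-10-04", "10.0.9.5", 895_000_000),
    ("srv-backup-01", "2025-10-05", "10.0.9.5", 920_000_000),
    ("srv-backup-01", "2025-10-06", "10.0.9.5", 930_000_000),
    # A kiosk with a flat (zero-variance) baseline and a small uptick.
    ("kiosk-03", "2025-10-01", "10.0.5.20", 5_000),
    ("kiosk-03", "2025-10-02", "10.0.5.20", 5_000),
    ("kiosk-03", "2025-10-03", "10.0.5.20", 5_000),
    ("kiosk-03", "2025-10-06", "10.0.5.20", 40_000),
]


def daily_volume(flows):
    """Sum bytes_out per (host, day) so several sessions to one place are seen together."""
    totals = defaultdict(int)
    for host, day, _dst, bytes_out in flows:
        totals[(host, day)] += bytes_out
    return totals


def flag_exfil(flows, baseline_days, z_threshold=3.0, min_bytes=50_000_000):
    """Return (host, day, bytes_out, z) for host-days far above that host's own baseline.

    z_threshold: how many standard deviations above the baseline mean to alert on.
    min_bytes: absolute floor, so a near-silent host does not alert on a trivial uptick.
    """
    totals = daily_volume(flows)
    baseline = defaultdict(list)
    for (host, day), bytes_out in totals.items():
        if day in baseline_days:
            baseline[host].append(bytes_out)

    alerts = []
    for (host, day), bytes_out in sorted(totals.items()):
        if day in baseline_days or host not in baseline:
            continue  # baseline day, or a host with no history to compare against
        mu, sigma = mean(baseline[host]), pstdev(baseline[host])
        if sigma > 0:
            z = (bytes_out - mu) / sigma
        else:
            # Flat baseline: any rise is treated as unbounded, the floor decides.
            z = float("inf") if bytes_out > mu else 0.0
        if bytes_out >= min_bytes and z >= z_threshold:
            alerts.append((host, day, bytes_out, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for host, day, bytes_out, z in flag_exfil(FLOWS, BASELINE_DAYS):
        print(f"ALERT {host} {day}: {bytes_out / 1e9:.2f} GB out (z={z})")
```

The per-host baseline is what keeps the backup server quiet (930 MB is normal for it) while the finance workstation's 2.4 GB day stands out, and the absolute floor stops the kiosk's flat baseline from producing an alert on 40 KB. In production this would be one signal among several; destination reputation, off-hours timing and the preceding bulk file reads that indicate staging are the natural additions.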
Threat Actor Profile: Radiant Group
Emergence and Operational Tempo
The Radiant ransomware group was first observed in September 2025. Their inaugural victim, Kido Schools, was posted to their data leak site on September 24, 2025. Following this initial attack, the group executed a rapid series of compromises throughout early-to-mid October 2025, listing an additional six victims between October 6 and October 16. This highly compressed operational timeline suggests either a pre-planned campaign leveraging a set of previously acquired accesses or the opportunistic exploitation of readily available vulnerabilities or credentials.
As of October 21, 2025, the group’s leak site has been inactive for five days. This period of inactivity directly coincides with significant law enforcement action and intense public and cybercriminal community backlash following their attack on the Kido nursery chain, indicating a disruption of their operations.
Assessed Motivation and Objectives
Radiant’s motivation is assessed with high confidence as purely financial. Their entire operational model is built around coercing victims into paying a ransom. This is evidenced by their consistent use of extortion, specific ransom demands (approximately £600,000 in Bitcoin in the Kido case), and the operation of a data leak site designed to apply public pressure on non-compliant victims.
In communications regarding the Kido breach, the group claimed their actions were part of a “pentest” effort. This claim is assessed as a disingenuous and common tactic used by ransomware actors to taunt victims or create a thin, implausible veil of legitimacy for their criminal activities.
Sophistication and Attribution
While initially categorized as “Organized Crime,” substantial evidence contradicts this assessment, pointing instead to operational immaturity. The successful execution of at least seven distinct intrusions and the establishment of a functional TOR-based leak site demonstrate a degree of technical capability. However, this is overshadowed by significant failures.
The swift arrest of two 17-year-old individuals in the United Kingdom in connection with the Kido breach indicates major OPSEC failures that are uncharacteristic of experienced, well-resourced criminal syndicates. Furthermore, the group’s decision to target a nursery and leak the data of young children provoked widespread condemnation, not only from the public and law enforcement but also from other threat actors within the cybercrime community. This backlash forced the group to retract their threats and remove the data, demonstrating a profound miscalculation and a lack of understanding of the underground ecosystem’s unwritten rules. This is not the behavior of a disciplined, professional criminal enterprise; it is a strategic blunder typical of inexperienced actors. This assessment is further supported by threat intelligence analysis noting that the group’s leak site “did not appear as professionally made as those of other established ransomware groups”.
The name “Radiant” is generic and creates potential for confusion with multiple legitimate entities and other threat actors. It is critical for analysts to disambiguate this ransomware group from Radiant Capital (a DeFi platform), Radiant Logistics, Radiant Logic, the Chinese eCrime actor “RADIANT SPIDER,” and the sanctioned Russian entity “AO GK RADIANT”. There is currently no evidence linking this group to any of these entities, and their country of origin remains unknown. The evidence strongly suggests Radiant is a small, independent, and inexperienced group rather than an affiliate of a larger, more disciplined Ransomware-as-a-Service (RaaS) operation.
Victimology and Target Scope
Industry and Geographic Targeting
Radiant has demonstrated the ability to target a diverse range of industries, likely in an opportunistic fashion. Known victims operate in the Transportation/Logistics, Consumer Services, Healthcare, Agriculture/Food Production, and Education sectors. This broad targeting across both critical and non-critical infrastructure is characteristic of threat actors who exploit common, widespread vulnerabilities or rely on generally available access methods, such as credential stuffing, rather than employing specialized TTPs for a specific industry.
Geographically, the group’s victims are distributed across North America and Europe, with confirmed compromises in the United States (2), Germany (1), the Netherlands (1), Finland (1), and the United Kingdom (1). This international spread suggests their attack vectors are not region-specific and can be deployed globally.
Table: Known Radiant Group Victims (October 2025)
The following table provides a consolidated, at-a-glance view of Radiant’s confirmed targets, compiled from their data leak site. This allows for rapid correlation with internal security telemetry and helps identify potential industry-specific campaigns or trends. For a SOC analyst, this contextualizes a potential threat beyond a simple list of IOCs, allowing for more informed alert triage.
| Victim Name | Sector | Country | Leak Site Post Date | Notes from Leak Site |
|---|---|---|---|---|
| Kido Schools | Education | United Kingdom | 2025-09-24 | Data of ~8,000 children compromised. Ransom demand of ~£600,000. |
| Minnesota Hospital | Healthcare | United States | 2025-10-06 | “Contact us within 7 days or we will expose your hospitals name…” |
| Magna Foodservice | Agriculture/Food | Germany | 2025-10-06 | Leading supplier of food products. |
| Retail Texas | Consumer Services | United States | 2025-10-09 | “Contact within 7 days or we will publish your name…and begin our pressure process.” |
| UK Rail Services | Transportation | United Kingdom | 2025-10-09 | “3 Days for contact or else we will begin our process.” |
| Docurail | Transportation | Finland | 2025-10-16 | “Simplifies railway compliance…” |
| Dutch??? | Unknown | Netherlands | 2025-10-16 | “Contact within 7 days based in the Netherlands.” |
Operational Playbook: Tactics, Techniques, and Procedures (TTPs)
Initial Access
T1078 – Valid Accounts (Compromised Credentials): The most likely initial access vector used by Radiant is the exploitation of compromised credentials. This assessment is based on analysis from cybersecurity firm Palo Alto Networks following the Kido breach, which indicated that “breached credentials” were the probable entry point. This aligns with broader industry trends where credential theft and reuse remain a primary vector for ransomware intrusions.
The Kido breach may have been facilitated by security gaps created during a recent merger or acquisition. In such scenarios, the integration of a newly acquired entity can leave legacy systems and access controls inadequately secured, creating a window of opportunity for attackers. Initial speculation suggested a supply chain compromise via the “Famly” nursery management software; however, this was thoroughly investigated and publicly refuted by the software’s CEO, confirming the attack was targeted specifically at Kido’s infrastructure and not a broader platform vulnerability.
Post-Compromise Kill Chain (Inferred)
While open-source intelligence lacks specifics on Radiant’s malware loaders or persistence mechanisms, a partial attack chain can be inferred from the available evidence.
- Defense Evasion (T1490 – Inhibit System Recovery): Reporting on the Kido attack explicitly mentioned “evidence of shadow copy deletion”. This is a hallmark technique of ransomware operations, executed to prevent victims from easily restoring encrypted files from local backups, thereby increasing the pressure to pay the ransom.
- Discovery & Collection: The attackers demonstrated a clear ability to navigate compromised networks to discover and aggregate large volumes of sensitive data. This included PII, financial information, and confidential operational documents across multiple victims.
- Command and Control (C
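The shadow copy deletion noted under T1490 is one of the few steps in this inferred chain that leaves an unambiguous host artifact: a process-creation event whose command line removes volume shadow copies. The detector below is an added example written for this report, not code from the original page or from any vendor; the log lines are constructed, and the key=value layout (ts, host, user, parent, image, cmdline) and host names are assumptions rather than any product's native event format.

```python
"""Flag process-creation events that look like volume shadow copy deletion (ATT&CK T1490).

Added example, not from the report. The log lines are constructed and the
key=value layout (ts, host, user, parent, image, cmdline) is an assumption,
not any vendor's native event format. Matching is on the command line rather
than the binary name, because vssadmin.exe and wmic.exe are also used for
legitimate administration.
"""
import re

# key=value pairs; quoted values may contain spaces and backslashes.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command-line shapes that remove shadow copies (as catalogued under T1490).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.IGNORECASE),
]

# Constructed process-creation records: one benign vssadmin query, two
# deletions from a cmd.exe parent, one unrelated process, one PowerShell deletion.
EVENTS = [
    r'ts=2025-10-06T01:10:02Z host=fs01 user=svc_backup parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin list shadows"',
    r'ts=2025-10-06T02:14:07Z host=fs01 user=j.doe parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"',
    r'ts=2025-10-06T02:14:09Z host=fs01 user=j.doe parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic shadowcopy delete"',
    r'ts=2025-10-06T02:15:30Z host=ws07 user=a.smith parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
    r'ts=2025-10-06T02:16:41Z host=dc01 user=j.doe parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
]


def parse_event(line):
    """Turn one key=value line into a dict; a quoted value wins over a bare one."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_shadow_copy_deletion(cmdline):
    """True when the command line matches a known shadow-copy removal shape."""
    return any(pattern.search(cmdline) for pattern in SHADOW_DELETE_PATTERNS)


def detect(lines):
    """Return one alert per matching event, keeping the fields an analyst triages on."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        if is_shadow_copy_deletion(cmdline):
            alerts.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "user": event.get("user"),
                "parent": event.get("parent"),
                "cmdline": cmdline,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"[T1490] {alert['ts']} {alert['host']} {alert['user']} "
              f"via {alert['parent']}: {alert['cmdline']}")
```

The benign `vssadmin list shadows` query from the backup service account is deliberately left unflagged so the rule does not fire on routine administration; the parent process and user are kept in each alert because a deletion launched from an interactive shell under a regular user account, as in the constructed records, is the pattern worth escalating before encryption begins.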

