England Hockey is investigating a potential cyberattack after a ransomware group claimed to have stolen sensitive data from its systems and threatened to publish it online.
The AiLock ransomware gang recently listed the organization on its public data leak site, claiming to have exfiltrated large volumes of internal data as part of the attack.
“We are aware of an incident involving England Hockey and are currently investigating the matter as a priority,” the organization said in a statement provided to BleepingComputer.
Inside the Alleged England Hockey Ransomware Attack
England Hockey is the national governing body responsible for overseeing and developing the sport of field hockey across England.
The organization manages a large national ecosystem that includes more than 800 affiliated clubs, roughly 150,000 registered club players, and approximately 15,000 coaches, umpires, and officials.
Because the organization manages systems supporting membership records, club operations, and administration, a cyberattack could expose sensitive information related to athletes, staff, and affiliated organizations depending on the data accessed.
According to reporting by BleepingComputer, the AiLock ransomware group claims it stole approximately 129GB of data from England Hockey’s systems and has threatened to publish the files on its data leak site if a ransom demand is not met.
England Hockey has not confirmed whether data was actually exfiltrated, stating that the investigation is ongoing and being conducted with the assistance of external cybersecurity specialists and law enforcement authorities.
Who Is the AiLock Ransomware Group?
AiLock is a relatively new ransomware operation that first came to the attention of security researchers in 2025, when analysts at cybersecurity firm Zscaler documented the group’s activity targeting enterprise networks.
Like many modern ransomware operations, AiLock employs a double-extortion model designed to maximize pressure on victims.
How AiLock’s Double-Extortion Ransomware Works
In a typical double-extortion attack, threat actors first gain access to a victim’s network — often through compromised credentials, phishing campaigns, or software vulnerabilities.
After establishing a foothold, the attackers move laterally through the network and exfiltrate sensitive data before deploying ransomware to encrypt systems and disrupt operations.
Victims are then threatened with both operational disruption and the public release of stolen information if they refuse to negotiate or pay the ransom.
Researchers' analysis of the group's malware indicates that the AiLock ransomware encrypts files using ChaCha20 combined with NTRUEncrypt, a post-quantum cryptographic algorithm designed to resist certain advanced attacks.
Once encryption is complete, the malware appends a .AILock file extension to affected files and drops ransom notes in impacted directories containing instructions for contacting the attackers.
The group’s leak site messaging suggests it uses aggressive negotiation timelines, reportedly giving victims 72 hours to respond to initial demands and about five days to make payment.
If the organization does not engage with the attackers within that window, the group threatens to publish the stolen data and interfere with recovery efforts.
At the time of publication, England Hockey said its investigation into the incident remains ongoing as officials work to determine the nature and scope of the potential breach.
How Organizations Can Reduce Ransomware Risk
Organizations should take steps to strengthen defenses against ransomware and similar cyber threats.
- Maintain offline and immutable backups to ensure systems and data can be restored without paying ransom demands.
- Deploy ransomware protection and EDR solutions to detect malicious activity such as unauthorized encryption or data exfiltration attempts.
- Enforce multi-factor authentication and strong identity protections for administrative accounts, remote access services, and critical systems.
- Segment networks and apply least-privilege access controls to limit lateral movement if attackers gain access to internal systems.
- Implement robust patch and vulnerability management programs to reduce exploitable weaknesses across servers, endpoints, and network devices.
- Monitor network traffic and centralized logs for unusual outbound data transfers or suspicious activity that may indicate intrusion or data theft.
- Test incident response and disaster recovery plans regularly to ensure teams can rapidly detect, contain, and recover from ransomware attacks.
Because these attacks often involve credential theft, unpatched vulnerabilities, and lateral movement within networks, layered security controls can help reduce risk and limit potential impact.
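As an added illustration (not code from the article or from any vendor), the sketch below shows how file-event telemetry could flag the encryption behavior described above: a burst of files gaining the .AILock extension, corroborated by one identical file appearing across many directories. The event schema, thresholds, and the placeholder note filename are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EXT = ".ailock"                 # extension from the article, matched case-insensitively
WINDOW = timedelta(seconds=60)  # assumed tuning values, not from the article
RENAME_THRESHOLD = 5
NOTE_DIR_THRESHOLD = 3

# Constructed events: time,host,process,action,path,new_path (hypothetical schema).
SAMPLE = "\n".join(
    # Six renames to .AILock in six seconds by one process.
    [rf"2025-06-01T10:00:0{i},ws01,svc.exe,rename,C:\share\d{i % 3}\f{i}.docx,"
     rf"C:\share\d{i % 3}\f{i}.docx.AILock" for i in range(6)]
    # Same file dropped in three directories (placeholder name; the note's name is not given).
    + [rf"2025-06-01T10:00:1{i},ws01,svc.exe,create,C:\share\d{i}\note_placeholder.txt,"
       for i in range(3)]
    # Benign look-alikes: one backup rename, and one stray .AILock file per hour.
    + [r"2025-06-01T10:01:00,ws01,backup.exe,rename,C:\data\a.tmp,C:\data\a.bak"]
    + [rf"2025-06-01T1{i}:30:00,ws02,sync.exe,create,C:\in\x{i}.AILock," for i in range(6)]
)

def detect(log_text):
    """Return sorted (host, process, signal) alerts for AiLock-style encryption bursts."""
    recent = defaultdict(deque)                     # (host, proc) -> recent hit times
    drops = defaultdict(lambda: defaultdict(set))   # (host, proc) -> filename -> dirs
    burst = set()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, host, proc, action, path, new_path = line.split(",")
        when, key = datetime.fromisoformat(ts), (host, proc)
        target = PureWindowsPath(new_path or path)
        if action not in ("rename", "create"):
            continue
        if target.suffix.lower() == EXT:
            q = recent[key]
            q.append(when)
            while when - q[0] > WINDOW:             # slide the window forward
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                burst.add(key)
        elif action == "create":
            drops[key][target.name.lower()].add(str(target.parent).lower())
    alerts = [(h, p, "mass_ailock_rename") for h, p in burst]
    # Identical filenames across many directories only corroborate an existing burst.
    alerts += [(h, p, "same_file_many_dirs") for (h, p) in burst
               if any(len(d) >= NOTE_DIR_THRESHOLD for d in drops[(h, p)].values())]
    return sorted(alerts)
```

The hourly .AILock files from `sync.exe` and the single backup rename stay below the thresholds, so only the rapid burst on `ws01` is reported.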
The Growing Ransomware Risk for Nonprofits
The alleged attack on England Hockey reflects a broader trend of ransomware groups increasingly targeting sports associations, nonprofits, and other organizations with more limited cybersecurity resources than large enterprises.
These organizations often store personal data related to athletes, volunteers, and staff, making them attractive targets for cybercriminals seeking financial gain or sensitive information.
This growing risk is one reason organizations are turning to zero trust to help protect sensitive data and limit the material impact of breaches.
