Ransomware gang threatens Cheyenne and Arapaho Tribes after shutting down schools

The government of the Cheyenne and Arapaho Tribes is being extorted by cybercriminals after a ransomware attack shut down its schools and critical systems in January. 

The Rhysida ransomware gang took credit for the attack this week and demanded 10 bitcoin, or about $660,000, in exchange for not leaking information stolen from the systems of the Cheyenne and Arapaho Tribes, a federally recognized government headquartered in Concho, Oklahoma.

Officials previously confirmed the ransomware attack in January. 

The tribal government said the cyberattack began on December 8, 2025, when its IT team discovered an attempted intrusion by threat actors. Systems were shut down and the tribe worked with its insurance provider on the recovery effort. 

A follow-up statement from tribal governor Reggie Wassana confirmed they dealt with a ransomware attack and federal authorities were brought in to help. 

“The criminals have targeted hundreds of notable companies such as Target, Xerox, Carnival Cruises, Blue Cross Blue Shield as well as local hospitals and airlines. Ironically, it is the high profile and financial success of our tribe that made us a prime target,” he said in a letter to the tribe. 

“Let me be clear: This was a terrorist attack, and WE DID NOT NEGOTIATE NOR SURRENDER. These criminals have not, and will not, receive one cent from the members of the Cheyenne and Arapaho Tribes.”

Wassana committed to continue paying employees of the local Lucky Star Casino as the recovery effort continued through January. The tribe governs about 12,000 residents.  

The tribe’s Department of Education also warned the attack took down its computers, email and phone system. Students were not penalized for any delays in returning assignments as a result of the internet outages. 

Tribal administrations across the U.S. were targeted by ransomware gangs in 2025. The city of Durant, just three hours away from Concho and the capital of the Choctaw Nation, was hit with a cyberattack last year, and tribes in Minnesota and Michigan were also attacked by ransomware gangs. 

The Rhysida ransomware gang has repeatedly targeted governments across the globe, including Kuwait’s Finance Ministry, as well as the transportation department of Maryland, the city of Seattle and the city of Columbus, Ohio.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 

Total
0
Shares
Previous Post

ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories

Next Post

Attackers breach France’s national bank account database

Related Posts

CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. "These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim's messaging app,
Read More

Five Plead Guilty in U.S. for Helping North Korean IT Workers Infiltrate 136 Companies

The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions. The five individuals are listed below - Audricus Phagnasay, 24 Jason Salazar, 30 Alexander Paul Travis, 34 Oleksandr Didenko, 28, and Erick
Read More

APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The activity, observed by Recorded Future's Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that
Read More