Back to Blog
high severity May 05, 2026 · scope unconfirmed

Colegio María Inmaculada (CMI) Listed by medusalocker Ransomware Group

Catholic school in Moravia, Costa Rica. Domain cmi.local / mariainmaculada.ed.cr. Servers: CMI-DC01, CMI-APP, CMI-HTTP2, main-server1/2.

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed May 05, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On May 5, 2026, the MedusaLocker ransomware group added Colegio María Inmaculada, a Catholic school in Moravia, Costa Rica, to its public leak site, confirming that internal files had been exfiltrated from the school’s servers.

Confirmed Facts from Reporting

Public reporting indicates the school’s internal domain is cmi.local and its public domain is mariainmaculada.ed.cr. The compromised systems include servers named CMI-DC01, CMI-APP, CMI-HTTP2, and main-server1/2. Available reporting describes the data as internal files exfiltrated during a ransomware attack; the exact number of people affected remains unknown. The listing appeared on the MedusaLocker leak site, hosted on an onion address and tracked by ransomware.live.

Why This Matters for You and Your Family

When a school is hit, the information exposed often includes details about students, parents, staff, and alumni. Names, addresses, dates of birth, contact information, and sometimes family financial or medical notes can appear in internal spreadsheets or documents. If your child attends or attended Colegio María Inmaculada, or if you work there, your family’s personal information may now sit on a dark-web leak site. Once that data is public, it rarely disappears on its own.

Credential leaks from one organization frequently cascade into other accounts. A reused password taken from a school system can open the door to email, banking, or social-media profiles belonging to you or your children.

The Doxxing and Identity-Chain Implications

Ransomware groups do not always publish everything at once. They may release small samples first, then demand payment to prevent full disclosure. Even partial leaks can give attackers enough threads to map your online handles to your real identity. A parent’s email linked to a child’s gaming username, for example, can lead to doxxing that follows the family across platforms. Gaming accounts are especially vulnerable because children often reuse simple passwords and share devices at home. The same breach that exposes school records can therefore become the starting point for account takeovers that affect your entire household.

MedusaLocker’s Publicly Known Track Record

Public reporting attributes MedusaLocker with emerging in late 2019. The group has targeted hospitals, schools, municipalities, and small businesses worldwide. Its typical playbook involves gaining initial access through vulnerable remote desktop protocol connections or phishing, exfiltrating data before encrypting systems, and then publishing samples on a leak site if the victim does not pay. Extortion demands are usually accompanied by countdown timers, after which additional data is released in batches.

What to do

  • Run a DoxxScan to map every link between your emails, phone numbers, usernames, and real identity so you can see exactly what this breach connects to.
  • Rotate any password you used at mariainmaculada.ed.cr or the school’s internal systems, and enable 2FA through an authenticator app everywhere that password was reused.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak exposing you or your family is caught in hours rather than months.
  • Cover the household with DoxxScan family protection, which extends to dependents and children’s gaming accounts that often chain back to the same address or parent email.
  • Let remediation specialists handle takedown requests and broker removals for you while you focus on securing accounts at home.

The incident at Colegio María Inmaculada shows how quickly a single organization’s breach can ripple into your daily life. Taking concrete steps now limits how far attackers can travel down the identity chain. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts. Start your DoxxScan trial today to close the gaps this leak has opened.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.