Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat

Video posted online — and then removed — by ransomware gang claimed to highlight stolen files as criminals demand $1M after 'encryption event'

The ransomware gang Medusa lists Minneapolis Public Schools on its dark web leak site along with a countdown, seen here on Tues., March 7, to the district's March 17 deadline to meet its ransom demand. The district hasn't acknowledged it was the target of a ransomware attack. (Screenshot)


Minneapolis Public Schools appears to be the latest ransomware target in a $1 million extortion scheme that came to light Tuesday after a shady cyber gang posted to the internet a ream of classified documents it claims it stole from the district. 

While districts nationwide have become victims in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments.

In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for conducting a February cyberattack — or what Minneapolis school leaders euphemistically called an "encryption event" — that led to . The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay up, criminal actors appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The gang's leak site gives the district the option to pay $50,000 to add a day to the ransom deadline and allows anyone to purchase the data for $1 million right now.

On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang's possession.

"The video is more unusual and I don't recall that having been done before," said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.

A preliminary review of the gang's dark web leak site by 蜜桃影视 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

A file purportedly stolen from Minneapolis Public Schools and uploaded to the Medusa ransomware gang's dark web leak site references a sexual assault incident involving several students. (Screenshot)

The video is no longer available on Vimeo and a company spokesperson confirmed to 蜜桃影视 that it was , which prohibits users from uploading content that "infringes any third party's" privacy rights.

As targeted organizations decline to pay ransom demands in efforts to recover stolen files, Callow said the threat actors are employing new tactics "to improve conversion rates."

"This is likely just an experiment, and if they find this works they will do it more frequently," Callow said. "These groups operate like regular businesses, in that they A/B test and adopt the strategies that work and ditch the ones that don't."

Here's a snippet of the video's introduction (with all sensitive records omitted):

The Minneapolis school district hasn't acknowledged being a ransomware victim, while Callow and other cybersecurity experts have been harshly critical of how it has disclosed the attack to the public. In , the district attributed "technical difficulties" with its computer systems to the referenced "encryption event," a characterization that experts blasted as creative public relations that left potential victims in the dark about the incident's severity.

The district "has not paid a ransom" and an investigation into the incident "has not found any evidence that any data accessed has been used to commit fraud," school officials said in the March 1 statement.

In a statement to 蜜桃影视 Tuesday, the district said it "is aware that the threat actor who has claimed responsibility for our recent encryption event has posted online some of the data they accessed."

"This action has been reported to law enforcement, and we are working with IT specialists to review the data in order to contact impacted individuals," the statement continued.

A file uploaded to the Medusa ransomware gang's dark web leak site lists personal information of Minneapolis Public Schools administrators who serve as campus emergency contacts. (Screenshot)

Minnesota-based student privacy advocate Marika Pfefferkorn called on the district to be more forthcoming as it confronts the attack. 

"First and foremost, they owe an apology to the community by not being explicit right away about what was happening," said Pfefferkorn, executive director of the Midwest Center for School Transformation. "Because they haven't communicated about it, they haven't shared a plan about, 'How will you address this? How will you respond?' Not knowing how they are going to respond makes me really nervous."

School cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange, said that district officials appear to have coined the term "encryption event," but available information suggests the school system was the victim of "classic double extortion," an exploitation technique that's become popular among ransomware gangs in the last several years.

With its video and dark web blog, Medusa may have spent "a little more time and energy" than other ransomware groups in presenting the stolen data in a compelling package, "but the tactics seem to be the same," Levin said. "Now that we have a group coming forward with compelling evidence that they have exfiltrated data from the system and it's actively extorting them, that's all I would need to know to classify this as ransomware."

In double extortion ransomware attacks, threat actors gain access to a victim's computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if a ransom is not paid, criminals sell the data or publish the records to a leak site.

Such a situation recently played out in the Los Angeles Unified School District, the nation's second-largest school system. Last year, the ransomware gang Vice Society broke into the district's computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site.

District officials have sought to downplay the attack's effects on students. But an investigation by 蜜桃影视 found thousands of students' comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

Districts that become ransomware targets could face significant liability issues. Earlier this month, the education technology company Aeries Software a negligence lawsuit after a data breach exposed records from two California school districts. District families accused the software company of failing to implement reasonable cybersecurity safeguards. 

Federal authorities have made progress in curtailing cybercriminals. In January, authorities seized control of a prolific ransomware gang's leak site and earlier this month officials with ties to a Russian-based ransomware group that's known to target schools.

At least 11 U.S. school districts have been the victims of ransomware attacks so far in 2023, according to Emsisoft research. Last year, 45 school districts and 44 colleges. 

The Medusa ransomware gang's leak site suggests the Minneapolis school district has until March 17 to pay a $1 million ransom or have their sensitive files published online. The district can pay $50,000 to add a day to the ransom deadline. (Screenshot)

In Minneapolis, a lack of transparency from the district could put affected students and staff at heightened risk of exploitation, Emsisoft's Callow said.

"There absolutely are times when districts have to be cautious about the information they release because it is the source of an ongoing investigation," he said. "But calling something a ransomware incident as opposed to an encryption event really isn't problematic. Nor is telling people their personal information may have been compromised."

Pfefferkorn, the Minneapolis student privacy advocate, said she's concerned about the amount of data the school district collects about students and worries it lacks sufficient cybersecurity safeguards to keep the information secure. She pointed to Minneapolis schools' since-terminated contract with the digital student surveillance company Gaggle, which monitors students online and alerts district officials to references about mental health challenges, sexuality, drug use, violence and bullying.

The district said it adopted the monitoring tool in a pandemic-era effort to keep kids safe online, but the unauthorized disclosure of Gaggle records maintained by the district could make them more vulnerable, she said. 

There's little recourse, she said, for students and educators whose sensitive records were already leaked by Medusa.

"It's already out there and that cannot be repaired," she said. "There's information out there that's going to impact them for the rest of their lives."
