The ransomware gang Medusa lists Minneapolis Public Schools on its dark web leak site along with a countdown, seen here on Tuesday, March 7, to the district’s March 17 deadline to meet its ransom demand. The district hasn’t acknowledged it was the target of a ransomware attack. Credit: Screenshot

This story was produced by The 74, a non-profit, independent news organization focused on education in America.

Minneapolis Public Schools appears to be the latest ransomware target in a $1 million extortion scheme that came to light Tuesday after a cybercriminal gang posted online a trove of confidential documents it claims to have stolen from the district. 

While districts nationwide have become victims in a rash of devastating ransomware attacks in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments. 

In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for a February cyberattack — or what Minneapolis school leaders euphemistically called an “encryption event” — that led to widespread digital disruptions. The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay, the criminals appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The leak site also gives the district the option to pay $50,000 to extend the deadline by one day, and offers the full data set to any buyer for $1 million immediately.

On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang’s possession. 

“The video is more unusual and I don’t recall that having been done before,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. 

A preliminary review of the gang’s dark web leak site by The 74 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

A file purportedly stolen from Minneapolis Public Schools and uploaded to the Medusa ransomware gang’s dark web leak site references a sexual assault incident involving several students. Credit: Screenshot
The video is no longer available on Vimeo and a company spokesperson confirmed to The 74 that it was removed for violating its terms of service, which prohibits users from uploading content that “infringes any third party’s” privacy rights. 

As more targeted organizations decline to pay ransom demands, Callow said, threat actors are employing new tactics “to improve conversion rates.”

“This is likely just an experiment, and if they find this works they will do it more frequently,” Callow said. “These groups operate like regular businesses, in that they A/B test and adopt the strategies that work and ditch the ones that don’t.” 

Here’s a snippet of the video’s introduction (with all sensitive records omitted):

[Embedded YouTube video]

The Minneapolis school district hasn’t acknowledged being a ransomware victim, and Callow and other cybersecurity experts have been harshly critical of how it has disclosed the attack to the public. In a March 1 statement, the district attributed “technical difficulties” with its computer systems to an “encryption event,” a characterization that experts blasted as creative public relations that left potential victims in the dark about the incident’s severity. 

The district “has not paid a ransom” and an investigation into the incident “has not found any evidence that any data accessed has been used to commit fraud,” school officials said in the March 1 statement.  

In a statement to The 74 Tuesday, the district said it “is aware that the threat actor who has claimed responsibility for our recent encryption event has posted online some of the data they accessed.” 

“This action has been reported to law enforcement, and we are working with IT specialists to review the data in order to contact impacted individuals,” the statement continued.

A file uploaded to the Medusa ransomware gang’s dark web leak site lists personal information of Minneapolis Public Schools administrators who serve as campus emergency contacts. Credit: Screenshot
Minnesota-based student privacy advocate Marika Pfefferkorn called on the district to be more forthcoming as it confronts the attack. 

“First and foremost they owe an apology to the community by not being explicit right away about what was happening,” said Pfefferkorn, executive director of the Midwest Center for School Transformation. “Because they haven’t communicated about it, they haven’t shared a plan about, ‘How will you address this? How will you respond?’ Not knowing how they are going to respond makes me really nervous.”

School cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange, said that district officials appear to have coined the term “encryption event,” but available information suggests the school system was the victim of “classic double extortion,” an extortion technique that has become popular among ransomware gangs in the last several years. 

With its video and dark web blog, Medusa may have spent “a little more time and energy” than other ransomware groups in presenting the stolen data in a compelling package, “but the tactics seem to be the same,” Levin said. “Now that we have a group coming forward with compelling evidence that they have exfiltrated data from the system and it’s actively extorting them, that’s all I would need to know to classify this as ransomware.”

In double extortion ransomware attacks, threat actors gain access to a victim’s computer network, exfiltrate copies of sensitive records, and then encrypt the victim’s files. They demand a ransom for the decryption key and, as a second lever, threaten to sell the stolen data or publish it on a leak site if the victim does not pay. Because the data has already been copied out of the network, restoring systems from backups defeats only the encryption half of the scheme; the threat of publication remains regardless of whether the files are recovered. 

Such a situation recently played out in the Los Angeles Unified School District, the nation’s second-largest school system. Last year, the ransomware gang Vice Society broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site. 

Los Angeles district officials have sought to downplay the attack’s effects on students. But an investigation by The 74 found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

Districts that become ransomware targets could face significant liability issues. Earlier this month, the education technology company Aeries Software agreed to pay $1.75 million to settle a negligence lawsuit after a data breach exposed records from two California school districts. District families accused the software company of failing to implement reasonable cybersecurity safeguards. 

Federal authorities have made some progress in curtailing cybercriminals. In January, authorities seized control of a prolific ransomware gang’s leak site, and earlier this month officials announced sanctions against seven men with ties to a Russia-based ransomware group that is known to target schools. 

At least 11 U.S. school districts have been the victims of ransomware attacks so far in 2023, according to Emsisoft research. Last year, ransomware victims included 45 school districts and 44 colleges. 

The Medusa ransomware gang’s leak site suggests the Minneapolis school district has until March 17 to pay a $1 million ransom or have its sensitive files published online. The district can pay $50,000 to add a day to the ransom deadline. Credit: Screenshot
In Minneapolis, a lack of transparency from the district could put affected students and staff at heightened risk of exploitation, Emsisoft’s Callow said. 

“There absolutely are times when districts have to be cautious about the information they release because it is the source of an ongoing investigation,” he said. “But calling something a ransomware incident as opposed to an encryption event really isn’t problematic. Nor is telling people their personal information may have been compromised.”

Pfefferkorn, the Minneapolis student privacy advocate, said she’s concerned about the amount of data the school district collects about students and worries it lacks sufficient cybersecurity safeguards to keep the information secure. She pointed to Minneapolis schools’ since-terminated contract with the digital student surveillance company Gaggle, which monitors students online and alerts district officials to references about mental health challenges, sexuality, drug use, violence and bullying. 

The district said it adopted the monitoring tool in a pandemic-era effort to keep kids safe online, but the unauthorized disclosure of Gaggle records maintained by the district could make them more vulnerable, she said. 

There’s little recourse, she said, for students and educators whose sensitive records were already leaked by Medusa. 

“It’s already out there and that cannot be repaired,” she said. “There’s information out there that’s going to impact them for the rest of their lives.”

5 Comments

    1. The challenge for MPS, or any entity, is that it is basically impossible to stay up to date with security patches. For an entity like MPS, which is always running a tight budget, it’s more difficult. I imagine their IT staff is paid below market rates & probably has higher than average workload.

      We don’t know how the hackers gained system access. While it could have been due to incompetence, we don’t have that info yet. In that regard, MPS should be more forthcoming about what happened & what steps they’re taking to prevent this in the future.

      Perhaps a good use of the surplus would be a statewide hardening of IT infrastructure, including grants to school districts and local governments.

      1. Yeah, I agree. I have no sympathy for MPS administration who have bungled the response from day one–I’m sure they were hoping that they’d get systems back up while we were having our snow issue and then they’d be able to sweep it under the rug.

        However, I have a lot of sympathy for the IT organization. The State of MN pays less for a CTO role than a lot of people can earn as a lead software engineer, and I’m sure MPS technology pays even less, which means that people are probably underqualified and overworked.

        Having each school district in the state inventing enterprise-grade IT systems on their own doesn’t seem like a great plan, but I’m not sure how we go about fixing that so districts can focus on education spend instead of IT spend.

    2. It does seem like security – and transparency – are not top priorities for MSD. At the same time, I’d be skeptical of anything that came from Fox “News,” regardless of topic.

    3. I’m a former MPS teacher, former student, parent of two MPS grads and the parent of one student. I have deep ties to this district and a deep love for all of its students and staff. I say this to clarify my point of view, as I don’t want my words to be misinterpreted as being somehow hostile to the people who put their hearts and souls into caring for the wonderful kids in Minneapolis. I have nothing but love for this community. But. My god. The poor communication, obfuscation and absolute lack of details, instructions, possibilities and accountability has been ABYSMALLY BAD. I’m honestly shocked at the anemic attempts at communications – each sentence gummed up with passive construction, nonspecific jargon and vague worries. WHO IS WRITING THESE THINGS AND WHY ARE THEY SO TERRIBLE AT THEIR JOBS? And, even worse, why are they refusing to be forthcoming with the families and staff members? With each day that passes, my confidence in the people in the Davis Center drops even further. They have offered no hotlines to offer more information (just try getting anyone in that building to answer their phone!), no meetings where parents can ask questions, no forums, and have brought in no experts to explain things to the public. There’s not even a FAQ page to get ahead of commonly asked questions in an obvious, accessible place. These are basic things!

       Look, it’s important to remember that no one wants to be hacked and the people at fault here are the hackers themselves, and not the cash-strapped district. The reason why so many districts got hacked last year (42! That’s so many! And it’s going to be more this year!) is because criminals are lazy. They go after easy targets who are less likely to have the best guardrails in place – so schools, small colleges, small businesses, the elderly and likely churches too. These are entities who can’t afford the latest in cyber security. But it’s important to not let shame and embarrassment get in the way of good communication and rallying the support of the community to help to problem-solve. There are parents in this community who are cyber security experts who can and would be willing to share their expertise with the district, but that can’t happen if the district won’t even admit the scope of the problem, or the details that led to this disaster. The people who committed this crime are not only bad people, but cowardly to boot. They have gone after an organization that cares for vulnerable children, and are therefore putting those children at risk. We need everyone – everyone in our whole community – working together to keep those kids safe, and to prevent anything like this from happening again. It’s time to come clean, MPS. Full transparency. A fully detailed accounting. Even the things that you wish we didn’t know. Because when it’s clear that things are worse than you’re letting on, it makes us wonder what ELSE you’re not telling us. That’s no way to lead.
