Medusa claims Minneapolis Public Schools as victim


The Medusa ransomware gang has added Minneapolis Public Schools (MPS) to its darknet website, which member hackers use to claim and extort victims.

The threat actors are threatening to leak the stolen data if the school district doesn’t pay the ransom. MPS enrolls over 35,000 students annually and runs around a hundred schools in Minneapolis.

MPS acknowledged the cyberattack in February after the organization’s IT systems went dark. The attack garnered attention on social media because of the wording MPS used: the district described the ransomware attack somewhat euphemistically as an “encryption event.”

MPS on Medusa's blog. Image by Cybernews.

“An investigation, with the assistance of an outside forensic investigation firm and legal counsel, has determined that an encryption event was the cause of technical difficulties affecting the operability of certain MPS computer systems,” the MPS statement said.

An entry on Medusa’s blog shows that hackers demand the school system pay $1 million to delete the stolen data. Malicious actors set the same price for anyone interested in downloading the stolen information.

The Medusa ransomware gang began operating around the end of 2022. Despite being a newcomer, it was among the most active ransomware syndicates last month. According to deep-web watchdog Darkfeed, Medusa attacked at least 18 organizations in February, making the group the third most prolific gang that month.

Medusa ransomware is believed to operate under the ransomware-as-a-service model, where threat actors with limited technical skill use malware devised by sophisticated developers. Affiliates later share ransom money with the developers.