Three states, three school districts, one Medusa ransom gang

The Medusa ransomware gang has laid claim to three separate school districts in less than a week, compromising the personal information of thousands of students and teachers.

Coast to coast, the educational systems include the Glendale Unified School District (GUSD) in California, the Hinsdale School District (HNHSD) in New Hampshire, and the Campbell County Schools (CCS) in Kentucky.

Along with the claims, Medusa posted dozens of highly sensitive documents for each school district, chock full of personal details of students, parents, and teachers: information that could easily be used by cybercriminals for future targeted attacks.

Glendale Unified, the largest district among the three victims and the third largest school district in Los Angeles County, was the first of two victims listed Monday, December 11th.

The district serves over 20,000 students and more than 2,500 teachers and staff spread across 20 elementary schools, four middle and four high schools.

Glendale Unified School District. Medusa leak site. Image by Cybernews.

Glendale Unified was the only district to acknowledge a cyberattack, providing a full dossier on its website depicting what happened.

“On December 6th, 2023, GUSD detected a ransomware cybersecurity incident that impacted our systems,” the district wrote.

The district said it is still waiting for more information from cyber forensic experts to determine “what systems were impacted and how.”

Although all 28 schools and in-person classes are still operating as normal, the district has asked all students and teachers not to use any school computers or try to log into any school accounts from personal devices while the investigation continues.

Medusa started a countdown clock of roughly 10 days (December 21st) and a ransom demand of exactly $1 million (to be paid in Bitcoin) to either delete or download the alleged stolen files – with a $10K charge for each extra day of negotiations.

Medusa leak site. Image by Cybernews.

Brian Boyd, head of technical delivery at cybersecurity firm i-confidential, said that when groups like Medusa show this level of capability, their claims should be taken seriously and investigated accordingly.

“Ransomware attacks are continuing to surge, and if this year has taught us anything, it’s that no organization is immune to the threat,” Boyd explained.

“Criminals understand the potential to make money from ransomware, as it’s a business to them, and this will continue in the year ahead, especially with advances in generative AI,” he said.

Also claimed December 11th and given an 11-day deadline was Hinsdale School District in southern New Hampshire.

It is by far the smallest district, with just over 500 students and only one primary and one high school, which could explain why Medusa is asking for only $200,000.

Cybernews found Hinsdale’s website unresponsive at the time of this report, while the other districts' websites were loading normally.

Hinsdale School District website unresponsive. Image by Cybernews.

Finally, Campbell County Schools, located in Alexandria, Kentucky, in the greater Cincinnati area, was claimed by the gang December 6th.

With 10 schools and a working budget of approximately $50 million, its students and faculty total more than 8,000 people, according to the CCS website.

Medusa is asking $600,000 for its data, with an 8-day deadline.

Campbell County Schools. Medusa leak site. Image by Cybernews.

Sensitive samples

Cybernews was able to look through the leak samples that Medusa posted on their victim blog and can confirm that the cache of more than 90 documents between the trio is quite extensive.

The gang posted various databases from each school containing student details, including names, grade year, school attended, student ID numbers, assigned advisors, special education needs, and files of official class pictures, among other random school event photos.

Parents' names, addresses, and emails, student assessments, after-school care schedules, and even student health records of positive Covid-19 tests were also listed for some schools.

Faculty and teachers' information was just as plentiful. Besides names, addresses, etc., the samples contained social security numbers, copies of driver's licenses and passports, as well as individual salaries, timesheets, and disciplinary letters.

Leak samples from Glendale, Hinsdale, and Campbell County Schools. Medusa leak site. Image by Cybernews.

Other district financial information, such as operations and budgets, was also included in all three troves.

Each sample piece is marked with its own QR code, which opens a message from Medusa listing its onion address and a warning, “Don’t believe the scammers.”

Medusa's education spree

The Medusa ransomware gang began operating around the end of 2022 and has been consistently active.

Medusa claimed two other school districts last month: the Hopewell Area School District and Great Valley School District, both in Pennsylvania.

The Minneapolis Public Schools in Minnesota was also hit this spring and presented with a $1 million ransom demand.

The Medusa leak blog shows all three school districts have had their files published since.

Additionally, in November, the threat actors hit Toyota Financial Services, affecting operations in Europe and Africa and forcing the company to take some systems offline for days.

Medusa ransomware is believed to be operating under the Ransomware-as-a-Service (RaaS) model.

Under this model, other less-skilled threat actors pay a cut of their profits to Medusa in exchange for use of the gang’s signature malware variant.

According to Ransomlooker, a Cybernews ransomware monitoring tool, Medusa has attacked at least 119 organizations over the past 12 months.

Boyd said that to counter these kinds of threats, organizations must improve their defenses against ransomware to make it harder for attackers to reach their data.

“This can be accomplished by practicing good cyber hygiene, where systems are up to date, backups are stored on premise and in the cloud, and employees are regularly trained on how to recognise phishing emails,” he said.

Additionally, all systems and devices should be inventoried and secured, while recovery processes are documented and practiced regularly, Boyd said.