Ransomware gang posts video of data stolen from Minneapolis schools

The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack.

This ransomware gang, which is different from MedusaLocker ransomware, launched in 2021 but saw a significant spike in malicious activity in 2023.

Yesterday, Medusa listed MPS as a victim on its Tor data leak site, threatening to publish all data it allegedly stole from the public school district by March 17, 2023.

MPS entry on Medusa's extortion site (BleepingComputer)

The threat actors demand a payment of $1 million to delete all data while they accept an equal amount to give that data to interested buyers. Moreover, they offer 1-day extensions to the data publication deadline for $50,000.

This extortion attempt stands out because the threat actors created a video showing all of the data allegedly stolen from the Minneapolis Public Schools district.

The video was first spotted by Emsisoft's threat analyst Brett Callow, who tweeted that the video is ~51 minutes long and the first time he has seen this tactic used publicly.

Medusa video demonstrating file access
Source: BrettCallow

This rather unusual and bold method of providing proof of access to the victim's systems has the potential to reach a large audience compared to the standard practice of hosting screenshots on Tor sites.

MPS not paying

The Minneapolis Public School published an announcement on March 1, 2023, disclosing its suffering from an "encryption event" that caused system outages since February 21, 2023.

MPS is a public school district in Minnesota, in the United States, that enrolls 36,370 students and administers about one hundred public primary and secondary schools.

The education organization said it was not planning to pay the threat actors a ransom and instead opted to restore the data encrypted by the ransomware actors using internal backups.

Regarding the data theft possibility, MPS says that its investigation has so far not yielded evidence of unauthorized access.

"MPS has not paid a ransom and the investigation has not found any evidence that any data accessed has been used to commit fraud," reads the MPS systems outage notice.

"However, if the ongoing investigation indicates that personal information has been impacted, the impacted individuals will be notified immediately."

Considering that a whole week has passed since this announcement and Medusa has now publicly delivered its threat to leak sensitive data, MPS might provide an update on potentially stolen data soon.

Finally, the public organization warned its students and over 4,500 teachers and staff about the elevated risk of phishing attacks and scamming attempts against them due to this breach.