Medusa ransomware gang publishes school students' mental health records after failing to secure a ransom

News04 May 2023

Threat actors who published the personal data of students stolen from Minneapolis Public School, also published students’ mental health reports to mount further pressure on the US school district.Minneapolis Public School said in an official notice on its website that on February 21, it suffered an “encryption event” that affected internal IT systems and disrupted several systems including its internet, phones, cameras, badge access, printers, building alarms, and more.On March 7, the infamous Medusa ransomware group listed Minneapolis Public Schools as its latest victim on its data leak site. The group said it gave the school district a deadline of March 17 to pay a ransom of $1 million in exchange for deleting all data or $50,000 to extend the deadline by another day. The group also said that it was willing to sell all stolen data to anyone willing to pay a million dollars.Once the deadline was over, on March 17, the Medusa ransomware group published the data stolen from MPS. Ian Coldwater, a cybersecurity expert and an MPS parent, said that the leaked data included current and former student records, parent contacts, home addresses, IDs with pictures, grades, sensitive disciplinary and health records, budgets, contracts, grant information, building layouts, payroll, and human resources information.Recently, NBC News reported that the leaked files contained even more sensitive data about students and teachers, including allegations of teacher abuse and students’ mental health reports. The files reviewed by the media group include details of students’ behavioural issues and social security numbers of teachers.In an incident update posted on the school district’s website, MPS Interim Superintendent Rochelle Cox said, “I want to reassure the MPS community that we continue to move forward to notify individuals who have been impacted by our recent data breach – and also extend our support to Rochester Public Schools who are this week grappling with the same criminal act within their IT system.”“This week, we’re seeing an uptick in reports of messages – sometimes multiple messages – sent to people in our community stating something like “your social security number has been posted on the dark web.“I want to remind everyone to NOT interact with such messages unless you KNOW the sender. These messages are not from MPS. Our messages notifying impacted individuals will include our name and logo,” Cox added.MPS has been working closely with the FBI and external cyber security specialists and assessing the data published on the dark web after March 17.