Ransomware Group Claims Massive Data Leak But MN Files’ Whereabouts a Mystery
A failed $1 million ransom bid by the cyber crime group Medusa puts Minneapolis students’ and educators’ sensitive files at risk.
A cyber gang claims it published what could be a startling amount of stolen Minneapolis Public School records to the internet after the district failed to meet a $1 million extortion demand, but where the actual files are now remains something of a mystery.
Early Friday morning, after the Medusa gang’s countdown clock on the ransom deadline struck zero, the files weren’t readily available for download on its dark web leak site. Instead, a “Download data now!” button directs users to contact the ransomware gang through an encrypted instant-messaging protocol. Attempts by The 74 to reach the gang have been unsuccessful.
Files from previous Medusa victims are available on a website designed to resemble a technology news blog — a front of sorts. Unlike the Medusa blog, this site is not relegated to the dark web and does not require special tools to access. Download links are also posted in a channel on Telegram, the messaging service that’s been used by terror groups and far-right extremists. Yet as of Friday afternoon, the files purportedly stolen from the Minneapolis district were not available for download on either platform.
Data from previous victims appears to be uploaded to the faux technology news blog about a month after the ransom deadline expires, suggesting that the Minneapolis files could become available online after a brief lag.
Still, in a statement on Friday, the district said it “is aware that the threat actor has released certain MPS data on the dark web today.”
“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district continued. “This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted.”
Early indications suggest the files contain a significant volume of sensitive information about students and staff. Leading up to the Friday deadline, Medusa posted a short-lived video to Vimeo that previewed the files in its possession and published a file tree on its dark web blog that purportedly showed the names of the compromised documents. The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. As of Friday afternoon, the dark web blog post showing the file tree had amassed more than 3,100 page views.
Whether or not the files surface, the file tree itself points to the trove of stolen records being extensive. It lists more than 172,000 individual records, including large backup files. Though it’s unclear how many of the documents contain personally identifiable information and other sensitive data, the listed files add up to a startling 157 terabytes.
“Yikes, that’s a lot,” said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange. “It’s a very significant exfiltration.”
By comparison, last year the Los Angeles Unified School District suffered a ransomware attack and a cache of stolen district files — including thousands of current and former students’ sensitive mental health records — was uploaded to a dark web leak site. The files in that leak, which drew national attention to cybersecurity vulnerabilities in K-12 schools, total some 500 gigabytes. There are 1,000 gigabytes in one terabyte.
The records stolen from the Los Angeles school district could fit on the hard drive of just one laptop. The scope of records stolen in Minneapolis, meanwhile, is more akin to “entire IT systems,” said Levin, who was especially concerned about the breach of district backup files. “You’re probably looking at some of the more sensitive data that the district maintains — sensitive enough that they are backing it up and maintaining those files.”
The data leak deadline comes a little more than a week after Medusa listed the district on its dark web blog and two weeks after Minneapolis school officials attributed “technical difficulties” with its computer system to an “encryption event.” That euphemistic characterization left the public in the dark about the incident’s severity, cybersecurity analysts and community members said.
Those experts said Medusa’s pre-leak efforts were a particularly aggressive attempt to increase public attention around the attack and coerce the district to meet its ransom demand.
Medusa’s decision to upload its stolen files to the faux technology news blog is likely a tactic to elevate the privacy risks to potential data breach victims and convince hacked organizations to pay the ransom, said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.
Despite Medusa’s extensive steps to publicize the ransomware attack prior to the Friday deadline, the group has been “unusually uncommunicative” since the clock struck zero and its dark web blog listed the Minneapolis records as published, Callow said. The cyber expert said he also reached out to the group Friday to inquire about the Minneapolis breach but didn’t receive a response.
People who don’t work in cybersecurity may not know how to access dark web sites, he said, while the technology news blog is more accessible to the general public. Therefore, dark web sites “would concern organizations less than the data being released from the ‘clearnet’ where it is easily accessible and links to it can be shared via Twitter and other social platforms. It’s much easier for people to access.”
Callow agreed the volume of data purportedly stolen from the Minneapolis district constitutes an outlier among ransomware attacks — but he offered a caution.
“Just because they published a file tree doesn’t mean they necessarily obtained all of the data it shows in that tree,” he said, noting that organizations like school districts can shut hackers out of their systems if they’re caught in the act.
In a March 9 statement, the district said it had “taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal.”
During a school board meeting Tuesday, interim Superintendent Rochelle Cox said the district’s computer network “was infected with an encryption virus that was first discovered” Feb. 18. Secure backups allowed the district to restore many of its systems, Cox said, and while sensitive data has now been released publicly, the district is unaware of any evidence that the information has been leveraged by criminals to commit fraud. Once the district identifies impacted individuals, Cox said it will provide them with credit monitoring and identity protection services.
Yet as Cox credited the district’s technology department for responding swiftly to restore district systems after the attack, Levin, the K-12 cybersecurity expert, said the sheer volume of files purportedly stolen points to the threat actors possibly lurking around inside the MPS computer systems for weeks — if not months.
“Exfiltrating this amount of data without detection certainly is concerning,” Levin said. “This sort of mass exfiltration is something that cybersecurity experts look for when they are defending systems and this is certainly not something that is downloaded in an hour or two.”
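Levin’s point is that egress volume is one of the signals defenders watch for. As an added illustration that is not part of this article and not the district’s tooling, the Python below runs a basic volume check over a handful of constructed outbound flow records (hostnames, IPs and byte counts are invented): it totals bytes sent per internal host, compares each host against the median of its peers, and flags hosts that both exceed an absolute floor and dwarf their peers, reporting the destinations and how many hours the transfer spanned.

```python
"""Outbound-volume check over constructed flow records (example only).

Format assumed per line: ISO timestamp, source host, destination IP,
destination port, bytes sent out of the network. The sample data below is
invented for this example and is not from any real incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_FLOWS = """\
2023-02-10T01:02:11Z srv-backup-01 203.0.113.9 443 48213000
2023-02-10T01:09:40Z srv-backup-01 203.0.113.9 443 51002000
2023-02-10T01:15:03Z ws-0142 198.51.100.7 443 23100
2023-02-10T01:20:55Z ws-0142 198.51.100.7 443 18800
2023-02-10T02:01:12Z srv-backup-01 203.0.113.9 443 49977000
2023-02-10T02:10:31Z ws-0077 198.51.100.20 443 34050
2023-02-10T02:30:00Z srv-backup-01 203.0.113.9 443 50440000
2023-02-10T09:12:19Z ws-0142 198.51.100.7 443 41200
2023-02-10T09:30:44Z ws-0077 198.51.100.20 443 27700
2023-02-10T10:05:09Z ws-0311 198.51.100.20 443 30100
2023-02-10T11:45:02Z ws-0311 198.51.100.7 443 19500
2023-02-10T23:58:49Z srv-backup-01 203.0.113.9 443 47130000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return rows


def summarize_by_host(rows):
    """Per source host: total bytes out, destination set, first/last seen."""
    stats = {}
    for r in rows:
        s = stats.setdefault(r["src"], {"bytes": 0, "dests": set(),
                                        "first": r["ts"], "last": r["ts"]})
        s["bytes"] += r["bytes"]
        s["dests"].add(r["dst"])
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
    return stats


def flag_exfil(rows, peer_ratio=20.0, floor_bytes=100_000_000):
    """Flag hosts whose outbound total is both above an absolute floor and
    more than peer_ratio times the median of every other host.

    The floor stops a quiet network from flagging ordinary traffic; the
    peer ratio catches the one host that is moving far more than the rest.
    Thresholds here are illustrative, not tuned for any real environment.
    """
    stats = summarize_by_host(rows)
    flagged = {}
    for host, s in stats.items():
        peers = [o["bytes"] for h, o in stats.items() if h != host]
        baseline = median(peers) if peers else 0
        if s["bytes"] >= floor_bytes and s["bytes"] > peer_ratio * baseline:
            span_hours = (s["last"] - s["first"]).total_seconds() / 3600
            flagged[host] = {
                "bytes": s["bytes"],
                "peer_median": baseline,
                "destinations": sorted(s["dests"]),
                "span_hours": round(span_hours, 2),
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_exfil(parse_flows(SAMPLE_FLOWS)).items():
        print(host, info)
```

A peer-median comparison over a single day will catch a burst like the one in the sample but miss a slow transfer spread across weeks, which is why the per-host history (first and last seen, total over a long window) matters as much as the ratio; the thresholds are assumptions and should be tuned against real baselines.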
As the district works to analyze the scope of the attack, it’s advising district families and staff to avoid interacting with suspicious emails or phone calls, to change their passwords, and to refrain from downloading any data released by cyber criminals, because doing so plays into their hands “by drawing attention to the information and increasing our community’s fear and panic.”