Ransomware group says it stole student data from Minneapolis Public Schools

The ransomware group behind an attack on Minneapolis Public Schools posted a public video allegedly showing screenshots of stolen data after the school district said it was using backups to recover from the incident.

The school district – which serves about 34,500 students – faced disruptions last week after a ransomware attack damaged some systems. The school called the attack an “encryption event” and said it knocked out its internet, phones, cameras, badge access, printers, and building alarms.

Parent-teacher conferences were also canceled following the attack, which first began on the President’s Day holiday.

In a follow-up note last week, the school said it used backups and worked with law enforcement as well as cybersecurity experts to restore much of their systems.

“Please note, MPS has not paid a ransom and the investigation has not found any evidence that any data accessed has been used to commit fraud,” the school said last Wednesday. “However, if the ongoing investigation indicates that personal information has been impacted, the impacted individuals will be notified immediately.”

On March 7, the Medusa ransomware group added the school district to its list of victims, giving them 10 days to pay a ransom before data stolen from the school was leaked.

The group later posted a link to a heavily-produced 51-minute video, which showed the hackers sharing screenshots of the data they stole.

Emsisoft ransomware expert Brett Callow said it was the first time he recalled seeing a ransomware gang use this particular tactic during a negotiation.

Other experts shared clips of the cinematic opening the ransomware group used for the video and said it included shots of stolen emails, student grades, building layouts, payroll information and more from MPS.

The attack highlights an emerging issue facing dozens of schools across the U.S. that are hit with ransomware. Even after recovering from the immediate operational issues caused by a ransomware attack, students and employees often have to contend with the fact that their information is now widely available for anyone to access.

Last month, the mental health records of thousands of Los Angeles K-12 students were found leaked across the internet after a ransomware attack last year by the Vice Society ransomware group.

Callow said that as of the end of February, there were at least 19 reported ransomware incidents affecting colleges, universities and K-12 schools.