
Minneapolis Public Schools

The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools District (MPS) to delete data allegedly stolen in a ransomware attack.

This ransomware gang, which is different from MedusaLocker ransomware, launched in 2021 but saw a significant spike in malicious activity in 2023.

Yesterday, Medusa listed MPS as a victim on its Tor data leak site, threatening to release any data it allegedly stole from the public school district by March 17, 2023.

MPS Entry to Medusa Extortion Site (Computer Beep)

The threat actors are demanding a payment of $1 million to delete all of the data, and they ask the same amount to hand that data to interested buyers. Additionally, they offer one-day extensions of the data release deadline for $50,000.

This extortion attempt stands out because the threat actors created a video showing all of the data allegedly stolen from the Minneapolis Public Schools District.

The video was first spotted by Emsisoft threat analyst Brett Callow, who tweeted that the video is about 51 minutes long and that this is the first time he has seen this tactic used publicly.

Medusa video showing file access
Source: BrettCallow

This rather unusual and audacious method of providing proof of access to victim systems has the potential to reach a large audience compared to the standard practice of hosting screenshots on Tor sites.

MPS does not pay

Minneapolis Public Schools posted an announcement on March 1, 2023, revealing that it had suffered an “encryption event” that had caused system outages since February 21, 2023.

MPS is a public school district in Minnesota, United States, which enrolls 36,370 students and administers approximately 100 public elementary and secondary schools.

The educational organization said it does not plan to pay a ransom to the threat actors and has instead opted to use internal backups to restore the data that the ransomware actors encrypted.

Regarding the possibility of data theft, MPS says its investigation has so far failed to provide evidence of unauthorized access.

“MPS did not pay a ransom and the investigation found no evidence that the accessed data was used to commit fraud,” reads the MPS systems outage notice.

“However, if the ongoing investigation indicates that personal information has been affected, those affected will be notified immediately.”

Considering that a full week has passed since that announcement and Medusa has now publicly announced its threat to leak sensitive data, MPS may soon provide an update on the potentially stolen data.

Finally, the public organization warned its students and more than 4,500 teachers and staff of the high risk of phishing attacks and attempted scams against them due to this breach.


