Leaking private data to embarrass victims into paying a ransom is probably the least organizations should expect from ransomware criminals in 2023.
Looking back over the last decade, it’s surprising criminals didn’t think of this tactic earlier. Encrypting files is hugely inconvenient but at least these can usually be restored with some effort.
At some point, it dawned on ransomware groups that the real prize was the data in the files and not the files themselves. This realization has had far-reaching consequences in ways that have transformed the nature of modern cybercrime. Unlike file encryption, data has a long shelf life and once stolen can’t be retrieved. Data loss is forever.
These potentially serious long-term effects of data loss were brought into focus by the aftermath of the upsetting ransomware attack on Minneapolis Public Schools (MPS) by the Medusa ransomware group in February.
During that incident, Medusa published a slickly produced 51-minute video to showcase the nature of the sensitive data they’d stolen, the first time this tactic has been used. According to someone who watched the video, the haul comprised 300,000 files, including student records going back to 1995, parental contacts, addresses, grades achieved, payroll data, and building layouts.
But that wasn’t all. According to a recent report by AP, the cache also included data on “sexual assaults, psychiatric hospitalizations, abusive parents, truancy—even suicide attempts.”
That’s in addition to health information and details of disciplinary steps against students. AP’s analysis offers an important glimpse into the effect this incident had on some of its young victims:
“‘Please do something,’ begged a student in one leaked file, recalling the trauma of continually bumping into an ex-abuser at a school in Minneapolis. Other victims talked about wetting the bed or crying themselves to sleep.”
The data was ostensibly released because MPS refused to pay the $1 million ransom demand made by Medusa shortly after the attack, although there is no evidence paying would have made any difference.
In the Crosshairs
This incident is only the latest in an increasingly sophisticated targeting of schools in the United States and beyond. Others include a January attack on Des Moines Public Schools and the Vice Society’s campaign targeting schools last fall.
According to figures from Comparitech, there were at least 65 attacks against U.S. schools and colleges during 2022, affecting 1,435 institutions serving 1 million students. The figures for 2023 so far have added another 37 attacks to that total.
How much did all this cost a sector not noted for being flush with money? Unfortunately, it’s hard to tell. Schools remain reluctant to discuss their experiences, especially when a ransom has been paid.
Governments have become increasingly concerned to control the negative effects of digital media on young people, especially the distribution of child sexual abuse material (CSAM).
All very laudable, but damage is also being done through ransomware data breaches in ways that could haunt the victims for decades to come. Ransomware is not always just about money and convenience; people’s lives are also at stake.