Lee University Medusa ransomware

Ransomware group Medusa is demanding $1 million for the safe return of data it says it stole from Lee University in Tennessee. The University yesterday announced it was investigating a “potential security incident” that it discovered on March 22, 2024.

The announcement stated, “Lee University became aware of a potential security incident early Friday morning, March 22, 2024. With assistance from external resources, Lee University’s IT team took immediate measures to contain the suspected incident and secure Lee’s environment. Classes have continued as scheduled.”

Lee University didn’t share what data or systems were affected, and hasn’t confirmed Medusa’s claims. Medusa says it stole 387.5 GB of data from the school.

Some of the school website’s pages were unavailable as of the time of writing. We don’t know if the downtime is related to the attack.

Kendra Gray, administrative assistant to the University’s director of communications, told Comparitech in an email, “The investigation is still ongoing, and we are unable to share specific information on the nature of the incident or extent of its impact.”

Who is Medusa?

Medusa first surfaced in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay twice: once to decrypt their systems, and once to keep the stolen data from being sold or published.

Medusa has been confirmed as the gang behind 14 attacks in the US so far this year. These include attacks on Water for People, Signature Performance, Inc., Henry County, Traverse City Area Public Schools, Tarrant Appraisal District, the East Baton Rouge Sheriff’s Office, and John R. Wood Properties.

Medusa is responsible for 53 confirmed attacks since it began operating, according to our data.

About Lee University

Lee University in Cleveland, TN is a private Christian school founded in 1918. It has about 4,000 students and 1,200 employees, according to external sources.

Ransomware attacks on US education

Ransomware attacks are a growing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data.

Comparitech has recorded 10 confirmed attacks on US education organizations so far this year. We recorded 100 confirmed attacks in total last year, affecting 2,109,942 records. The average ransom on confirmed attacks over the last year and four months has been just over $450,000.

Additionally, we’ve recorded 25 unconfirmed attacks on US education organizations so far this year.