traverse city schools medusa ransomware

Ransomware group Medusa over the weekend claimed an attack that forced Traverse City, Michigan area public schools to cancel classes two week ago. On its leak site, Medusa says it stole 1.2 TB of data, and is demanding a $500,000 ransom in exchange for not selling or publicly releasing it. The school district has not confirmed the ransom.

Traverse City Area Public Schools initially called the incident a “network disruption,” and canceled classes for the first two days of April. It has not stated whether any student or staff data was stolen, and it’s not clear what data Medusa is holding for ransom.

Comparitech contacted Traverse City Area Schools for comment, and we’ll update this article if it responds.

Who is Medusa

Medusa first surfaced in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay twice: once to decrypt their systems, and once for not selling or publishing stolen data.

Medusa has been confirmed as the gang behind nine attacks in the US so far this year. These include attacks on Water for People, Signature Performance, Inc. Henry County, Tarrant Appraisal District, the East Baton Rouge Sheriff’s Office, and John R. Wood Properties. The Signature Performance’s hack saw 7,122 people affected, and Medusa demanded $2.5 million (no confirmation on payment).

Medusa is responsible for 51 confirmed attacks since 2018, according to our data, including 12 so far this year.

About Travere City Area Public schools

Based in Traverse City, Michigan, the school district is made up of 10 elementary schools, two middle schools, two high schools, one alternative high school, and one Montessori school. It serves 8,908 students and has 932 employees, according to its website.

In 2022, we recorded 65 ransomware attacks affecting 1,436 schools and colleges in the USA, and potentially impacting more than 1 million students.