Traverse City News and Events

Ransomware Group Claims Credit for TCAPS Attack

By Beth Milligan | April 16, 2024

Medusa, a ransomware group that has claimed responsibility for numerous attacks on entities ranging from school districts to municipalities to corporations like Toyota, has claimed responsibility for a ransomware attack on Traverse City Area Public Schools (TCAPS) that forced the district to cancel classes for two days earlier this month.

Medusa added TCAPS to the victim list on its blog this weekend, according to multiple cybersecurity watchdog groups and outlets. Medusa claimed to have stolen 1.2 terabytes of information and was demanding a $500,000 ransom to not sell or release the data. TCAPS Superintendent Dr. John VanWagoner said in a letter to families Tuesday that the district is "aware that a ransomware group is claiming responsibility for the district’s recent network disruption," adding that "details have been shared with our investigators."

VanWagoner tells The Ticker he can't confirm whether Medusa is an official suspect in the investigation. "There are different accounts that are out there, and any of them we've been given have been passed on to our investigators," he says. "We don't want to speculate during an active investigation." On the advice of law enforcement and investigators, VanWagoner also couldn't comment on whether TCAPS has paid any type of ransom to date. Typically, any significant district expenditure would be approved by the school board in a public meeting.

VanWagoner said in his letter to families that TCAPS continues to investigate "a network disruption that impacted the functionality and access of certain systems. Upon discovery of this incident, we immediately disconnected access to the network and promptly engaged a specialized third-party cybersecurity firm and IT personnel to assist with securing the environment, as well as to conduct a comprehensive investigation to determine the nature and scope of the incident. Since the forensic investigation remains ongoing, we will provide additional updates as more information becomes available."

VanWagoner continued: "At this time, we are currently investigating whether personally identifiable information was potentially impacted. Should we discover individuals’ personally identifiable information was potentially impacted, we will notify those individuals directly. I would like to again stress that to date, TCAPS has no reports of identity theft or fraud arising out of the incident." The superintendent said TCAPS will continue to share updates "as we navigate this sensitive situation."

VanWagoner tells The Ticker that the district expects a "long, ongoing investigation" into the attack. "From the professionals who do this, it takes quite a period of time to go through," he says. "We're committed to making sure our families and staff are updated as much as possible. That letter today was up-to-the-minute on what we have." VanWagoner adds that as a TCAPS staff member and parent himself, he wants to "make sure our kids and staff are as safe as possible, not just physically but with their personal information. By following the advice of the professionals, everything is being done on that account."

According to the U.S. Department of Justice, ransomware is a "type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted." Data can also be leaked or shared online after ransomware attacks.

The U.S. Department of Justice discourages victims from paying ransoms. "Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom," according to the department. "Some victims who paid the demand have reported being targeted again by cyber actors. After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key." The U.S. Department of Justice also warns that "paying could inadvertently encourage this criminal business model."
