Traverse City News and Events

Ransomware Group Claims Credit for TCAPS Attack

By Beth Milligan | April 16, 2024

Medusa, a ransomware group that has claimed responsibility for numerous attacks on entities ranging from school districts to municipalities to corporations like Toyota, has claimed responsibility for a ransomware attack on Traverse City Area Public Schools (TCAPS) that forced the district to cancel classes for two days earlier this month.

Medusa added TCAPS to the victim list on its blog this weekend, according to multiple cybersecurity watchdog groups and outlets. Medusa claimed to have stolen 1.2 terabytes of information and was demanding a $500,000 ransom to not sell or release the data. TCAPS Superintendent Dr. John VanWagoner said in a letter to families Tuesday that the district is "aware that a ransomware group is claiming responsibility for the district’s recent network disruption," adding that "details have been shared with our investigators."

VanWagoner tells The Ticker he can't confirm whether Medusa is an official suspect in the investigation. "There are different accounts that are out there, and any of them we've been given have been passed on to our investigators," he says. "We don't want to speculate during an active investigation." On the advice of law enforcement and investigators, VanWagoner also couldn't comment on whether TCAPS has paid any type of ransom to date. Typically, any significant district expenditure would be approved by the school board in a public meeting.

VanWagoner said in his letter to families that TCAPS continues to investigate "a network disruption that impacted the functionality and access of certain systems. Upon discovery of this incident, we immediately disconnected access to the network and promptly engaged a specialized third-party cybersecurity firm and IT personnel to assist with securing the environment, as well as to conduct a comprehensive investigation to determine the nature and scope of the incident. Since the forensic investigation remains ongoing, we will provide additional updates as more information becomes available."

VanWagoner continued: "At this time, we are currently investigating whether personally identifiable information was potentially impacted. Should we discover individuals’ personally identifiable information was potentially impacted, we will notify those individuals directly. I would like to again stress that to date, TCAPS has no reports of identity theft or fraud arising out of the incident." The superintendent said TCAPS will continue to share updates "as we navigate this sensitive situation."

VanWagoner tells The Ticker that the district expects a "long, ongoing investigation" into the attack. "From the professionals who do this, it takes quite a period of time to go through," he says. "We're committed to making sure our families and staff are updated as much as possible. That letter today was up-to-the-minute on what we have." VanWagoner adds that as a TCAPS staff member and parent himself, he wants to "make sure our kids and staff are as safe as possible, not just physically but with their personal information. By following the advice of the professionals, everything is being done on that account."

According to the U.S. Department of Justice, ransomware is a "type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted." Data can also be leaked or shared online after ransomware attacks.

The U.S. Department of Justice discourages victims from paying ransoms. "Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom," according to the department. "Some victims who paid the demand have reported being targeted again by cyber actors. After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key." The U.S. Department of Justice also warns that "paying could inadvertently encourage this criminal business model."
