Fri. Sep 20th, 2024

A screenshot of the extortion page on the Medusa Blog, which is run by a hackers group. (Screenshot)

Six days are left before a hacker group threatens to release over 200 gigabytes of data pried from the Providence Public Schools Department (PPSD) if the struggling school district doesn’t pay a $1 million ransom. 

The hacker group Medusa is taking credit for the alleged breach which appears to include a cache of parent emails, phone numbers and addresses, as well as drivers’ licenses and identifying information for district employees’ work cell phones as of January 2024.

The potential data dump comes a week after the district sent a Sept. 12 letter to the PPSD community, noting “irregular activity” on the school district’s network. The district enlisted a third-party IT company to determine next steps, after which internet access was shut down across the district’s schools and offices to prevent any further damage. As classrooms returned to old-fashioned forms of instruction, a forensic analysis of the suspicious activity began.

“IT staff followed proper security protocols and worked to isolate the issue which has been contained,” the letter read. “School security systems and protocols remain active while classes continue.”

Superintendent Javier Montañez provided an update in a letter dated Sept. 16: “Currently, all internet-connected systems remain down as IT experts work diligently to assess the network and determine the next steps for a swift resolution. … We want to emphasize that, at this time, there is no evidence that PPSD data has been affected.”

In another Sept. 16 letter, Montañez reiterated that “initial findings did not show evidence that District data was compromised.”

GoLocal Prov and national tech news outlet Comparitech have reported the ransomware group Medusa as the culprit. And Wednesday morning, Erlin Rogel, president of the Providence School Board, released a statement that the board would meet in executive session with Montañez during a regular meeting Wednesday evening.

“The Providence Public School District has experienced a network security breach, and the school board intends to address it with urgency,” Rogel stated Wednesday morning.

“This evening, we will meet in executive session to learn from the superintendent how the breach occurred, what steps are being taken to resolve it, and how we’re supporting students and families during the outage. We also want to learn what liability resides with our network security vendor and what measures are being taken to ensure this doesn’t happen again.”

“As is standard operating procedure, the District and their professional third-party IT agency contacted RI State Police, Federal Bureau of Investigation (FBI), and Department of Homeland Security (DHS) last Wednesday,” Jay Wegimont, PPSD spokesperson, said in an email Wednesday. “Please note that this was also done out of an abundance of caution and that the analysis is ongoing.” 

“The Rhode Island Department of Education, which oversees Providence schools, is aware of the situation and is working closely with the district,” said spokesperson Victor Morente.

“It is our understanding that a forensic analysis of the network is underway which will provide more information on what occurred,” Morente said. “That is all that we have at this time.”

The Providence School Board is meeting in closed session with the school superintendent Wednesday night to discuss next steps after a data breach and demand from hackers for a $1 million ransom. (Alexander Castro/Rhode Island Current)

Internal memos, invoices and potentially sensitive information

Ransomware works by encrypting files into an unusable form and then forcing the data’s owners to pay for their recovery, typically within a specified time frame. True to its snake-haired namesake, Medusa petrifies files into a format that can only be decrypted by the attackers themselves. The group also releases the files publicly at the end of the countdown if the extortion amount isn’t paid.

A ransom landing page was posted Monday, nearly a week after the network outage was announced. It includes a set of 41 watermarked screenshots meant to preview the data dump’s contents. Some of the information was already publicly accessible, like requests for proposal and bid documents for district contractors. 

But much of the data is not meant to be shared. Among the items previewed: Internal memos, invoices, computer inventories, student rosters and a meeting memo meant for the parents of a student who receives special education. Another spreadsheet appears to obscure student names but lists developmental disabilities. Some of the files appear to belong to individual teachers’ district-provided computers. The largest folder contains a number of subfolders with potentially sensitive information relating to human resources, technology, communications and special education.

Hackers appear to have given the school district three options: For $100,000, the timer can be extended by one day. For $1,000,000, the data can be deleted or downloaded. The page’s source code suggests the payment would be made in Bitcoin, the most well-known cryptocurrency. 

PPSD is one of eight extortion attempts currently listed as in-progress on the Medusa blog. The most recent — Compass Group, a food services company in Australia — was posted Tuesday and has a ransom price of $2 million for nearly 800 gigabytes of data. Compass Group confirmed to Cyberdaily.au on Wednesday that it is being extorted by Medusa.

The Medusa group is unusual among ransomware actors in that it maintains a presence outside the dark web, and has posted the spoils of its illicit activity on non-dark-web sites, according to cybersecurity researchers at Unit 42. The group rose to prominence in 2023 and has conducted a number of ransom campaigns this year, usually targeting health, education, tech and manufacturing organizations. The ransomware employs “living-off-the-land” techniques to infiltrate targets, which means leveraging the target’s existing network infrastructure and built-in tools rather than bringing in its own. Machines running Windows are the usual targets.

PPSD, meanwhile, still has a job posting online for a senior director of information technology. The role has been open since May. Wegimont acknowledged a request for clarification about whether the job is still open, but did not return a response by publication time Wednesday. 

There were 13 full-time positions allocated for PPSD’s information services in the 2024-2025 budget. 
