IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Ransomware Group Claims It Targeted Traverse City Schools

The ransomware group Medusa claimed responsibility for a cyber attack earlier this month that disrupted the network at Traverse City Area Public Schools in Michigan and forced it to cancel classes for days.

A lock formed from lines of red code on top of a silver file folder icon. The background is lines of black code against a white backdrop.
(TNS) — A ransomware group claims it's behind the network disruption that forced Traverse City Area Public Schools to cancel class in early April.

In a letter to TCAPS families, Dr. John VanWagoner, district superintendent, acknowledged the claim without specifying who made it.

According to an article on, ransomware group Medusa posted to its site over the weekend that it stole 1.2 TB of data. One terabyte can hold roughly 6.5 million document pages (saved as Office files, PDFs, or presentations), 500 hours of high-definition video, or approximately 250,000 photos taken with a 12-megapixel camera, according to

In that article, the group says it is demanding $500,000 to prevent it from releasing the data, and $500,000 more to unencrypt it. If true, that's typical of how the group operates — and it's not the first school that has dealt with it.

VanWagoner said he couldn't comment on who might be behind the attack, on the advice of the district's attorneys. "When the investigation is complete and we get information, and we're directed and told what that is, is when we will continue to update," he said.

On March 28, TCAPS technology department experienced a "network disruption" that "impacted the functionality and access of certain systems," the district said in a letter to families. The district made the decision to disconnect access to the network, and closed school for an additional two days.

Since then, the district has been working with a third-party cybersecurity firm, law enforcement, and the IT department at the Sabin Data Center to get to the root cause of the disruption.

VanWagoner, in Tuesday's letter, again stressed that there are "no reports of identity theft or fraud arising out of the incident."

"We are currently investigating whether personally identifiable information was potentially impacted," he wrote. "Should we discover individuals' personally identifiable information was potentially impacted, we will notify those individuals directly."

VanWagoner said he's been told the firm investigating the incident for TCAPS is working with state law enforcement and the Federal Bureau of Investigation.

A spokesperson at FBI's Detroit field office responded to the Record-Eagle but couldn't provide further detail.

Detective Sgt. Sam North of the Michigan State Police's Michigan Cyber Command Center confirmed that the TCAPS district reported the incident.

The cyber center, which looks into intrusions of public institutions' networks, is investigating, but North couldn't say more. As a matter of policy, staff at the center don't talk about ongoing investigations, he said.

If Medusa's claim is legitimate, TCAPS wouldn't be the first school district it has targeted. Unit 42, a cybersecurity incident response team for Palo Alto Networks, wrote that the group is opportunistic and has hit various schools, along with high-tech companies and manufacturing — wherever it finds a vulnerability to exploit.

SonicWall, another cybersecurity firm, wrote that the group targeted Glendale Unified School District in California, one of three that were recently the focus of Medusa ransomware.

The group is also known for its double extortion technique: According to, these attacks use malware to infiltrate a target's computer network, then they steal and analyze data that could be used against the target.

A malicious actor will encrypt or lock access to systems and threaten to release data stolen during an attack. The idea is to maximize a victim's potential payout, extorting them once to unlock the data and again to delete what the criminals stole.

According to Forbes, a 2023 survey of school IT professionals with cybersecurity firm Sophos found that 80 percent of schools from 14 different countries — including the United States — were victims of ransomware attacks in 2022.

That same survey found K-12 school districts were the single most targeted industry over healthcare, government, and even colleges and universities.

In Traverse City, TCAPS' network is largely back to normal although a few minor issues remain, VanWagoner said. It was stable enough for the district to carry on with standardized testing recently, and typical teaching activities have been possible as well.

VanWagoner said, as an employee of the district where his children learn, he wants parents to know he's doing everything he can to protect employees and students as if they were his own.

"We're going through — and following — the professionals that do this work every day, and making sure that we don't do anything that would further cause complications to an investigation or any of those things and letting those professionals do their job," he said.

©2024 The Record-Eagle (Traverse City, Mich.). Distributed by Tribune Content Agency, LLC.