The Federal Bureau of Investigation (FBI) has issued a warning about an increase in PYSA ransomware attacks targeting educational institutions. While singling out educational institutions, the FBI notes that the PYSA surge is also hitting government bodies, private firms, and the healthcare sector in the US and the UK.
PYSA, also known as Mespinoza, was first observed in October 2019. It can exfiltrate and encrypt files and data, and the threat actors behind it specifically target higher education, K-12 schools, and seminaries.
The advisory issued by the FBI stated: “These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments. The cyber actors then exfiltrate files from the victim’s network, sometimes using the free open-source tool WinSCP, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, database, virtual machines, backups, and applications inaccessible to users.”
The attackers typically gain initial access to targeted networks through phishing and Remote Desktop Protocol (RDP) attacks, then use tools such as PowerShell Empire, Mimikatz, and Koadic to extend that access. They also gather and exfiltrate sensitive files from the victims’ networks, including personally identifiable information (PII), payroll tax information, and other data that can be used to pressure victims into paying a ransom under the threat of leaking the stolen information.
The FBI also observed the attackers using Advanced Port Scanner and Advanced IP Scanner for network reconnaissance. These open-source tools let a user identify hosts on the network with open ports and discover the versions of the programs listening on those ports. From there, the threat actors deploy various open-source tools for lateral movement.
“Educational institutions are big targets for hackers as thousands of people’s sensitive information is potentially involved, and the substantial shift towards e-learning has made them even more appealing to hackers and ransomware. These attacks on schools can bring education to a halt while potentially exposing every student and teacher’s personal data within the organization. Parents are also targeted and may be coerced into paying ransom for personal information or school assignments if information falls into bad actors’ hands,” James Carder, CSO at LogRhythm, stated.