On March 16, the Federal Bureau of Investigation (FBI) issued a "Flash" alert on PYSA ransomware after an uptick in attacks this month against institutions in the education sector, particularly higher education, K-12 schools, and seminaries. According to the alert [PDF], the United Kingdom and 12 US states have already been affected by this ransomware family.
PYSA, also known as Mespinoza, was first spotted in the wild in October 2019, when it was initially used against large corporate networks.
CERT France issued an alert a year ago about PYSA widening its reach to include French government organizations, as well as other governments and institutions outside of France. PYSA was categorized as one of the big-game hunters, joining the ranks of Ryuk, Maze, and Sodinokibi (REvil). "Big-game" ransomware attacks target entire organizations, with threat actors operating their ransomware manually after spending time breaking into an organization's network and conducting reconnaissance.
PYSA/Mespinoza can arrive on victims' networks either via phishing campaigns or by brute-forcing Remote Desktop Protocol (RDP) credentials to gain access.
Before downloading and detonating the ransomware payload, the threat actors behind this ransomware have also been observed conducting network reconnaissance with open-source tools like Advanced Port Scanner and Advanced IP Scanner. They also install tools such as Mimikatz, Koadic, and PowerShell Empire (to name a few) to escalate privileges and move laterally.
The threat actors disable security protections on the network, exfiltrate files, and upload the stolen data to Mega.nz, a cloud-storage and file-sharing service. PYSA is then deployed and executed. All encrypted files on Windows and Linux, the two platforms this ransomware primarily targets, will have the
The FBI report also warns of a possible double extortion tactic against victims: "In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom."
In the last six months, the FBI and other law enforcement organizations have been warning the education sector about increased threat activity against it. This isn't limited to ransomware attacks: phishing campaigns and domain typosquatting also come into play.
The FBI's "Flash" alert includes these recommended mitigations for potential targets.
To prevent attacks:
- Install security updates for operating systems, software, and firmware as soon as they are released.
- Use multi-factor authentication wherever possible.
- Avoid reusing passwords for different accounts and implement the shortest acceptable timeframe for password changes.
- Disable unused RDP ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Use up-to-date anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Provide users with training on information security principles and techniques as well as emerging cybersecurity risks.
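The two RDP recommendations above (disable unused RDP exposure, monitor remote-access logs) are where the brute-forcing entry vector described earlier becomes detectable. The following is an added example, not code from the FBI alert or this article: it runs over a constructed, simplified export of Windows Security events (Event ID 4625 for failed logons, 4624 for successful ones, Logon Type 10 for RDP sessions) and flags any source address that produces a burst of failed RDP logons inside a short window, then lists any RDP logon from that source that succeeded afterwards. The pipe-delimited record layout and all addresses and account names are constructed for the example; a real pipeline would parse the XML or CSV that wevtutil or Get-WinEvent produce.

```python
"""Added example (not from the FBI alert or the article): flag RDP
brute-force activity in a Windows Security log export.

Windows records a failed logon as Event ID 4625 and a successful one as
4624; Logon Type 10 marks an interactive remote (RDP) session. The record
layout below is a constructed, simplified pipe-delimited export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"

# Constructed sample data: one spraying source that eventually succeeds,
# one user with two slow failures, one set of non-RDP (type 3) failures that
# must not be counted, and one source whose failures are too spread out.
SAMPLE_LOG = """\
2021-03-15T02:14:01|4625|10|admin|203.0.113.7
2021-03-15T02:14:03|4625|10|administrator|203.0.113.7
2021-03-15T02:14:05|4625|10|jsmith|203.0.113.7
2021-03-15T02:14:08|4625|10|backup|203.0.113.7
2021-03-15T02:14:10|4625|10|svc_sql|203.0.113.7
2021-03-15T02:14:12|4625|10|admin|203.0.113.7
2021-03-15T02:14:40|4624|10|admin|203.0.113.7
2021-03-15T03:01:00|4625|10|mjones|198.51.100.20
2021-03-15T03:05:00|4625|10|mjones|198.51.100.20
2021-03-15T04:00:00|4625|3|guest|192.0.2.44
2021-03-15T04:00:01|4625|3|guest|192.0.2.44
2021-03-15T04:00:02|4625|3|guest|192.0.2.44
2021-03-15T04:00:03|4625|3|guest|192.0.2.44
2021-03-15T04:00:04|4625|3|guest|192.0.2.44
2021-03-15T04:00:05|4625|3|guest|192.0.2.44
2021-03-15T05:00:00|4625|10|helpdesk|10.0.0.5
2021-03-15T05:30:00|4625|10|helpdesk|10.0.0.5
2021-03-15T06:00:00|4625|10|helpdesk|10.0.0.5
2021-03-15T06:30:00|4625|10|helpdesk|10.0.0.5
2021-03-15T07:00:00|4625|10|helpdesk|10.0.0.5
"""


def parse_line(line):
    """Split one constructed 'timestamp|event_id|logon_type|account|source_ip' record."""
    ts, event_id, logon_type, account, source_ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "account": account, "source_ip": source_ip}


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"attempts": n, "accounts": [...]}} for every source
    that produced at least `threshold` failed RDP logons inside some sliding
    `window`. Slow, spread-out failures (a forgetful user) never trigger."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event_id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            failures[ev["source_ip"]].append(ev)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"attempts": peak,
                          "accounts": sorted({e["account"] for e in evs})}
    return alerts


def successes_from_flagged_sources(log_text, alerts):
    """List (source_ip, account, timestamp) for successful RDP logons from a
    source already flagged by detect_rdp_bruteforce: the signal that a
    brute-force attempt worked and the account needs immediate attention."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if (ev["event_id"] == SUCCESSFUL_LOGON and ev["logon_type"] == RDP_LOGON_TYPE
                and ev["source_ip"] in alerts):
            hits.append((ev["source_ip"], ev["account"], ev["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    found = detect_rdp_bruteforce(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"{ip}: {info['attempts']} failed RDP logons, accounts tried: "
              f"{', '.join(info['accounts'])}")
    for ip, account, ts in successes_from_flagged_sources(SAMPLE_LOG, found):
        print(f"WARNING: {account} logged in over RDP from {ip} at {ts} after the failures")
```

On the constructed data only 203.0.113.7 is flagged (six failures across five accounts in eleven seconds, followed by a successful logon as admin); the type-3 network failures and the five helpdesk failures spaced half an hour apart are correctly ignored. The threshold and window are the knobs to tune against a site's real baseline, and a successful logon from a flagged source is the event that should page someone rather than just land in a report.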
To mitigate the effects of an attack:
- Back up data, and air-gap and password-protect the backups so attackers cannot reach them.
- Use network segmentation to make lateral movement harder.
- Implement a recovery plan and keep multiple copies of sensitive or proprietary data in physically separate, segmented, secure locations.