Cybercrime, PYSA ransomware targets education institutions in US-UK

The FBI: PYSA ransomware is targeting education institutions in US-UK

PYSA ransomware is targeting education institutions in the United States and the United Kingdom, according to an FBI alert. According to the cybersecurity experts, the malware (aka Mespinoza) is capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The unidentified cybercrime actors have specifically targeted higher education, K-12 schools, and seminaries. They use PYSA to exfiltrate data from victims prior to encrypting the victims’ systems, using the stolen data as leverage in eliciting ransom payments. Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors. In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims into paying a ransom.

The cybersecurity experts: The malware (aka Mespinoza) typically gains unauthorized access to victim networks by compromising RDP credentials and/or through phishing emails

According to the cybersecurity experts, PYSA typically gains unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing emails. The cybercrime actors use Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, and proceed to install open source tools such as PowerShell Empire, Koadic, and Mimikatz. They execute commands to deactivate antivirus capabilities on the victim network prior to deploying the ransomware. Then, they exfiltrate files from the victim’s network, sometimes using the free open-source tool WinSCP, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users. The ransom message contains information on how to contact the actors via email, displays FAQs, and offers to decrypt the affected files. If the ransom is not paid, the actors warn that the information will be uploaded and monetized on the darknet.
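The intrusion chain described above (RDP credential compromise, reconnaissance with the scanner tools, credential theft with Mimikatz, antivirus deactivation, exfiltration with WinSCP) gives defenders a sequence of observable stages to hunt for. The following Python script is an added example, not part of the FBI alert or the article: it walks constructed log lines in a made-up `key=value` format and reports which stages of the chain are present, in the order they were first seen. The event IDs are the real Windows ones (4625 failed logon, 4624 with logon type 10 for an RDP session, Sysmon event 1 for process creation, Windows Defender event 5001 for real-time protection being disabled); the log format, the sample lines, the IP address and the `RDP_FAIL_THRESHOLD` value are assumptions made for the example.

```python
"""Stage detection for the PYSA/Mespinoza intrusion chain.

Added example. The key=value log format and SAMPLE_LOG below are constructed
for illustration; the Windows event IDs used are real ones.
"""
import re
from collections import Counter, OrderedDict

# Process-name fragments for the tools named in the alert (matched case-insensitively).
# PowerShell Empire and Koadic run through powershell.exe / script hosts rather than
# a distinctive binary, so an image-name check alone does not cover them.
RECON_TOOLS = ("advanced_port_scanner", "advanced_ip_scanner")
CRED_TOOLS = ("mimikatz",)
EXFIL_TOOLS = ("winscp",)

RDP_FAIL_THRESHOLD = 5  # failed logons from one source before it counts as brute force (assumed)


def parse_line(line):
    """Turn 'k=v k="v with spaces" ...' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def detect_stages(lines):
    """Return the chain stages observed, in first-seen order."""
    stages = OrderedDict()
    fails = Counter()
    for raw in lines:
        ev = parse_line(raw)
        eid = ev.get("event_id")
        if eid == "4625":  # failed logon: count per source address
            src = ev.get("src", "?")
            fails[src] += 1
            if fails[src] >= RDP_FAIL_THRESHOLD:
                stages.setdefault("rdp_bruteforce", raw)
        elif eid == "4624" and ev.get("logon_type") == "10":  # RemoteInteractive = RDP
            stages.setdefault("rdp_logon", raw)
        elif eid == "1":  # Sysmon process creation
            image = ev.get("image", "").lower()
            if any(t in image for t in RECON_TOOLS):
                stages.setdefault("recon", raw)
            elif any(t in image for t in CRED_TOOLS):
                stages.setdefault("cred_theft", raw)
            elif any(t in image for t in EXFIL_TOOLS):
                stages.setdefault("exfil_tool", raw)
        elif eid == "5001":  # Defender real-time protection disabled
            stages.setdefault("av_disabled", raw)
    return list(stages)


def pysa_like(lines, min_stages=3):
    """True when at least min_stages distinct stages of the chain are present."""
    return len(detect_stages(lines)) >= min_stages


# Constructed sample log: a brute-forced RDP account, scanner, Mimikatz,
# Defender switched off, then WinSCP launched. 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    f"ts=2021-03-01T02:10:0{i} event_id=4625 src=203.0.113.7 user=admin" for i in range(5)
] + [
    "ts=2021-03-01T02:10:09 event_id=4624 logon_type=10 src=203.0.113.7 user=admin",
    r'ts=2021-03-01T02:14:30 event_id=1 image="C:\Users\admin\Downloads\Advanced_Port_Scanner.exe"',
    r'ts=2021-03-01T02:31:02 event_id=1 image="C:\Temp\mimikatz.exe"',
    'ts=2021-03-01T02:40:11 event_id=5001 product="Windows Defender"',
    r'ts=2021-03-01T03:02:45 event_id=1 image="C:\Program Files\WinSCP\WinSCP.exe"',
]

# Constructed benign activity: one RDP logon by an administrator and a text editor.
BENIGN_LOG = [
    "ts=2021-03-01T09:00:00 event_id=4624 logon_type=10 src=10.0.0.5 user=helpdesk",
    r'ts=2021-03-01T09:00:30 event_id=1 image="C:\Windows\System32\notepad.exe"',
]

if __name__ == "__main__":
    print("sample:", detect_stages(SAMPLE_LOG), "->", pysa_like(SAMPLE_LOG))
    print("benign:", detect_stages(BENIGN_LOG), "->", pysa_like(BENIGN_LOG))
```

A single RDP logon is normal administrative traffic and scores only one stage; the value of the check is in the ordering and accumulation of stages, which is why `detect_stages` keeps first-seen order and `pysa_like` requires several distinct stages before alerting. In production the stage list would be built from a SIEM query rather than a list of strings, and the tool names would be complemented by hash and command-line matches.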
