There has been a significant increase in PYSA ransomware targeting education institutions in 12 U.S. states and the U.K., according to a joint Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) flash industry alert.

PYSA, also known as Mespinoza, is ransomware that exfiltrates data and encrypts critical files and data stored on victims' systems. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. They use PYSA to exfiltrate data from victims before encrypting the victims' systems, then use the stolen data as leverage to elicit ransom payments.

PYSA operators typically gain unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing emails. The cyber actors use Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, then install open-source tools such as PowerShell Empire, Koadic, and Mimikatz. They execute commands to deactivate antivirus capabilities on the victim network before deploying the ransomware.

The cyber actors then exfiltrate files from the victim's network, sometimes using the free open-source tool WinSCP, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users. In previous incidents, the actors exfiltrated employment records containing personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims into paying a ransom. Upon execution of the malware, a detailed ransom message is generated and displayed on the victim's login or lock screen.

The ransom message contains information on how to contact the actors via email, displays frequently asked questions (FAQs), and offers to decrypt the affected files. If the ransom is not paid, the actors warn that the information will be uploaded and monetized on the darknet. The malware is dropped in a user folder, such as C:\Users\%username%\Downloads\. Observed instances of the malware carried the filename svchost.exe, most likely an effort by the cyber actors to disguise the ransomware as the generic Windows service host process. In some instances, the actors removed the malicious files after deployment, so victims found no malicious files on their systems. The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, either through the MEGA website or by installing the MEGA client application directly on a victim's computer. In the past, however, the actors have used other exfiltration methods that leave less evidence of what was stolen.
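Because the actors sometimes delete the dropped binary after execution, hunting the file system alone can miss the intrusion; process-creation telemetry (for example Sysmon Event ID 1, whose Image and ParentImage fields are used here) records the execution even after the file is gone. The following is an added example, not part of the alert or this article: a small Python hunt that flags the indicators described above (svchost.exe running from anywhere other than the Windows system directories, executables launched from a user's Downloads folder, and the named reconnaissance and exfiltration tools) over a handful of constructed sample events. The parent-process check on svchost.exe is a widely used heuristic (a genuine svchost.exe is started by services.exe) and is not taken from the alert; the tool-name patterns and sample paths are assumptions for illustration.

```python
"""Hunt process-creation events for the PYSA tradecraft described in the FBI flash.

Added example: the event records below are constructed, not real telemetry.
"""
import ntpath
import re

# Directories a genuine svchost.exe is launched from; anything else is a masquerade candidate.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Executable-name patterns for the tools named in the alert (assumed naming; legitimate
# administrative use of these tools exists, so a hit is a lead to triage, not proof).
TOOL_PATTERNS = {
    "recon": re.compile(r"advanced_?(ip|port)_?scanner", re.I),
    "exfil": re.compile(r"^(winscp|megasync|megacmd)", re.I),
    "credential_access": re.compile(r"mimikatz", re.I),
}


def normalize(path):
    """Lower-case and convert forward slashes so comparisons are path-style independent."""
    return path.replace("/", "\\").lower()


def classify(event):
    """Return the list of indicator tags that fire for one process-creation event."""
    tags = []
    image = normalize(event.get("Image", ""))
    parent = normalize(event.get("ParentImage", ""))
    name = ntpath.basename(image)

    if name == "svchost.exe":
        # The observed PYSA binary was named svchost.exe but dropped in a user folder.
        if ntpath.dirname(image) not in LEGIT_SVCHOST_DIRS:
            tags.append("svchost_outside_system32")
        # Heuristic beyond the alert: real svchost.exe is spawned by services.exe.
        if ntpath.basename(parent) != "services.exe":
            tags.append("svchost_unexpected_parent")

    # Execution from C:\Users\<name>\Downloads\ matches the drop location in the alert.
    if "\\users\\" in image and "\\downloads\\" in image:
        tags.append("exec_from_user_downloads")

    for tag, pattern in TOOL_PATTERNS.items():
        if pattern.search(name):
            tags.append(tag)
    return tags


def hunt(events):
    """Return (image, tags) pairs for every event that triggers at least one indicator."""
    results = []
    for event in events:
        tags = classify(event)
        if tags:
            results.append((event["Image"], tags))
    return results


# Constructed sample events in the shape of Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\jdoe\Downloads\svchost.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\jdoe\Downloads\Advanced_IP_Scanner_2.5.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, tags in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

On the sample set, the genuine svchost.exe and notepad.exe produce no tags, the Downloads-resident svchost.exe fires three indicators, and the scanner, WinSCP and MEGAsync launches are each surfaced for triage. Feeding exported Sysmon or EDR process-creation logs into hunt() in place of SAMPLE_EVENTS gives the same triage list for a real environment.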

Oliver Tavakoli, CTO at Vectra, explains, “The main factor governing any ransomware campaign is purely economic: how hardened is the target (this drives cost) and how likely is the victim to pay the ransom (this drives income). Educational institutions are generally not hard targets (their mission often precludes them from locking down their environment) and ransoms may be paid by the institution itself or by individuals who happen to have machines on the target network at the time of the attack (possibility of large and small payments). A secondary factor is that the same group can only be targeted so many times before ‘ransom fatigue’ (victims stubbornly refuse to pay) sets in. So the mere fact that there hasn’t been a recent ransomware campaign against a particular group moves it further up the list of potential targets for the next campaign. The choice of which campaign to pursue next is made based on these factors – like most businesses, the attackers operate on the data they have.”

Hank Schless, Senior Manager, Security Solutions at Lookout, notes, “Threat actors understand that continuing education for students is a main focus for educational institutions. This makes schools a high-priority target for ransomware attacks. Education is a vital function, and over the past year, schools have incorporated several strategies of remote and hybrid learning to make this work. With so much effort put into planning and strategizing, administrators might be more likely to pay the threat actors behind ransomware attacks in order to diminish the disruption they cause. Most ransomware attacks start with phishing, which targets users on any device and within any messaging application (email, SMS, and social media) that allows cybercriminals to send malicious links to unsuspecting users. A successful phishing campaign can open the door to a threat actor by stealing login credentials or delivering malware to the device itself.”

Heather Paunet, Senior Vice President of Product Management at Untangle, explains, “Schools are facing more complex cyber threats as the need for data, monitoring and contact tracing become key factors in students returning to in-person classes. For those maintaining databases about student transportation, attendance, temperature, encrypting this data or using a tokenization system may help network administrators secure the database and leave personally identifiable information secured in a different place.”

Paunet adds, “Administrators who are working with students remotely must confirm that both students and teachers are accessing their eLearning platforms through VPN connections or other secure login portals. These logins should have two-factor authentication (2FA) when available, and ongoing training for teachers and administrators should be considered, so phishing emails, suspicious activity, or unauthorized updates to their credentials can be avoided or identified. Schools, such as the Hartford Public School system which fell victim to a ransomware attack last September, struggled with security due to the speed at which they needed to adapt to remote learning. While prominent industries, such as education, had attacks over the past year which made news headlines, it’s not an issue that is industry specific, or specific to any size of business. Companies in the small to medium business category remain particularly vulnerable due to not having dedicated IT or IT security staff with enough knowledge to put the right protections in place for the business.”

Commenting on the news, Eddy Bobritsky, CEO, Minerva Labs, says, “This is yet another example of how attackers create malicious software that easily penetrates organizations, deploys the beachhead, stays undetected long enough to gain a significant foothold and then pulls the trigger to encrypt the data. Detection and Response solutions were never built to prevent threats from execution - they were built to detect them first. In the past 10 years, more money has been invested in endpoint security and yet, year after year, the number of successful ransomware attacks increases, as well as the time and money spent to detect and contain the breach, while the shortage of cyber security experts increases as well. The industry should adopt a new approach and technologies that are scalable and built to prevent modern threats before any damage has been done, at the beachhead stage, that will enable organizations of any size to deal with modern cyber threats regardless of their team’s size, skillset and toolset.”