FBI: Pysa Ransomware Attacks Target Schools
Hackers Threaten to Leak Exfiltrated Data
The Pysa ransomware strain is increasingly targeting educational institutions in the U.S. and U.K., the FBI warns in a new flash alert.
The alert released on Tuesday notes the hackers behind the Pysa strain have been targeting higher education institutions, K-12 schools and seminaries. In earlier campaigns, the ransomware, also known as Mespinoza, targeted government organizations, private organizations and the healthcare sector in the U.S. and U.K., the FBI notes.
The malware campaign exfiltrates sensitive data from victims, and the hackers then threaten to leak the stolen data on dark web forums if a ransom is not paid, according to the alert. The initial ransom note, however, does not specify a ransom amount.
The Steps in the Campaign
A Pysa infection begins when the hackers compromise a victim's Remote Desktop Protocol (RDP) access via a phishing email, the alert notes. The hackers then use an advanced port scanner and IP scanner for network reconnaissance and install the open-source tools PowerShell Empire, Koadic and Mimikatz, according to the FBI.
The threat actors then deactivate antivirus programs on the victim's network and deploy the ransomware, which encrypts files such as backups, databases and applications on the victim's Windows or Linux devices.
Once the files have been encrypted, a ransom note is displayed on the victim's device. It contains information on how to contact the threat actors and an offer to decrypt the affected files if a ransom is paid. The hackers upload the exfiltrated data directly to Mega.NZ, a cloud storage and file-sharing service, for potential use in further extortion.
In the last stage of the attack, the ransomware is dropped into the victim's Downloads folder under a file name resembling a Windows process name, to trick users into believing the malware is a legitimate Windows process, the alert notes.
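The campaign steps above each leave something a defender can look for: an endpoint-protection service being stopped, a Windows-looking process name running out of a user's Downloads folder, and a bulk upload to Mega.NZ. The following triage script is an added example, not code from the FBI alert or this article; it runs those three checks over constructed telemetry lines. The pipe-delimited log format, the list of imitated process names, the service names other than WinDefend, the mega.co.nz suffix and the byte threshold are all assumptions.

```python
from collections import namedtuple
Finding = namedtuple("Finding", "rule host detail")
# Windows system process names a dropped binary might borrow (this particular set is an assumption).
WINDOWS_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe"}
# The alert names Mega.NZ as the upload destination; the mega.co.nz suffix is an assumption.
EXFIL_DOMAIN_SUFFIXES = ("mega.nz", "mega.co.nz")
# Endpoint-protection service names whose stop should alert (WinDefend is Microsoft Defender; the rest are assumptions).
AV_SERVICES = {"windefend", "sense", "mbamservice"}
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB outbound; tuning value is an assumption

def parse_event(line):
    """Parse a constructed 'timestamp|type|k=v|k=v...' telemetry line into a dict."""
    ts, kind, *fields = line.strip().split("|")
    event = {"ts": ts, "type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def check_event(ev):
    """Return a Finding if the event matches one of the alert's described behaviours, else None."""
    host = ev.get("host", "?")
    if ev["type"] == "process":
        image = ev.get("image", "")
        # Final stage: a Windows-looking process name executing out of a user's Downloads folder.
        if image.rsplit("\\", 1)[-1].lower() in WINDOWS_PROCESS_NAMES and "\\downloads\\" in image.lower():
            return Finding("masquerade_in_downloads", host, image)
    elif ev["type"] == "network":
        dest, sent = ev.get("dest", "").lower(), int(ev.get("bytes_out", "0"))
        # Exfiltration: a bulk upload to the file-sharing service named in the alert.
        if dest.endswith(EXFIL_DOMAIN_SUFFIXES) and sent >= EXFIL_BYTES_THRESHOLD:
            return Finding("bulk_upload_to_mega", host, f"{dest} ({sent} bytes)")
    elif ev["type"] == "service":
        # Antivirus deactivation precedes ransomware deployment.
        if ev.get("state") == "stopped" and ev.get("name", "").lower() in AV_SERVICES:
            return Finding("av_service_stopped", host, ev.get("name", ""))
    return None

def triage(lines):
    """Run every non-empty telemetry line through the rules; return findings in log order."""
    return [f for f in (check_event(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample telemetry (not real logs), in the order the campaign steps would surface.
SAMPLE_LOG = [
    "2021-03-16T09:58:02Z|service|host=ws-14|name=WinDefend|state=stopped",
    "2021-03-16T10:01:12Z|process|host=ws-14|image=C:\\Users\\jdoe\\Downloads\\svchost.exe",
    "2021-03-16T10:02:40Z|network|host=ws-14|dest=upload.mega.co.nz|bytes_out=734003200",
    "2021-03-16T10:05:00Z|process|host=ws-07|image=C:\\Windows\\System32\\svchost.exe",
    "2021-03-16T10:06:00Z|network|host=ws-07|dest=www.mega.nz|bytes_out=4096",
]
if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.host:6} {f.detail}")
```

The legitimate svchost.exe under System32 and the small request to www.mega.nz on ws-07 are deliberately left in the sample to show the rules do not fire on ordinary activity.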
Pysa, which has been active since October 2019, has been tied to a number of earlier attacks internationally (see: Ransomware 2020: A Year of Many Changes).
In January 2021, the hackers behind Pysa published stolen data of Hackney Council, a local U.K. government body, after hacking its network in October 2020 and rendering its IT systems inoperable.
In March 2020, the Computer Emergency Response Team - France (CERT-FR) said Pysa was targeting local governments in France with ransomware attacks.
A report last month by security firm Digital Shadows found that Pysa was among the latest ransomware strains to adopt the hack-and-leak model (see: Ransomware Newcomers Include Pay2Key, RansomEXX, Everest).
Since the pandemic forced schools to switch to online learning, there has been a surge in ransomware attacks against vulnerable educational institutions. A recent report by security firm Emsisoft found that schools were the most targeted ransomware victims in 2020, with 1,681 hacks against colleges and universities (see: Fueled by Profits, Ransomware Persists in New Year).
"Schools across the country are facing more complex cyberthreats as the need for data monitoring and contact tracing becomes a key factor in students returning to in-person classes," says Heather Paunet, a senior vice president at the security firm Untangle. "For those maintaining databases about student transportation, attendance and temperature, encrypting this data or using a tokenization system may help network administrators secure the database and leave personally identifiable information secured in a different place."
Hank Schless, a senior manager at the IT security firm Lookout, says schools are a high-priority target for ransomware actors because they're more likely to pay ransoms.
"Threat actors know that continuing education for all students is a key focus for public school districts and private institutions alike," Schless says. "This makes schools a high-priority target for ransomware attacks. Education is an essential function, and schools have incorporated various strategies of remote and hybrid learning to make this work. With so much effort put into planning and strategizing, administrators might be more likely to pay the threat actors behind ransomware attacks in order to minimize the disruption they cause."