FBI warns of Pysa Ransomware attacks against the Education Sector

The US Federal Bureau of Investigation’s Cyber Division published an alert on March 16, 2021, warning readers that those behind the Pysa ransomware were actively targeting institution in the education sector. Institutions targeted include higher education, K-12 schools, and seminaries in 12 US states and the United Kingdom. The warning further stated, “Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors,”

Activity dating back to March 2020, is in line with known campaigns involving the ransomware strain. In the same month, this publication covered similar warnings issued by France’s Computer Emergency Response Team (CERT). In this instance, the warnings centered around French government departments been targeted by threat actors. Pysa named so because of the extension .PYSA added to the end of encrypted files, is seen by security researchers as a variant of Mespinoza ransomware and was first spotted in late 2019. The discovery came as several companies began reporting that they had suffered a ransomware incident from a yet unknown strain.

Typical tactics of those behind Pysa involve the use of human-operated ransomware tactics and can target both Windows and Linux devices. These involve targeting large organizations and deploying the ransomware manually to help avoid detection and cause the most damage in the shortest possible time. This was done via either gaining initial access to the network via phishing emails or abusing Remote Desktop Protocol (RDP) connections. To discover vulnerable targets, threat actors will use tools like Advanced Power Scanner or Advanced IP Scanner.

fbi warns about pysa ransomware targeting education sector

Further, threat actors will also make use of a wide variety of open-source tools, including PowerShell Empire, Koadic, and Mimikatz to help grant initial access to the target's network. Before encryption begins, the threat actors have developed a reputation for disabling anti-virus suites and other security software packages before encryption to better reduces the chances of being detected.

In terms of encryption, the Pysa encryption routine is very secure making use of both AES encryption and RSA encryption algorithms. To the best of the writer’s knowledge, no decryptor is available, free or otherwise, for the ransomware leaving victims to either pay the ransom or restore from backups. To make matters worse, Pysa’s operators also steal data and threaten to release it if the ransom is not paid. In the past, the threats proved to be more with threat actors releasing data via uploaded MEGA.nz files.

In the past data stolen and subsequently leaked included personally identifiable information, payroll information, as well as confidential tax documents. As is now the norm for ransomware gangs, once encryption is completed a custom ransom note is dropped which displays contact email addresses, typically from Proton Mail servers, intended for victims to open lines of communications and a list of frequently asked questions.

K-12 Organisation under continued Attack

In the US, K-12 organizations are schools in the public school system that caters to students from kindergarten through to the 12th grade. In December of last year, the FBI also warned of malicious threat actors targeting said organizations. Ransomware, malware, and DDoS attacks formed the main cybersecurity incidents suffered by K-12 schools. Further, schools were threatened with the leaking of sensitive data if ransoms were not paid. Today’s warning included a list of mitigation tactics that should be adopted by said schools if not done so already. These include:

Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.

  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication where possible.
  • Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configures access controls with the least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

For many readers, the mitigation listed above will have been encountered many times before. There is a good reason for this; they prevent a vast array of cyber-attacks including ransomware attacks. Further, the FBI has recommended that victims not pay the ransom demanded by Pysa operators as the funds may be used to fund other illegal activities. That being said, the FBI understands the damages educational institutions face following such attacks and urges them to report the attacks as soon as possible to the local FBI field office or the Internet Crime Complaint Center (IC3), regardless of their decision to pay for a decryptor or not. One of the main reasons for this attitude is that by reporting incidents, law enforcement agencies can gain valuable insight and evidence that may lead to arrests further down the line. 2021 has already seen several arrests of individuals associated with ransomware distribution and attacks.

Educational Institutions still provide a tempting Target

Educational institutions have been targeted by ransomware gangs in nothing new. In 2017, the University College of London was one of the first high-profile WannaCry incidents. There are several reasons as to why such institutions are still tempting targets. First, students often engage in risky online behaviors that expose them to ransomware attacks, such as treating email attachments without appropriate wariness, and visiting websites trafficking in pirated entertainment or pirated textbooks and other study material.

Second, the highly open and interconnected nature of campuses opens multiple points of malware infiltration. This helps threat actors to find a weak spot more easily. Then ransomware can spread quickly from student to faculty to staff PCs and servers. Third, cost pressures have made it difficult for some institutions to fund IT security investments; the education sector generally lags well behind industries like finance, retail, healthcare, energy, and government in the resilience of its tech infrastructure.

The cost of investment in secure IT infrastructure is becoming more of a problem for educational institutions during the current pandemic. This is due in part to increased costs as organizations scramble to provide secure remote learning facilities. These have led to increased costs being placed on the IT infrastructure, let alone securing the infrastructure. Given that there has been a steep rise with regards to the associated costs of ransomware, including the ransom, recovery costs, and downtime costs, organizations in the education sector may feel they are in a no-win situation.

This places a greater need for organizations to adopt the above-mentioned mitigation tactics as a matter of urgency. Many of those listed above do not require a massive capital injection or cost outlay to carry out effectively. Good security hygiene measures, like segmenting networks to make it harder for ransomware to spread from system to system, keeping endpoint anti-malware software up-to-date, and patching known vulnerabilities in operating systems, may require a little staff training and an enforced policy but as has been seen can save an organization millions in the event of a ransomware incident.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal