FBI warns of PYSA Ransomware attacks against Education Institutions in US and UK

The FBI has issued an alert to warn about an increase in PYSA ransomware attacks on education institutions in the US and UK.

The FBI has issued Tuesday an alert to warn about an increase in PYSA ransomware attacks against education institutions in the United States and the United Kingdom.

In March 2020, CERT France cyber-security agency warned about a new wave of ransomware attack that was targeting the networks of local government authorities. Operators behind the attacks were spreading a new version of the Mespinoza ransomware (aka Pysa ransomware).

According to the experts, the first infections were observed in late 2019, victims reported their files were encrypted by a strain of malware. The malicious code appended the extension .locked to the filename of the encrypted files.

The Mespinoza ransomware evolved over time, and in December a new version appeared in the threat landscape. This new version used the .pysa file extension that gives the name to this piece ransomware.

The variant was initially used to target big enterprises in the attempt of maximizing the operators’ efforts, but the alert issued by the French CERT warns that the Pysa ransomware is targeting French organizations, especially local government agencies.

CERT-FR’s alert states that the Pysa ransomware code based on public Python libraries.

According to the report issued by the CERT-FR, operators behind the Pysa ransomware launched brute-force attacks against management consoles and Active Directory accounts.

Once compromised the target network, attackers attempt to exfiltrate the company’s accounts and passwords database.

Operators behind the Pysa ransomware, also employed a version of the PowerShell Empire penetration-testing tool, they were able to stop antivirus products.

One of the incidents handled by CERT-FR sees the involvement of a new version of the Pysa ransomware, which used the .newversion file extension instead of .pysa.

According to the FBI Flash alert, unidentified threat actors are targeting higher education, K-12 schools, and seminaries. The attackers implement a double extortion model using the PYSA ransomware to exfiltrate data from victims prior to encrypting their files.

“FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is a malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems.” reads the FBI’s alert. “The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”

Since March 2020, the PYSA ransomware was involved in attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector. Threat actors deploy the ransomware by gaining unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing campaigns. The attackers use Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, then they install open-source post-exploitation tools, including PowerShell Empire, Koadic, and Mimikatz. The attackers are also able to deactivate antivirus on the victim network before delivering the ransomware.

“The cyber actors then exfiltrate files from the victim’s network, sometimes using the free open source tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users. In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom.” continues the alert.

In recent attacks, threat actors uploaded the stolen data to the file sharing service MEGA.NZ, in some cases they also installed the MEGA client software directly on the victim’s computer.

The FBI’s alert contains indicators of compromise (IoCs) for these attacks.

Over the past year, the FBI also issued flash alerts and PIN alerts to warn organizations about attacks involving DoppelPaymer, Egregor, and NetWalker ransomware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]