PYSA Ransomware Pillages Education Sector, Feds Warn

ransomware PYSA

A major spike of attacks against higher ed, K-12 and seminaries in March has prompted the FBI to issue a special alert.

The FBI has issued a warning about an uptick in cyberattacks on the education sector that are delivering the PYSA ransomware.

In a “Flash” alert to the cybersecurity community issued on Tuesday, the Feds said that PYSA has been seen in attacks on schools in 12 U.S. states and in the United Kingdom in March alone. The attacks have cast a wide net, hitting higher education, K-12 schools and seminaries, the alert warned.

In addition, the unknown cyber-adversaries have targeted a handful of government entities, healthcare and private companies, the FBI said.

PYSA (a.k.a. Mespinoza), like most ransomware, is capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The FBI noted that it sets about gaining initial access in the usual way: Either by brute-forcing Remote Desktop Protocol (RDP) credentials and/or through phishing emails.

Attacks Feature Wide Use of Open-Source, Legitimate Tools

The FBI researchers have also observed the attackers using Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance. These are open-source tools that allow users to find open network computers and discover the versions of programs on those ports. From there, the attackers are installing various open-source tools for lateral movement.

According to the alert, these include Mimikatz, a post-exploitation toolkit that pulls passwords from memory, as well as hashes and other authentication credentials; and Koadic, a penetration toolkit that has several options for staging payloads and creating implants.

Another open-source lateral movement toolkit used in the attacks is PowerShell Empire, which provides the ability to run PowerShell agents without needing powershell.exe. It also provides modules ranging from keyloggers to Mimikatz, and features adaptable communications to avoid network detection.

The cyber-actors then execute commands to deactivate antivirus capabilities on the victim network and exfiltrate files, the FBI warned, sometimes using the free open-source tool WinSCP. WinSCP provides secure file transfer between local and remote computer systems.

The email addresses associated with the campaign are all Tor domains, but the adversaries have uploaded stolen data to, a cloud-storage and file-sharing service, by uploading the data through the Mega website or by installing the Mega client application directly on a victim’s computer, according to the FBI.

After all of that, PYSA then deploys the actual ransomware, appending encrypted files with the .pysa suffix.

PYSA Double-Extortion Ransom Technique

It’s capable of encrypting “all connected Windows and/or Linux devices and data rendering critical files, databases, virtual machines, backups and applications inaccessible to users,” according to the Flash warning. “In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information and other data that could be used to extort victims to pay a ransom.”

To encourage victims to pay, the ransomware notes warns that stolen information will be uploaded and monetized on the Dark Web.

“Observed instances of the malware showed a filename of svchost.exe, which is most likely an effort by the cyber actors to trick victims and disguise the ransomware as the generic Windows host process name,” according to the warning. “In some instances, the actors removed the malicious files after deployment, resulting in victims not finding any malicious files on their systems.”

Ransomware continues to be an escalating scourge. For instance, hackers were found last week exploiting vulnerable Microsoft Exchange servers and installing a new family of ransomware called DearCry.

And, the Monero Miner cryptocurrency ransominer, impersonating an ad blocker and OpenDNS service, has infected more than 20,000 users in less than two months.

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:


Suggested articles