The FBI warns about an increase in ransomware attacks against US and UK schools in which the attackers first steal data and later demand a ransom.
The FBI and the Cybersecurity and Infrastructure Security Agency (DHS-CISA) issued a flash industry alert (PDF) this week. In the alert, they warn about a recent increase in attacks using PYSA ransomware, also known as Mespinoza, against both US and UK educational institutions.
“The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries,” the alert reads. “These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”
PYSA ransomware has been around since 2019, but the FBI says it only became aware of it in 2020.
“Since March 2020, the FBI has become aware of PYSA ransomware attacks against the US and foreign government entities, educational institutions, private companies, and the healthcare sector,” law enforcement added.
PYSA works by encrypting files on compromised systems and appending the .locked or .pysa extension to them. The malware has been linked to Ransomware-as-a-Service (RaaS) offerings, in which cybercriminals rent out their malware to other criminals for money.
To gain initial access to a target network, PYSA operators use tactics such as phishing emails, social engineering, and compromised Remote Desktop Protocol (RDP) credentials obtained through theft or brute-force attacks.
Like many other ransomware operators, the attackers behind PYSA steal data from their victims before encrypting it, then offer to decrypt it for payment and threaten to publish the stolen data unless the ransom is paid.
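As an added illustration (not part of the alert or this article), a small Python detector that flags a burst of file renames adding the .locked or .pysa extension mentioned above. The log lines, their field layout, and the host and user names are all constructed for the example.

```python
"""Burst detector for ransomware-style renames (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the FBI/CISA alert associates with PYSA/Mespinoza.
PYSA_EXTENSIONS = (".locked", ".pysa")

# Constructed file-server events: "timestamp host user old_path -> new_path".
SAMPLE_EVENTS = """
2021-03-16T08:01:02Z fs01 svc_backup /share/hr/payroll.xlsx -> /share/hr/payroll.xlsx.locked
2021-03-16T08:01:03Z fs01 svc_backup /share/hr/contracts.docx -> /share/hr/contracts.docx.pysa
2021-03-16T08:01:04Z fs01 svc_backup /share/hr/benefits.pdf -> /share/hr/benefits.pdf.locked
2021-03-16T08:01:05Z fs01 svc_backup /share/fin/budget.xlsx -> /share/fin/budget.xlsx.locked
2021-03-16T08:01:06Z fs01 svc_backup /share/fin/q1.pptx -> /share/fin/q1.pptx.locked
2021-03-16T09:15:00Z fs02 jdoe /home/jdoe/draft.txt -> /home/jdoe/final.txt
2021-03-16T09:30:00Z fs02 jdoe /home/jdoe/note.locked -> /home/jdoe/archive/note.locked
""".strip().splitlines()


def parse_event(line):
    """Return (time, host, user, old_path, new_path) for one constructed line."""
    ts, host, user, old, _arrow, new = line.split(" ", 5)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, old, new


def has_ransom_extension(path):
    """True if the path ends with one of the PYSA extensions (case-insensitive)."""
    return path.lower().endswith(PYSA_EXTENSIONS)


def detect_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Flag (host, user) pairs that rename at least `threshold` files to a PYSA
    extension within `window`. Returns {(host, user): largest burst size}."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, user, old, new = parse_event(line)
        # Count only renames that *add* the extension; moving a file that is
        # already .locked/.pysa (e.g. during cleanup) is not encryption activity.
        if has_ransom_extension(new) and not has_ransom_extension(old):
            hits[(host, user)].append(ts)
    alerts = {}
    for key, times in hits.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted times
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for (host, user), count in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} files renamed to a PYSA extension by {user}")
```

In a real deployment the same logic would run over file-server audit events or EDR telemetry rather than a constructed list, and the threshold would be tuned to the environment's normal rename volume.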
In March 2019, France’s CERT team reported that PYSA operators were targeting local government entities. And earlier this month, a study by the K12 Security Information Exchange and the K-12 Cybersecurity Resource Center revealed that 2020 was a “record-breaking” year for cybersecurity incidents, including data breaches, infrastructure compromises, “Zoombombing” incidents, and hacks of school IT systems.
The report concluded there were “significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.”