The Federal Bureau of Investigation has revealed that higher education has been hit with an influx of cyber-attacks, specifically through PYSA ransomware. Higher education organizations need to take sufficient precautions to prepare for and prevent these types of cyber-attacks.
“PYSA (a.k.a. Mespinoza), like most ransomware, is capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The FBI noted that it sets about gaining initial access in the usual way: Either by brute-forcing Remote Desktop Protocol (RDP) credentials and/or through phishing emails.” (Threat Post).
PYSA is a human-operated ransomware and cyber-actors have been increasingly targeting the education industry.
“The FBI issued an alert stating that they have observed an increase in the PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. The operators of the PYSA ransomware have specifically targeted higher education, K-12 schools, and seminaries.” (Security Boulevard).
Employees of the education industry should be concerned about the threat to their data, as the ransomware could infiltrate employee records.
“It’s capable of encrypting ‘all connected Windows and/or Linux devices and data rendering critical files, databases, virtual machines, backups and applications inaccessible to users,’ according to the Flash warning. ‘In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information and other data that could be used to extort victims to pay a ransom.’” (Threat Post).
The ransomware's name appears in the file extension it appends to encrypted files and in the ransom notes left behind by the attacker.
“The files that are encrypted by PYSA have the .pysa filename extension. The name PYSA may be derived from the Protect your system amigo slogan or from the Zanzibari coin with the same name. The Protect your system amigo slogan can be found in the ransom note that is left by the ransomware on compromised systems.” (Security Boulevard).
A notable detail of how PYSA operates is that it creates a mutex object before it begins encrypting.
“The PYSA ransomware process first detaches itself from the console, which closes the console. This allows the ransomware to operate without the console being a visual indicator of the ransomware’s operation. The PYSA ransomware then creates a mutex object named Pysa. If this mutex object already exists, the ransomware terminates. This is to ensure that only one instance of the PYSA ransomware runs at a time.” (Security Boulevard).
Defenders can turn this mutex check against the ransomware, giving institutions a way to protect their data.
“The PYSA ransomware creates a mutex object named Pysa. If this mutex object already exists and is therefore locked, the ransomware terminates without encrypting any data. This is to the advantage of defenders such that a mutex object named Pysa can be locked by a legitimate process on a given system with the intention to stop any potential future execution of the PYSA ransomware on the system.” (Security Boulevard).
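The "vaccine" idea in the quoted passage can be implemented with a small script that creates and holds a mutex with the reported name. The following PowerShell is an added example written for this page, not code from the FBI Flash, Threat Post or the Cybereason analysis; it assumes the exact, case-sensitive name `Pysa` quoted above and that the sample checks the same mutex namespace as the session the script runs in (whether a `Global\` prefix is needed for a sample running in another session is an assumption the page does not settle).

```powershell
# Added defensive example (not from the cited reports): hold a named mutex
# called "Pysa" so that a PYSA sample that terminates when the mutex already
# exists exits before encrypting anything. The script must keep running for
# as long as the mutex is meant to block execution.
param(
    # Name quoted in the Security Boulevard analysis. Assumption: the sample
    # uses the session-local namespace; prefix with 'Global\' if it does not.
    [string]$MutexName = 'Pysa'
)

$createdNew = $false
# Mutex(initiallyOwned, name, out createdNew): if the name already exists we
# get a handle to the existing object and $createdNew stays $false.
$mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)

if (-not $createdNew) {
    # Something else already owns a mutex with this name. Given the behaviour
    # described above, that is worth investigating: identify the owning process.
    Write-Warning "A mutex named '$MutexName' already exists on this host; investigate which process created it."
    $mutex.Dispose()
    exit 1
}

Write-Host "Holding mutex '$MutexName' from PID $PID. Press Ctrl+C to release."
try {
    while ($true) { Start-Sleep -Seconds 60 }
}
finally {
    # Release on exit so the object does not linger as an abandoned mutex.
    $mutex.ReleaseMutex()
    $mutex.Dispose()
}
```

In practice this would be run as a scheduled task or service at startup so the mutex exists before any user session does. Treat it as a cheap extra layer rather than a control: it only affects samples that keep this exact check, and the non-zero exit when the name is already taken is itself a signal worth forwarding to monitoring.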
Following the FBI's warning about the PYSA incidents, it is essential for higher education institutions to safeguard their data, starting with the access paths the Flash names: RDP and phishing.
“Use secure passwords, regularly rotate passwords, and use multi-factor authentication where possible. Disable unused RDP services, properly secure used RDP services, and regularly monitor RDP log data for brute force attempts and other irregular activities. Regularly backup files to a secured remote location and implement a data recovery plan. Regular data backups ensure that you can restore your data after a ransomware attack.” (Security Boulevard).
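The advice above to "regularly monitor RDP log data for brute force attempts" can be started with a script that summarises failed logons by source address. The PowerShell below is an added example written for this page, not from the cited sources; it assumes it runs on the RDP host (or a log collector) with rights to read the Security log, that failed logons are recorded as Event ID 4625 with the standard `IpAddress`, `TargetUserName` and `LogonType` fields, and that the threshold is a placeholder to tune for the environment.

```powershell
# Added example (not from the page): summarise Security log failed logons
# (Event ID 4625) over a time window, grouped by source IP, and report the
# sources whose failure count exceeds a threshold. Network (3) and
# RemoteInteractive (10) logon types are kept because RDP failures appear
# as either depending on whether Network Level Authentication is enabled.
param(
    [int]$Hours = 1,
    [int]$Threshold = 20   # assumption: placeholder, tune to the environment
)

function ConvertTo-FailedLogonRecord {
    # Flatten one 4625 event into the handful of fields the summary needs.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        IpAddress = $data['IpAddress']
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
    }
}

function Get-FailedLogonSummary {
    # Takes flattened records (so it can also be run over exported data)
    # and returns one row per source address above the threshold.
    param([object[]]$Records, [int]$Threshold)
    $Records |
        Where-Object { $_.LogonType -in @('3', '10') -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
                FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Failures -Descending
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$records = foreach ($e in $events) { ConvertTo-FailedLogonRecord -Event $e }

Get-FailedLogonSummary -Records $records -Threshold $Threshold | Format-Table -AutoSize
```

A high failure count from one address against many distinct usernames is the password-spraying pattern, while many failures against one account is classic brute force; both are worth alerting on and, together with a lockout policy and MFA on RDP, feed directly into the RDP hardening the passage recommends.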
Sources:
Seals, Tara. Threat Post. "PYSA Ransomware Pillages Education Sector, Feds Warn." March 16, 2021. https://threatpost.com/pysa-ransomware-education-feds-warn/164832/
Cybereason Global SOC Team. Security Boulevard. "Threat Analysis Report: Inside the Destructive PYSA Ransomware." September 27, 2021. https://securityboulevard.com/2021/09/threat-analysis-report-inside-the-destructive-pysa-ransomware/