FBI Warns of PYSA Ransomware Targeting Educational Sector
The FBI provided technical details on the ransomware strain along with indicators of compromise and domains associated with its activity on Tuesday.
The Federal Bureau of Investigation (FBI) is warning (.PDF) that a relatively new strain of ransomware, PYSA, has been connected to cyberattacks on educational institutions in the United States and the United Kingdom over the last year.
The FBI used the news as an opportunity to encourage organizations this week, if they haven't already, to take all of the necessary steps to mitigate a ransomware attack like PYSA.
PYSA, also known as Mespinoza, isn't completely new, but this week is the first time the FBI has warned publicly of the strain.
Previously, CERT France warned of the ransomware in March 2020, but only said that the ANSSI (Agence Nationale de la Sécurité des Systèmes D'information) had recently been made aware of attacks involving PYSA in which "ransomware-type malicious codes were used, rendering certain files unusable."
Cybercriminals have recently targeted K-12 schools and colleges with PYSA #ransomware, trying to use stolen files to secure ransom payments. #FBI cyber experts identify technical details and mitigation strategies in a new report at https://t.co/IZ5RVfGTA0.
— FBI (@FBI) March 16, 2021
The UK's National Health Service also warned of PYSA last year, in October, sharing host indicators and MITRE ATT&CK techniques and adding that the strain was focused on high-value financial and governmental targets, healthcare, and law enforcement organizations.
According to the FBI, which released a Flash Alert on the threat Tuesday, it first began seeing PYSA in early 2020 and has since mostly seen it targeting educational institutions - universities, K-12 schools, and divinity schools - in the UK and in 12 US states.
Like most ransomware operations, PYSA gains its initial foothold by cracking weak Remote Desktop Protocol (RDP) credentials and by phishing emails. Once inside, the attackers use open source post-exploitation tools and frameworks such as PowerShell Empire, Koadic, and Mimikatz, disable antivirus, and then steal files.
The usual sensitive information is targeted (personally identifiable information (PII), payroll tax information, any data that can be dangled to entice a ransom payment), and in incidents nearly all Windows and Linux data is encrypted: files, databases, virtual machines, backups, and so on. The ransomware encrypts files using asymmetric encryption and appends .pysa to the end of each encrypted file's name.
The attackers try to cover their tracks by leaving behind a file named svchost.exe, a name chosen to look like a generic Windows host process. In other instances, the FBI says, no malicious files are left behind at all.
Administrators and defenders looking for more information on PYSA, namely indicators of compromise like malware file names, SHA1 hashes, Tor URLs, and domains associated with PYSA should refer to the FBI notice. Despite being a year old, France's CERT warning (.PDF) also has some helpful tips.
Organizations are no doubt familiar with the FBI's recommendations at this point but to reiterate, the agency is encouraging the following:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Focus on awareness and training.
- Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
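As an added illustration (not code from the FBI alert or this article), the RDP-log monitoring the FBI recommends and the host indicators described above (the .pysa extension on encrypted files and a svchost.exe dropped outside the Windows system directories) can both be checked with a short Python script. The simplified one-line log format, the sample events and the sample paths are constructed for the example; the event IDs and logon type are the standard Windows Security log values.

```python
import re
from collections import defaultdict

# Constructed, simplified records in the shape of Windows Security log entries
# (not data from the FBI alert). 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    "2021-03-15T02:10:01 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7",
    "2021-03-15T02:10:02 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7",
    "2021-03-15T02:10:03 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.7",
    "2021-03-15T02:10:09 EventID=4624 LogonType=10 Account=backup SourceIP=203.0.113.7",
    "2021-03-15T08:00:00 EventID=4625 LogonType=2 Account=jsmith SourceIP=-",
    "2021-03-15T08:05:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.4",
]
EVENT_RE = re.compile(r"EventID=(\d+) LogonType=(\d+) Account=\S+ SourceIP=(\S+)")

def rdp_bruteforce_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failed RDP logons (4625 / type 10)."""
    failures = defaultdict(int)
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group(1) == "4625" and m.group(2) == "10":
            failures[m.group(3)] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def rdp_success_after_failures(lines, threshold=3):
    """Suspect sources that then logged on successfully over RDP: the
    'weak credentials cracked' entry pattern the FBI describes for PYSA."""
    suspects = set(rdp_bruteforce_sources(lines, threshold))
    return sorted({m.group(3) for m in map(EVENT_RE.search, lines)
                   if m and m.group(1) == "4624" and m.group(2) == "10"
                   and m.group(3) in suspects})

# Host indicators from the article: the .pysa extension on encrypted files and a
# svchost.exe dropped outside the directories where Windows keeps the real one.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def suspicious_paths(paths):
    """Return (path, reason) for .pysa files and out-of-place svchost.exe copies."""
    flagged = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if low.endswith(".pysa"):
            flagged.append((p, "pysa-extension"))
        elif low.endswith("\\svchost.exe") and not low.startswith(LEGIT_SVCHOST_DIRS):
            flagged.append((p, "svchost-outside-windows-dirs"))
    return flagged

SAMPLE_PATHS = [r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\svchost.exe",  # constructed
                r"D:\shares\finance\payroll_2020.xlsx.pysa", r"D:\shares\finance\payroll_2021.xlsx"]
```

In production the same logic would read real 4624/4625 events from the Security log or a SIEM rather than the simplified lines used here.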