According to the FBI, PYSA ransomware is targeting educational institutions in the US and UK. This malware is capable of exfiltrating data and encrypting users’ critical files and data stored on systems. PYSA then uses the double extortion method of encrypting data and pressuring organizations into making a ransom payment.
The warning issued today, March 16, goes deeper into the technical details of how the PYSA ransomware is being deployed. After gaining unauthorized access to victim networks through compromised Remote Desktop Protocol (RDP) credentials or phishing emails, the PYSA operators use scanners to conduct network reconnaissance. This allows them to install open-source tools such as PowerShell Empire or Mimikatz. To evade general antivirus security tools, they execute commands that disable those tools and then deploy their ransomware.
Threat actors then exfiltrate data and encrypt Windows or Linux devices to ensure the victim cannot access their files and applications. Previously exfiltrated data has included personally identifiable information (PII) such as payroll, employment, and other records, which PYSA uses as leverage for payment.
When the PYSA ransomware executes, ransom notes show up on affected machines. The threat actors lay out the steps to decrypt files. The note explains if the payment is not met by their suggested deadline, exfiltrated information will be posted on the dark web for sale.
Indicators of compromise include encrypted files carrying the .pysa extension and the malware binary dropped at \Users\%username%\Downloads\svchost.exe.
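The two indicators above can be turned into a simple file-event check. The following is an added example (not code from SpearTip or the FBI warning) that flags the .pysa extension and an svchost.exe created outside the Windows system directories; the log format and sample lines are constructed for this illustration.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Indicators from the FBI warning as reported above: encrypted files carry the
# .pysa extension, and the ransomware binary is dropped as svchost.exe under the
# user's Downloads folder (a legitimate svchost.exe lives in \Windows\System32).
PYSA_EXTENSION = ".pysa"
DROPPER_NAME = "svchost.exe"
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def classify_path(path: str) -> Optional[str]:
    """Return an indicator label for a Windows file path, or None if clean."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name.endswith(PYSA_EXTENSION):
        return "pysa_encrypted_file"
    if name == DROPPER_NAME:
        parent = str(p.parent).lower()
        # svchost.exe outside the system directories matches the reported drop path
        if parent not in LEGIT_SVCHOST_DIRS:
            return "suspicious_svchost_location"
    return None

def scan_file_events(lines: List[str]) -> Dict[str, List[str]]:
    """Group file-creation log lines by the indicator they match."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        # Constructed log format (assumption): "<timestamp> <host> FILE_CREATE <path>"
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[2] != "FILE_CREATE":
            continue
        label = classify_path(parts[3].strip())
        if label:
            hits.setdefault(label, []).append(parts[3].strip())
    return hits

# Constructed sample log lines (not real telemetry) for a stand-alone run.
SAMPLE_LOG = [
    "2021-03-16T09:00:01Z host1 FILE_CREATE C:\\Users\\jsmith\\Downloads\\svchost.exe",
    "2021-03-16T09:00:05Z host1 FILE_CREATE C:\\Windows\\System32\\svchost.exe",
    "2021-03-16T09:02:10Z host1 FILE_CREATE C:\\Users\\jsmith\\Documents\\payroll.xlsx.pysa",
    "2021-03-16T09:02:11Z host1 FILE_CREATE C:\\Users\\jsmith\\Documents\\report.docx",
    "2021-03-16T09:03:00Z host1 PROCESS_START C:\\Users\\jsmith\\Downloads\\svchost.exe",
]

if __name__ == "__main__":
    for label, paths in scan_file_events(SAMPLE_LOG).items():
        print(label, paths)
```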
With remote learning still in place in some areas of the US and UK, understanding how threat actors take advantage of social circumstances to engineer their attacks is important. Educational institutions don’t always have the most robust security protocols, and vulnerabilities arise when remote access is necessary for learning.
Educational institutions can hold a substantial amount of PII because of the sheer number of students and their records. They should look to a trusted security and forensics firm, like SpearTip, to address security concerns and issues. When threat actors attempt to enter environments, we stop them with endpoint detection and response tools, and our engineers respond immediately once notified. Even when school is out of session, whether spring break, summer, or winter break, our engineers will be defending networks from malicious threats because of our 24/7 investigative cycle.
SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.
If you think your organization has been breached, call our Security Operations Center at 833.997.7327.
©2024 SpearTip, LLC. All rights reserved.