When you experience a breach, time is crucial. Our 24/7 Security Operations Center responds immediately with precision to eliminate the threat and restore operations.
Your organization has cybersecurity weaknesses and vulnerabilities you don’t yet even know about. They need to be found and found immediately. If you don’t someone else will.
FBI Issues Warning on PYSA Ransomware Targeting Education Sector
SpearTip | March 16th, 2021
According to the FBI, PYSA ransomware is targeting educational institutions in the US and UK. This malware is capable of exfiltrating data and encrypting users’ critical files and data stored on systems. PYSA then uses the double extortion method of encrypting data and pressuring organizations into making a ransom payment.
Warning About PYSA Ransomware
The warning issued today, March 16, goes deeper into the technical details of how the PYSA ransomware is being deployed. After gaining unauthorized access to victim networks through compromised Remote Desktop Protocol (RDP) credentials or phishing emails, the PYSA ransomware uses scanners to conduct network reconnaissance. This allows them to install open-source tools like PowerShell Empire or Mimikatz. In an effort to evade general antivirus security tools, they execute commands that deactivate them and deploy their ransomware.
Threat actors then exfiltrate data and encrypt Windows or Linux devices to ensure the victim cannot access their files and applications. Previous evidence of the exfiltrated data includes personal identifiable information (PII) such as payroll, employment, and other data as PYSA hopes to use it as leverage for payments.
When the PYSA ransomware executes, ransom notes show up on affected machines. The threat actors lay out the steps to decrypt files. The note explains if the payment is not met by their suggested deadline, exfiltrated information will be posted on the dark web for sale.
Indicators of compromise include file extensions with .psya or malware filenames of \Users\%username%\Downloads\svchost.exe.
With remote learning still in place in some areas of the US and UK, understanding how threat actors take advantage of social circumstances to engineer their attacks is important. Educational institutions don’t always have the most robust security protocols, and vulnerabilities arise when remote access is necessary for learning.
Educational institutions can contain a substantial amount of PII due to the sheer number of students and their records. They should look to a trusted security and forensics firm, like SpearTip, in order to relieve security concerns and issues. When threat actors attempt to enter environments, we stop them with endpoint detection and response tools and our engineers respond immediately once notified. Even when school is out of session, spring break, summer, or winter break, our engineers will be defending networks from malicious threats because of our 24/7 investigative cycle.
SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.
If you think your organization has been breached, call our Security Operations Center at 833.997.7327.
View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.
ShadowSpear Platform
Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.
ShadowSpear Demo
Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.
