PYSA Ransomware

SpearTip | March 16th, 2021


According to the FBI, PYSA ransomware is targeting educational institutions in the US and UK. The malware exfiltrates data and then encrypts critical files stored on victim systems. PYSA relies on double extortion: because data is stolen before it is encrypted, the threat of publishing it pressures organizations to pay even if they can restore from backups.

Warning About PYSA Ransomware

The warning issued today, March 16, goes deeper into the technical details of how the PYSA ransomware is being deployed. After gaining unauthorized access to a victim network through compromised Remote Desktop Protocol (RDP) credentials or phishing emails, the threat actors run network scanners for reconnaissance and then install open-source tools such as PowerShell Empire and Mimikatz. To evade general antivirus tools, they execute commands that disable those tools before deploying the ransomware.

The threat actors then exfiltrate data and encrypt Windows or Linux devices so the victim cannot access files and applications. Data exfiltrated in earlier incidents has included personally identifiable information (PII) such as payroll and employment records, which PYSA uses as leverage for payment.

When the PYSA ransomware executes, ransom notes appear on affected machines. The note lays out the steps the victim must follow to obtain decryption and warns that if payment is not made by the stated deadline, the exfiltrated information will be posted for sale on the dark web.

Indicators of compromise include encrypted files carrying the .pysa extension and malware dropped at paths such as \Users\%username%\Downloads\svchost.exe (a legitimate svchost.exe lives only under the Windows system directory, never in a user profile).
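The sweep below is an added example, not code from SpearTip or from the FBI alert. It walks a directory tree laid out like a Windows volume and flags the two indicators named above: files with the .pysa extension and an svchost.exe under \Users\<user>\Downloads. A third check, svchost.exe anywhere outside Windows\System32 or Windows\SysWOW64, is this example's own generalization and is labelled as such; the sample tree it builds is constructed for the demonstration.

```python
# Added example (not from SpearTip or the FBI alert): a small IOC sweep for the
# two PYSA indicators the alert names, the .pysa extension on encrypted files and
# an svchost.exe dropped at \Users\<user>\Downloads\svchost.exe. The third check,
# svchost.exe anywhere outside Windows\System32 or Windows\SysWOW64, is this
# example's own generalization, not an indicator from the alert.
import os
import tempfile
from pathlib import Path, PurePath

PYSA_EXTENSION = ".pysa"
SVCHOST = "svchost.exe"
SYSTEM_DIRS = {("windows", "system32"), ("windows", "syswow64")}


def classify(rel_path: PurePath):
    """Return the indicator kind a path matches, or None.

    rel_path is relative to the volume root (e.g. Users/alice/Downloads/svchost.exe),
    so the checks work the same on a mounted disk image as on a live C:\\ drive.
    """
    parts = [p.lower() for p in rel_path.parts]
    if not parts:
        return None
    name = parts[-1]
    # Encrypted files are renamed with a trailing .pysa extension.
    if name.endswith(PYSA_EXTENSION):
        return "encrypted_file"
    if name != SVCHOST:
        return None
    # Exact path from the alert: \Users\<user>\Downloads\svchost.exe
    if len(parts) == 4 and parts[0] == "users" and parts[2] == "downloads":
        return "dropper_in_downloads"
    # Assumption (generalization): the only legitimate homes for svchost.exe are
    # %SystemRoot%\System32 and %SystemRoot%\SysWOW64; anywhere else deserves a look.
    if tuple(parts[-3:-1]) in SYSTEM_DIRS:
        return None
    return "svchost_outside_system_dir"


def scan_tree(root):
    """Walk root and map each matching file (posix-style relative path) to its kind."""
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = Path(dirpath, fname).relative_to(root)
            kind = classify(rel)
            if kind:
                hits[rel.as_posix()] = kind
    return hits


def build_sample_tree():
    """Constructed sample: a throwaway directory laid out like a small C:\\ volume."""
    root = Path(tempfile.mkdtemp(prefix="pysa-ioc-"))
    samples = [
        "Users/alice/Downloads/svchost.exe",          # dropper path from the alert
        "Users/alice/Documents/budget.xlsx.pysa",     # encrypted file
        "ProgramData/svchost.exe",                    # svchost outside the system dirs
        "Windows/System32/svchost.exe",               # legitimate, must not be flagged
        "Users/alice/Documents/notes.txt",            # clean file
    ]
    for rel in samples:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    # Against a suspect host, call scan_tree("C:/") instead of the sample tree.
    for path, kind in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{kind:28} {path}")
```

Run it against the volume root (or the mount point of a forensic image) so that the Users and Windows directories sit at the top of the relative path; the three-part match against Windows\System32 is what keeps the legitimate service host from appearing in the results.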

With remote learning still in place in some areas of the US and UK, it is important to understand how threat actors take advantage of social circumstances to engineer their attacks. Educational institutions do not always have the most robust security controls, and exposing remote access such as RDP for learning widens the attack surface that PYSA's operators rely on.

Educational institutions can contain a substantial amount of PII due to the sheer number of students and their records. They should look to a trusted security and forensics firm, like SpearTip, in order to relieve security concerns and issues. When threat actors attempt to enter environments, we stop them with endpoint detection and response tools and our engineers respond immediately once notified. Even when school is out of session, spring break, summer, or winter break, our engineers will be defending networks from malicious threats because of our 24/7 investigative cycle.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.
