According to the FBI, PYSA ransomware is targeting educational institutions in the US and UK. This malware exfiltrates data and encrypts users’ critical files stored on systems. PYSA operators then apply the double extortion method: the data is encrypted, and the stolen copy is used to pressure organizations into making a ransom payment.

The warning issued today, March 16, goes deeper into the technical details of how the ransomware is being deployed. After gaining unauthorized access to victim networks through compromised Remote Desktop Protocol (RDP) credentials or phishing emails, the PYSA actors use scanners to conduct network reconnaissance and then install open source tools such as PowerShell Empire or Mimikatz. In an effort to evade general antivirus security tools, they execute commands that deactivate those tools before deploying their ransomware.

Threat actors then exfiltrate data and encrypt Windows or Linux devices to ensure the victim cannot access their files and applications. Exfiltrated data seen in previous incidents includes personally identifiable information (PII) such as payroll, employment, and other records, which PYSA uses as leverage for payment.

When the ransomware executes, ransom notes appear on affected machines, laying out the steps the threat actors require to decrypt files. The note explains that if payment is not made by the stated deadline, the exfiltrated information will be posted on the dark web for sale.

Indicators of compromise include files carrying the .pysa extension and the malware filename \Users\%username%\Downloads\svchost.exe.
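Both indicators above can be checked with a filesystem sweep: one pass that flags files carrying the encrypted-file extension (.pysa, after the malware's name) and any svchost.exe sitting in a user's Downloads folder rather than in the Windows system directory. The script below is an added example, not code from the FBI warning or from SpearTip; the directory tree it builds is constructed sample data, and the function names (`sweep`, `build_sample_tree`, `demo`) are assumptions for illustration.

```python
"""Sweep a directory tree for the two PYSA indicators listed in the FBI warning.

Added example, not part of the original article. The sample tree created by
build_sample_tree() is constructed test data, not material from a real incident.
"""
import os
import tempfile
from pathlib import Path

# Indicators as listed in the warning.
IOC_EXTENSION = ".pysa"          # extension appended to encrypted files
IOC_DROPPED_BINARY = "svchost.exe"
IOC_DROP_DIR = "downloads"       # \Users\<user>\Downloads\svchost.exe


def _is_dropped_binary(path: Path) -> bool:
    """svchost.exe is a system binary; a copy in a Downloads folder matches the IoC."""
    return (path.name.lower() == IOC_DROPPED_BINARY
            and path.parent.name.lower() == IOC_DROP_DIR)


def sweep(root) -> dict:
    """Walk `root` and return sorted lists of paths matching each indicator."""
    hits = {"encrypted_files": [], "dropped_binaries": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() == IOC_EXTENSION:
                hits["encrypted_files"].append(str(p))
            elif _is_dropped_binary(p):
                hits["dropped_binaries"].append(str(p))
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_tree(base) -> Path:
    """Create a constructed profile layout mimicking a small Windows install.

    Two files match the indicators; the rest are benign, including the
    legitimate svchost.exe under Windows\\System32, which must not be flagged.
    """
    root = Path(base)
    files = [
        "Users/alice/Documents/report.docx",        # benign
        "Users/alice/Documents/report.docx.pysa",   # encrypted by the ransomware
        "Users/alice/Downloads/svchost.exe",        # dropped binary (IoC)
        "Users/bob/Pictures/photo.jpg",             # benign
        "Windows/System32/svchost.exe",             # legitimate system binary
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


def demo() -> dict:
    """Build the sample tree in a temporary directory, sweep it, and return hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return sweep(root)


if __name__ == "__main__":
    # For a real check, replace demo() with sweep("C:\\Users") or sweep("/home").
    for category, paths in demo().items():
        print(f"{category}: {len(paths)}")
        for path in paths:
            print("  ", path)
```

Run as-is it reports one encrypted file and one dropped binary from the constructed tree; pointing `sweep()` at a real profile root turns it into a quick triage check, and the matched paths are what an incident responder would hand to a forensics team rather than act on alone.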

With remote learning still in place in some areas of the US and UK, understanding how threat actors take advantage of social circumstances to engineer their attacks is important. Educational institutions don’t always have the most robust security protocols, and vulnerabilities arise when remote access is necessary for learning.

Educational institutions can contain a substantial amount of PII due to the sheer number of students and their records. They should look to a trusted security and forensics firm, like SpearTip, in order to relieve security concerns and issues. When threat actors attempt to enter environments, we stop them with endpoint detection and response tools, and our engineers respond immediately once notified. Even when school is out of session (spring break, summer, winter break), our engineers will be defending networks from malicious threats because of our 24/7 investigative cycle.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.