U.S. agencies are warning of an uptick in ransomware targeting educational institutions in 12 states and the U.K., spanning K-12, higher education and seminaries, according to a new FBI alert.
Specifically, federal investigators are singling out PYSA ransomware, also known as Mespinoza, which the FBI says is capable of exfiltrating and encrypting data on a victim’s system in pursuit of a ransom payment for that data.
Officials have been aware of PYSA ransomware attacks since at least March 2020 and have observed threat actors targeting government, education, healthcare and other private sector industries, typically by gaining access to victim networks through compromised Remote Desktop Protocol credentials or phishing attacks.
According to the FBI, the cyber actors use Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance and proceed to install open-source tools including PowerShell Empire, Koadic and Mimikatz. They use execute commands to deactivate antivirus capabilities on victim networks before deploying the ransomware.
“The cyber actors then exfiltrate files from the victim’s network, sometimes using the free opensource tool WinSCP5 , and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users,” according to the alert.
In prior cases, the ransomware operators exfiltrated employee records with personal information, payroll tax information and other data to extort victims.
When the malware is executed, a ransom message displaying information about how to contact the actors via email, offers to decrypt the files and other information appears on the victim’s login or lock screen. The actors warn that if the ransom is not met, the information will be uploaded and sold on the dark web.
“Additionally, the malware is dropped in a user folder, such as C:\Users\%username%\Downloads\. Observed instances of the malware showed a filename of svchost.exe, which is most likely an effort by the cyber actors to trick victims and disguise the ransomware as the generic Windows host process name,” the alert said.
The FBI also warned that the actors have removed the malicious files after deployment, resulting in IT teams being unable to locate malicious files on the system. The actors have been observed uploading stolen data to MEGA.NZ, a cloud storage and file sharing service.
These are the FBI’s recommendations:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organizations.
- Disable hyperlinks in received emails.
- Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
Read the alert for more information, including indicators of compromise.