A rash of ransomware attacks have hit schools in the U.S. and the U.K., the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s (DHS) cyber wing warned in a joint Flash alert.
The attackers are using the PYSA malware, also known as Mespinoza, which can exfiltrate data and encrypt files and data stored on users’ systems, as leverage to extract ransom payments from their victims. The unidentified operatives are primarily aiming at higher education, K-12 and seminaries, the bulletin said. At this point, the amounts of ransom money demanded is not known.
PYSA was first spotted in the wild in October 2019 where it was initially used against large corporate networks. The malware is regarded as a big game hunter zeroing in on entire organizations along with the better known counterparts Ryuk, Maze and Sodinokibi (REvil).
Law enforcement has been tracking PYSA ransomware attacks for a year, officials said. In addition to schools, the cyber extortionists have cast a wide net to include government agencies, private companies and healthcare facilities. The malware typically compromises Microsoft’s Remote Desktop Protocol (RDP) credentials through brute force or uses phishing ruses to gain access to victims’ networks.
The hackers first use Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, install open source tools such as PowerShell Empire, Koadic and Mimikatz, and then deactivate antivirus software on the victim’s network prior to deploying the ransomware.
This month alone, the bad actors have hit schools in 12 U.S. states, the alert said. PYSA is capable of encrypting “all connected Windows and/or Linux devices and data rendering critical files, databases, virtual machines, backups and applications inaccessible to users,” the Flash warning said. In prior hacks, the data kidnappers exfiltrated employment records containing “personally identifiable information (PII), payroll tax information and other data that could be used to extort victims to pay a ransom,” the alert said.
Once the malware is launched it generates a “detailed” ransom message on the victim’s login page, displays information on contacting the bad actors by email and also offers to decrypt the infected files. If the ransom is not met, the actors threaten to upload the stolen files and sell them on the underground web.
The FBI offered 13 recommendations for organizations to prevent ransomware attacks:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are inaccessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organizations.
- Disable hyperlinks in received emails.
- Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
