FBI warns of rise in PYSA ransomware operators targeting US, UK schools

Data is being stolen ahead of encryption in extortion attempts.
Written by Charlie Osborne, Contributing Writer

The FBI has warned of a surge in attacks against schools in which ransomware operators are stealing data to pile on the pressure for payment. 

In a joint FBI and DHS-CISA flash industry alert (.PDF) this week, law enforcement said a recent increase in attacks leveraging PYSA ransomware, also known as Mespinoza, has been traced to both US and UK educational institutions. 

"The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries," the alert reads. "These actors use PYSA to exfiltrate data from victims prior to encrypting victim's systems to use as leverage in eliciting ransom payments."

First spotted in 2019, PYSA ransomware encrypts files on compromised systems, marking them with the .locked or .pysa extension, and has been linked to Ransomware-as-a-Service (RaaS) offerings.

Phishing emails, social engineering, and the compromise of Remote Desktop Protocol (RDP) credentials through theft or brute-force are some of the tactics used to gain initial entry into a target system. 

In the same way as REvil and Netwalker ransomware operators, among many others, PYSA operators may steal data from their victims ahead of encryption and then threaten to publish it on leak sites unless ransom demands are met.

"Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector," law enforcement added. 

In March last year, France's CERT team warned that local government entities were being targeted by PYSA operators. 

Earlier this month, the K12 Security Information Exchange and K-12 Cybersecurity Resource Center published a study on the state of cybersecurity in US schools. 

The research says that 2020 was a "record-breaking" year for cybersecurity incidents including data breaches, infrastructure compromise, and now -- due to COVID-19 -- the disruption of online learning by way of Zoombombing, as well as outright school closures caused by impacted record systems. 

According to the report, there are "significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem."
