Skip to main content

Cyber criminals behind PYSA ransomware are targeting colleges and schools in latest double extortion efforts.

SAN RAFAEL, CALIFORNIA – The FBI has issued an official warning that the cyber criminals behind the PYSA/Mespinoza strain of ransomware are increasingly targeting schools and colleges in the United States. 

Hackers are gaining access to networks two ways: targeted phishing campaigns and compromised RDP credentials. PYSA ransomware was first recognized by the FBI in March 2020, and has also been used in successful attacks against government entities and health-care providers. Many schools and colleges have rapidly increased their reliance on Microsoft’s Remote Desktop Protocol since the outbreak of COVID-19, creating a desirable threat environment for hackers.

Traditional Ransomware vs. Double Extortion… What’s the Difference?

In traditional ransomware attacks, from the first documented attack in 1989 until 2019, attackers encrypted their victim’s files, and threatened to destroy those files if their ransom was not met.

The first known strain of “double extortion ransomware” was called Maze, discovered in the last quarter of 2019. In this strain and the multiple copy-cats which have followed, sensitive files are exfiltrated by the hackers before encrypting files on the network. This gives cyber criminals more leverage in ransom negotiations, as they threaten to leak those sensitive documents if their demand is not met. In the case of academic institutions, a leak of students’ personally identifiable information is the sum of all fears.

From the FBI’s official PYSA warning:

“Reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”

Related: Texas School District Falls Victim to $2.3M Email Scam

How does Evolve help its policyholders in the fight against ransomware?

Evolve policyholders receive free access to six industry-leading cybersecurity vendors, all of which bolster a business’ big-picture defense against ransomware attacks. Especially noteworthy in double extortion defense is our newest partner BlackFog, who monitors data exfiltration in real time.

What else can you do to mitigate your business’ exposure?

The FBI has made the following cybersecurity recommendations:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication where possible.
  • Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks and avoid using public WiFi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).