The Federal Bureau of Investigation’s Cyber Division has issued a flash alert to warn of an increase in PYSA ransomware attacks targeting government entities, educational institutions, private companies, and the healthcare sector in the US and the UK.

Since March 2020, the FBI has become aware of PYSA ransomware attacks against the US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors. PYSA typically gains unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing emails.Federal Bureau of Investigation, Cyber Division

The hackers responsible for PYSA ransomware attacks are known to encrypt data on compromised systems, steal information from victims, and threaten to leak it in an effort to increase their chances of getting paid.

The Health and Social Care Information Centre of England (NHS Digital) and CERTFR also issued alerts for the PYSA ransomware last year, following attacks on their governments and other types of organizations.

Although the FBI has been tracking it since March 2020, PYSA, also known as Mespinoza, has been active since at least October 2019. The threat actors are known to use phishing and RDP attacks for initial access to targeted networks, and tools such as “Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, and proceed to install open-source tools, such as PowerShell Empire, Koadic, and Mimikatz”.

After exfiltrating files from the victim’s network (personal and financial information), the cybercriminals start encrypting them on Windows and/or Linux devices. The agency advises organizations not to pay the ransom, as it doesn’t guarantee the recovery of files, but says that it “understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.”

Preventing and Blocking PYSA Ransomware

Additionally, the FBI has provided a list of recommended mitigations to help detect and block PYSA ransomware attacks against educational organizations:

  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication where possible.
  • Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

What’s more, PYSA ransomware victims have been advised to report these incidents to their local FBI field office or the FBI’s Internet Crime Complaint Center (IC3).

Pysa Ransomware: Overview, Operation Mode, Prevention

Eight K-12 Schools Targeted by Pysa Ransomware

Leave a Reply

Your email address will not be published. Required fields are marked *