The year 2020 proved record-breaking in many ways. Millions of teachers and students migrated to online learning. Remote instruction provoked many kinds of conversations. One of the big ones: could the education sector spiral due to gaps in cyber security?

Pysa ransomware has recently disrupted schools and seminaries in twelve US states. The cyber attackers behind the ransomware have also targeted a limited number of government groups and private enterprises. On behalf of the US and the UK, the FBI recently released a security alert concerning Pysa.

Pysa ransomware, what to know

As with most forms of ransomware, Pysa can exfiltrate data and encrypt users’ critical files. The malware gains access to systems through brute-forced Remote Desktop Protocol (RDP) credentials or via phishing messages.
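As an added example (not part of the original article or the FBI alert), the following Python flags the RDP credential brute-forcing described above in Windows Security logon events, and highlights a successful logon that follows a burst of failures. It assumes events already exported as dictionaries; the field names, threshold, time window and sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; with NLA, failures often log as 3

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed logons inside the window and
    record any successful logon from that IP after the threshold was hit."""
    failures = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)        # ip -> every account name that IP failed against
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev["ip"], ev["time"]
        if ev["event_id"] == FAILED:
            q = failures[ip]
            q.append(ts)
            tried[ip].add(ev["user"])
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"ip": ip, "first_alert": ts,
                                             "peak": 0, "success_after": []})
                f["peak"] = max(f["peak"], len(q))
        elif ev["event_id"] == SUCCESS and ip in findings:
            # Highest priority: the guessing may have worked for this account.
            findings[ip]["success_after"].append(ev["user"])
    for ip, f in findings.items():
        f["users_tried"] = sorted(tried[ip])
    return list(findings.values())

def make_event(t, event_id, logon_type, ip, user):
    return {"time": datetime.fromisoformat(t), "event_id": event_id,
            "logon_type": logon_type, "ip": ip, "user": user}

# Constructed sample events; the IPs are RFC 5737 documentation addresses.
SAMPLE = (
    [make_event(f"2021-01-01T02:00:{s:02d}", FAILED, 3, "203.0.113.7", u) for s, u in
     enumerate(["admin", "administrator", "teacher1", "admin", "backup", "admin"])]
    + [make_event("2021-01-01T02:01:30", SUCCESS, 10, "203.0.113.7", "admin"),
       make_event("2021-01-01T08:15:00", FAILED, 10, "198.51.100.20", "jsmith"),  # one typo
       make_event("2021-01-01T08:15:20", SUCCESS, 10, "198.51.100.20", "jsmith")]
)

if __name__ == "__main__":
    for finding in find_rdp_bruteforce(SAMPLE):
        print(finding)
```

A finding with a non-empty `success_after` list is the one to triage first, since it pairs a guessing burst with a working credential.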

To conduct network reconnaissance ahead of attacks, this group of cyber attackers commonly leverages Advanced Port Scanner and Advanced IP Scanner. Both of these tools are open-source. They allow hackers to easily identify networked computers and the programs running on their open ports. Once in the systems, hackers install tools that allow for lateral network movement.

The lateral tools that Pysa uses

  • Mimikatz: A toolkit that lifts passwords from memory and that captures other authentication credentials.
  • Koadic: A versatile toolkit that provides several options for payload creation and more.
  • PowerShell Empire: This enables hackers to run PowerShell agents without powershell.exe.

Once lateral tools have been loaded, the hackers can command computers to stop running antivirus programs. Files can be transferred between local and remote computer systems using WinSCP. After this process is complete, Pysa ransomware is deployed to take over victims’ systems.

Pysa’s double-extortion technique

The Pysa ransomware can impact any and all Windows and Linux devices. When the ransomware hits machines, it comes with a note warning that stolen information will be transferred to the dark web and monetized. This is the hack-and-leak model.

“In some instances, the actors removed the malicious files after deployment, resulting in victims not finding any malicious files on their systems,” reported the FBI.

Pysa’s encryption history

This form of ransomware was first observed in 2019. In March of 2020, CERT-FR warned government agencies of the threat posed by Pysa. The Pysa ransomware has appeared on multiple continents and largely appears to threaten organizations rather than individuals. This approach is sometimes referred to as ‘big-game hunting’. Other forms of ransomware used in ‘big-game hunting’ include REvil (Sodinokibi), LockerGoga, DoppelPaymer, Maze and more.

FBI recommendations

The FBI’s flash alert provides security experts with information that can assist in preventing and mitigating cyber attacks. The FBI recommends that organizations pursue the following security measures:

  • Ensure that your system is backed up and that at least one copy of critical data is disconnected from your network.
  • Consider network segmentation.
  • Establish and maintain a disaster recovery plan.
  • Provide users with appropriate administrative privileges while configuring access control so that it complies with Zero Trust principles.
  • Install updates and patch operating systems, software and firmware in a timely manner.
  • Implement multi-factor authentication where feasible.
  • Regularly change passwords to network admin accounts and avoid recycling passwords.
  • Disable hyperlinks in received emails.
  • Provide your employees with cyber security awareness training.

The alert lists further measures as well.

Has your organization recently addressed a Pysa ransomware attack? The FBI is requesting reports from affected organizations. Report Pysa to your local FBI field office or to the FBI’s Internet Crime Complaint Center.

For more on Pysa ransomware, visit ThreatPost.