FBI Issues Warnings of PYSA Ransomware Attacks


Saturday, March 20th, 2021

The US FBI has issued a warning about an increase in cyberattacks on the education sector that are delivering the PYSA ransomware.

In a “Flash” alert to the cybersecurity community issued on Tuesday, the FBI said that PYSA has been seen in attacks on schools in 12 U.S. states and in the United Kingdom in March alone. The attacks have cast a wide net, hitting higher education, K-12 schools and seminaries, the alert warned.

In addition, the unknown cyber-adversaries have targeted a handful of government entities, healthcare and private companies, the FBI said.

PYSA, also known as Mespinoza, is capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The FBI noted that it gains initial access in the usual way: by brute-forcing Remote Desktop Protocol (RDP) credentials, through phishing emails, or both.

The FBI researchers have also observed the attackers using Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance. These are open-source tools that let users find hosts on a network with open ports and identify the program versions listening on those ports. From there, the attackers install various open-source tools for lateral movement.

According to the alert, these include Mimikatz, a post-exploitation toolkit that pulls passwords from memory, as well as hashes and other authentication credentials; and Koadic, a penetration toolkit that has several options for staging payloads and creating implants.

Another open-source lateral movement toolkit used in the attacks is PowerShell Empire, which provides the ability to run PowerShell agents without needing powershell.exe. It also provides modules ranging from keyloggers to Mimikatz, and features adaptable communications to avoid network detection.

The email addresses associated with the campaign are all Tor domains, but the adversaries have exfiltrated stolen data to Mega.nz, a cloud-storage and file-sharing service, either by uploading it through the Mega website or by installing the Mega client application directly on a victim’s computer, according to the FBI.
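Two of the behaviours the alert describes, RDP credential brute forcing for initial access and bulk uploads to Mega.nz for exfiltration, leave traces in logs most organisations already collect. The script below is an added example written for this page, not code from the FBI alert or the article: it reviews constructed sample logon-audit and web-proxy lines for both indicators. The single-line log layouts, the event IDs used (Windows 4625 failed logon, 4624 successful logon, logon type 10 for RDP), the Mega domains and the thresholds are assumptions to adapt to your own telemetry.

```python
"""Added example (not from the FBI alert or the article): flag RDP brute-force
sources and large uploads to Mega.nz in constructed sample logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows logon audit events flattened to
# "<timestamp> <event id> <logon type> <username> <source ip>".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
AUTH_LOG = """\
2021-03-16T02:14:01 4625 10 administrator 203.0.113.7
2021-03-16T02:14:02 4625 10 admin 203.0.113.7
2021-03-16T02:14:02 4625 10 backup 203.0.113.7
2021-03-16T02:14:03 4625 10 scanner 203.0.113.7
2021-03-16T02:14:04 4625 10 root 203.0.113.7
2021-03-16T02:14:05 4625 10 it-help 203.0.113.7
2021-03-16T02:14:06 4624 10 it-help 203.0.113.7
2021-03-16T08:30:11 4625 10 jdoe 198.51.100.23
2021-03-16T09:02:45 4624 2 jdoe 10.0.0.15
2021-03-16T15:20:00 4625 10 jdoe 198.51.100.23
"""

# Constructed sample: web proxy lines
# "<timestamp> <client ip> <method> <host> <bytes sent by client>".
PROXY_LOG = """\
2021-03-17T01:05:10 10.0.0.31 POST g.api.mega.co.nz 524288000
2021-03-17T01:06:40 10.0.0.31 POST mega.nz 734003200
2021-03-17T09:12:03 10.0.0.15 GET www.example.edu 1024
2021-03-17T09:13:15 10.0.0.15 POST mega.nz 2048
"""

# Assumed domains for the Mega service; extend with what your proxy sees.
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")


def parse_auth(text):
    """Parse the constructed audit format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), user, src))
    return events


def rdp_bruteforce_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: failures} for sources with at least `threshold`
    failed RDP logons inside any span of length `window` (sliding window)."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, _user, src in parse_auth(text):
        if event_id == 4625 and logon_type == 10:
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def success_after_bruteforce(text, **kw):
    """Report successful RDP logons from a source already flagged for brute
    forcing: the strongest sign that a credential was actually guessed."""
    flagged = rdp_bruteforce_sources(text, **kw)
    return [(src, user) for _ts, event_id, logon_type, user, src
            in parse_auth(text)
            if src in flagged and event_id == 4624 and logon_type == 10]


def is_mega_host(host):
    """True for a Mega domain or any of its subdomains (exact-label match)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def mega_upload_volume(text, min_bytes=100 * 1024 * 1024):
    """Sum bytes POSTed to Mega hosts per internal client and return the
    clients that exceed `min_bytes` as {client_ip: bytes}."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, host, nbytes = line.split()
        if method == "POST" and is_mega_host(host):
            totals[client] += int(nbytes)
    return {c: n for c, n in totals.items() if n >= min_bytes}


if __name__ == "__main__":
    print("RDP brute-force sources:", rdp_bruteforce_sources(AUTH_LOG))
    print("Successful logons from those sources:",
          success_after_bruteforce(AUTH_LOG))
    print("Clients with large Mega uploads:", mega_upload_volume(PROXY_LOG))
```

The two checks are deliberately separate so each can feed its own alert: the brute-force detector is noisy on internet-exposed RDP and is best used to justify rate limiting or removing the exposure, while a flagged source that then logs on successfully, or a workstation that pushes hundreds of megabytes to a file-sharing service it has never used, is worth an immediate response.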

To pressure victims into paying, the ransom note warns that the stolen information will be uploaded and monetized on the Dark Web.
