In a bulletin posted in March of 2021 on its ic3.gov website, the Federal Bureau of Investigation warned of an increase in the number of PYSA ransomware attacks being perpetrated against K-12 schools, seminaries, and universities in the U.S. and the United Kingdom.
What is PYSA Ransomware?
PYSA, also known as Mespinoza, is a type of malware composed of tools used to scan networks, then exfiltrate and encrypt their targets’ critical data. Attackers then demand payment to restore their victims’ access to the information. PYSA attacks have also been used to target governmental agencies, private industry, and healthcare providers. The FBI first became aware of this ransomware variant in March of 2020.
Attackers typically use social engineering, particularly phishing, as well as other tactics to obtain Remote Desktop (RDP) credentials they then leverage to access their targets’ systems. Once inside a victim’s network, they analyze the environment using port scanning and open source tools including Advanced Port Scanner, Mimikatz, Koadic, and PowerShell Empire.
These applications allow the attackers to find open ports they can use to access servers, identify programs, stage their malicious payloads, capture passwords from volatile memory, run scripts, and perform other operations in preparation for data exfiltration and encryption. They may also run commands to deactivate malware protection on their victims’ networks.
Once the prep work is completed, the cybercriminals will use the secure file transfer application component of the PYSA malware package, WinSCP in many cases, to exfiltrate copies of the critical files they’ve identified, then use an encryption algorithm to encrypt the original data on the victims’ systems.
Next, the malware will cause ransom demand messages to be displayed on victims’ login/lock screens. These messages may be very detailed, even including frequently asked questions sections. The messages will provide email addresses victims can use to contact the attackers along with specific ransom demands that, if met, will supposedly result in restoration of access to the encrypted files. The messages usually include threats to sell the exfiltrated data on the dark web if ransom demands are not met. Anonymous, encrypted email accounts, most obtained from ProtonMail.com and OnionMail.org, are used by the perpetrators of these attacks, thus concealing their identities and making it more difficult to track them down.
Forensic investigations of these attacks have revealed that the PYSA malware package is typically placed in a user folder on the C: drive of compromised systems. The malware file is sometimes given a name like svchost.exe, the name used for generic Windows processes, in an attempt to disguise it. Attackers sometimes remove the malware installation files after the applications are deployed. After encryption, the victims’ files typically have a .pysa file extension.
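The two host-level indicators the paragraph above describes, a file named svchost.exe sitting outside the Windows system directories and files carrying the .pysa extension, lend themselves to a simple triage check. The following is an added example written for this article, not code from the FBI bulletin or from any PYSA analysis; the file list is constructed, and the set of directories treated as legitimate homes for svchost.exe (System32 and SysWOW64) is an assumption based on standard Windows layout rather than anything the bulletin states.

```python
import os
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample inventory of files observed on a host (not real forensic data).
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",          # genuine location, should not alert
    r"C:\Users\jdoe\svchost.exe",                 # svchost.exe in a user folder: masquerade
    r"C:\Users\jdoe\Documents\budget.xlsx.pysa",  # encrypted file, .pysa extension
    r"C:\Users\jdoe\Documents\notes.txt",         # benign
    r"C:\Users\Public\Downloads\SVCHOST.EXE",     # case differs, still a masquerade
]

# Assumption: the genuine svchost.exe lives only in these directories.
LEGITIMATE_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def check_path(path: str) -> list:
    """Return a list of (indicator, path) findings for one file path."""
    findings = []
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    # Indicator 1: a file borrowing the generic Windows process name outside system dirs.
    if name == "svchost.exe" and parent not in LEGITIMATE_SVCHOST_DIRS:
        findings.append(("svchost_masquerade", path))
    # Indicator 2: the extension PYSA appends to encrypted files.
    if p.suffix.lower() == ".pysa":
        findings.append(("pysa_extension", path))
    return findings


def scan(paths) -> list:
    """Run check_path over an iterable of paths and collect all findings."""
    results = []
    for path in paths:
        results.extend(check_path(path))
    return results


def summarize(findings) -> dict:
    """Count findings per indicator so a responder can see the scale at a glance."""
    return dict(Counter(indicator for indicator, _ in findings))


def walk_and_scan(root: str) -> list:
    """Walk a real directory tree (e.g. C:\\Users) and apply the same checks."""
    paths = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            paths.append(os.path.join(dirpath, filename))
    return scan(paths)


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for indicator, path in found:
        print(f"{indicator:20s} {path}")
    print(summarize(found))
```

On a live host, `walk_and_scan(r"C:\Users")` applies the same checks to the user profile directories the bulletin names; a large count of `pysa_extension` hits is the signal that encryption has already run, while a `svchost_masquerade` hit with no `.pysa` files may indicate the malware was staged but not yet executed.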
Types of data and systems typically targeted
The FBI bulletin does not indicate why the number of these attacks targeting educational institutions is on the rise, but it does provide information about the type of data attackers are targeting. They typically look for applications that are not accessible to average users, since restricted access suggests that the data handled by those applications is sensitive or confidential. They also seek out backup files and databases where high-value data is stored. Per the FBI, attackers have focused on employment records and other files containing personally identifiable information (PII), payroll tax files, and anything else that, if stolen or rendered inaccessible, could provide victims with a great deal of incentive to pay a ransom.
Payment of ransoms is not recommended
In general, the FBI does not recommend that victims of ransomware attacks pay their attackers. In some cases, the attackers simply disappear with the ransom without restoring their victims’ access to the encrypted data. Additionally, an organization’s willingness to pay may identify it as an easy mark for future attacks by the same or other cybercriminals. Although not recommended, the payment of ransoms is also not prohibited. Organizational managers must evaluate each situation and make the decision regarding payment based on operational continuity, what is best for their employees and shareholders, and other pertinent factors relating to that particular attack.
Basic security measures help ward off PYSA attacks and mitigate their impacts
Many of the same security controls used to protect against other attacks and malware also work to prevent PYSA attacks from succeeding or at least mitigate the resulting damages.
Antivirus and anti-malware applications should be installed and regularly updated. Operating system and application security patches should be installed as soon as possible so that known vulnerabilities are eliminated. Configuring email systems to disable hyperlinks and include a warning banner on messages received from external senders will reduce the possibility that employees will inadvertently download malware from malicious sites or be taken in by phishing attempts (often the first step in PYSA attacks).
Multi-factor authentication should be implemented wherever available. Requiring strong passwords and regular mandatory password resets for all users is a must. Password sharing and reuse should be prohibited and user account privileges need to be regularly reviewed. Role-based access privileges should be applied, thus ensuring that users have only the minimum level of access required to perform their duties.
Because PYSA attackers routinely utilize Remote Desktop Protocol to access targeted systems, disabling RDP wherever possible is recommended. Any unnecessary remote access ports should be disabled as well. Remote access logs should be monitored to identify and investigate any suspicious activity.
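The paragraph above says remote access logs should be monitored for suspicious activity but does not say what to look for. The following is an added example, not part of the article or the FBI bulletin, that applies three common review heuristics to remote access logon records: a successful logon preceded by a burst of failures from the same source, a successful logon from an address outside the organization's internal ranges, and a successful logon outside business hours. The log format, the sample lines, the failure threshold, the internal address ranges and the business-hours window are all constructed assumptions; a real deployment would adapt the parser to the actual log source and the thresholds to the organization.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample remote access log in an assumed line format (not a real product's format).
SAMPLE_LOG = """\
2021-03-15T09:02:11Z rdp success user=jdoe src=10.0.5.21
2021-03-15T02:10:01Z rdp failure user=admin src=203.0.113.45
2021-03-15T02:10:04Z rdp failure user=admin src=203.0.113.45
2021-03-15T02:10:09Z rdp failure user=admin src=203.0.113.45
2021-03-15T02:10:15Z rdp failure user=admin src=203.0.113.45
2021-03-15T02:10:22Z rdp failure user=admin src=203.0.113.45
2021-03-15T02:11:40Z rdp success user=admin src=203.0.113.45
2021-03-15T14:30:00Z rdp success user=msmith src=192.168.1.77
"""

# Assumed tuning values; adjust to the environment being monitored.
FAILURE_THRESHOLD = 5                 # failures before a success becomes suspicious
BUSINESS_HOURS = range(7, 20)         # 07:00 to 19:59 UTC
INTERNAL_NETWORKS = [                 # address space the organization treats as internal
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line: str) -> dict:
    """Parse one 'TIMESTAMP rdp OUTCOME user=U src=IP' record into a dict."""
    ts, _proto, outcome, user_kv, src_kv = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": outcome,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def is_internal(addr: str) -> bool:
    """True if the source address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def review(log_text: str) -> list:
    """Return a list of alert dicts for the successful logons that match a heuristic."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])  # logs are not guaranteed to be in order
    failures = defaultdict(int)           # running failure count per (source, user)
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        if e["outcome"] == "failure":
            failures[key] += 1
            continue
        # From here on the event is a successful logon.
        if failures[key] >= FAILURE_THRESHOLD:
            alerts.append({"rule": "success_after_failures", "user": e["user"],
                           "src": e["src"], "failures": failures[key]})
        failures[key] = 0
        if not is_internal(e["src"]):
            alerts.append({"rule": "external_source", "user": e["user"], "src": e["src"]})
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append({"rule": "off_hours", "user": e["user"], "src": e["src"]})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, the `admin` logon from 203.0.113.45 trips all three rules while the two internal, daytime logons produce nothing. Each rule alone generates false positives (travelling staff, legitimate after-hours maintenance), so the value of a review like this comes from a single logon matching several rules at once, and from feeding such hits into an investigation rather than acting on them blindly.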
Segmenting networks to the extent possible will make it more difficult for attackers to freely traverse the environment if access is gained. Regular data backups are recommended, as is storing backups on air-gapped storage systems separated from the rest of the environment.
Because phishing and other forms of social engineering are often used in these attacks, user training is critical. Simulation and role-playing are effective training methods because they require user participation. Consider utilizing a service that can actually send simulated phishing emails to users and track their responses.
Finally, if all else fails, organizations should have an enterprise continuity and recovery plan in place to aid in the recovery from a successful attack. The plan needs to be tested regularly and updated when necessary to ensure that it is continuously improved and remains current.
The number one way to mitigate the damage from any attack on your systems is to prevent it from happening in the first place. It’s vital to protect every point of entry into your organization and to ensure that the organization knows which points of entry its employees are actually using.
With CybriantXDR, you will have increased visibility along with the right technology, and security analysts watching that technology around the clock. With machine learning and artificial intelligence, our team is able to stop any bad actors before they execute.
Foreign and domestic cybercriminals are, according to the FBI, responsible for a growing number of PYSA ransomware attacks targeting educational institutions in the U.S. and U.K. These attacks have also been directed at governmental agencies, the healthcare sector, and private companies. Because they often begin with phishing and other forms of social engineering, training your organization’s user community to recognize the signs of a potential attack is critical. Beyond that, implementing many of the same technical controls used to prevent other forms of attack will also help to prevent PYSA attacks from being successful. Placing special emphasis on running regular backups and isolating and protecting backup files along with implementing continuity and recovery plans could significantly mitigate the impacts should a successful attack occur.
The FBI requests that any suspected or verified attacks be reported via their site at ic3.gov or by contacting a local FBI office.