Threat Watch

PYSA Ransomware Targets Education Sector

Reports from the Cyber Division of the FBI warn of an uptick in PYSA ransomware attacks targeting the education sector in recent months. The actors behind the ransomware have also targeted foreign and domestic government entities, private companies, and healthcare in the past. In March 2020 alone, schools in 12 US states as well as the UK were hit by PYSA. Payloads are deployed by way of phishing emails or compromised RDP credentials, and antivirus and anti-malware solutions are disabled in the process. Once inside the network, the malware looks for files that contain important information and can be used as leverage to get the target to pay the ransom. After it runs its processes and drops executables, it adds a ransom note that links to the threat group’s hidden website on Tor, also known as the Dark Web.

ANALYST NOTES

The FBI has released its recommended mitigation tactics for educational organizations, including:
• Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as they are released.
• Use multi-factor authentication where possible.
• Regularly change passwords to network systems and accounts, and avoid reusing the same passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
• Disable unused remote access/RDP ports and monitor remote access/RDP logs.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Install and regularly update anti-virus and anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
• Consider adding an email banner to messages coming from outside your organization.
• Disable hyperlinks in received emails.
• Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
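
An added example (not part of the FBI alert or the sources below) of the "monitor remote access/RDP logs" recommendation: it flags a successful RDP logon that follows a burst of failed logons from the same source address, the pattern left by guessed or stuffed RDP credentials. The record layout, the threshold and window values, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (timestamp, EventID, LogonType, source IP, account),
# shaped like fields exported from the Windows Security log.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive
# (RDP). With NLA enabled, failed RDP attempts are usually logged as LogonType 3.
# Addresses are from the documentation ranges; accounts are made up.
SAMPLE_EVENTS = [
    ("2024-01-15T02:10:01", 4625, 3, "203.0.113.7", "admin"),
    ("2024-01-15T02:10:09", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-01-15T02:10:15", 4625, 3, "203.0.113.7", "teacher1"),
    ("2024-01-15T02:10:22", 4625, 3, "203.0.113.7", "teacher1"),
    ("2024-01-15T02:10:30", 4625, 3, "203.0.113.7", "helpdesk"),
    ("2024-01-15T02:10:41", 4624, 10, "203.0.113.7", "helpdesk"),
    ("2024-01-15T08:01:12", 4625, 10, "198.51.100.20", "jsmith"),
    ("2024-01-15T08:01:30", 4624, 10, "198.51.100.20", "jsmith"),
]


def rdp_success_after_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on an RDP logon that follows >= threshold failures from the same IP."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failed logons
    alerts = []
    for ts, event_id, logon_type, ip, user in sorted(events):
        when = datetime.fromisoformat(ts)
        recent = failures[ip]
        # Drop failures that have aged out of the sliding window.
        while recent and when - recent[0] > window:
            recent.popleft()
        if event_id == 4625 and logon_type in (3, 10):
            recent.append(when)
        elif event_id == 4624 and logon_type == 10 and len(recent) >= threshold:
            alerts.append({"time": ts, "source_ip": ip, "user": user,
                           "failures": len(recent)})
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in rdp_success_after_failures(SAMPLE_EVENTS):
        print("possible compromised RDP credentials:", alert)
```

The single mistyped password from 198.51.100.20 stays below the threshold, so only the burst from 203.0.113.7 is reported.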

Sources:
https://threatpost.com/pysa-ransomware-education-feds-warn/164832/
https://assets.documentcloud.org/documents/20514564/pysa-ransomware-bc.pdf