FBI Cyber Division has issued a alert to warn of an increase in PYSA ransomware attacks targeting government entities, educational institutions, private companies, and the healthcare sector in the US and the UK. The FBI has become aware of PYSA ransomware attacks against the US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors. PYSA typically gains unauthorized access to victim networks by compromising RDP credentials and through phishing emails.

The hackers responsible for PYSA ransomware attacks are known to encrypt data on compromised systems, steal information from victims, and threaten to leak it in an effort to increase their chances of getting paid.

FBI has been tracking it since March 2020, PYSA, also known as Mespinoza, has been active since at least October 2019. The threat actors are known to use phishing and RDP attacks for initial access to targeted networks, and tools such as “Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, and proceed to install open-source tools, such as PowerShell Empire, Koadic, and Mimikatz”.

After exfiltrating files from the victim’s network,the cybercriminals start encrypting them on Windows or Linux devices. The agency advises organizations not to pay the ransom, as it doesn’t guarantee the recovery of files, but says that it “understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.”

Preventing and Blocking PYSA Ransomware

Additionally, the FBI has provided a list of recommended mitigations to help detect and block PYSA ransomware attacks against educational organizations:

  • Regularly back up data, air gap, and password-protect backup copies offline.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication where possible.
  • Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training.