PYSA Ransomware Operators Targeting Healthcare, Education and Government Institutions, FBI Warns
The Federal Bureau of Investigation has issued a flash alert warning of an increase in PYSA ransomware attacks targeting government entities, educational institutions, private companies and the healthcare sector in the US and the UK.
PYSA, also known as Mespinoza, is capable of exfiltrating and encrypting critical files and data, with the criminals specifically targeting higher education, K-12 schools and seminaries, the bureau warns.
“These actors use PYSA to exfiltrate data from victims prior to encrypting victim's systems to use as leverage in eliciting ransom payments,” according to the advisory.
The FBI has been tracking PYSA ransomware attacks “by unidentified cyber actors” against US and foreign government entities, educational institutions, private companies and the healthcare sector for over a year.
The group typically gains access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing emails, the FBI notes. The cyber actors conduct network reconnaissance and execute commands to deactivate antivirus capabilities on targeted systems before deploying the ransomware.
“The cyber actors then exfiltrate files from the victim's network, sometimes using the free open-source tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users,” according to the advisory.
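As an added example that is not part of the FBI advisory or this article, the script below is a small correlation rule over constructed log lines that flags, on a single host, the sequence the alert describes: an interactive RDP logon, the antivirus service being stopped, and WinSCP being launched, all within a short window. The Windows event IDs (4624 logon, 7036 service state change, 4688 process creation) are the standard ones; the pipe-delimited log format, host and user names, source addresses and the one-hour window are assumptions made for this example.

```python
"""Toy correlation rule for the PYSA intrusion chain described in the FBI alert:
RDP logon -> antivirus service stopped -> WinSCP launched on the same host.
All log lines below are constructed for this example, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp|host|event_id|key=value ..." format.
# Event IDs are the standard Windows ones; the log format itself is an assumption.
SAMPLE_LOG = """\
2021-03-16T08:00:05|FILESRV01|4624|LogonType=10 User=svc_backup Src=203.0.113.45
2021-03-16T08:02:11|FILESRV01|7036|Service=WinDefend State=stopped
2021-03-16T08:04:30|FILESRV01|4688|Process=C:\\Users\\svc_backup\\winscp.exe
2021-03-16T09:15:00|WKS-042|4624|LogonType=10 User=jdoe Src=10.0.0.7
2021-03-16T12:30:00|WKS-042|4688|Process=C:\\Tools\\WinSCP\\WinSCP.exe
2021-03-16T13:00:00|DC01|7036|Service=Spooler State=stopped
"""

# Maximum time between the RDP logon and the later stages (assumed value).
WINDOW = timedelta(hours=1)


def parse_line(line):
    """Split one log line into a dict of timestamp, host, event id and detail fields."""
    ts, host, event_id, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": event_id, **fields}


def classify(ev):
    """Map a parsed event onto one of the three stages of the chain, or None."""
    if ev["id"] == "4624" and ev.get("LogonType") == "10":
        return "rdp_logon"                      # interactive remote logon (RDP)
    if ev["id"] == "7036" and ev.get("Service") == "WinDefend" and ev.get("State") == "stopped":
        return "av_stopped"                     # antivirus service deactivated
    if ev["id"] == "4688" and ev.get("Process", "").lower().endswith("winscp.exe"):
        return "winscp_exec"                    # exfiltration tool launched
    return None


def find_chains(log_text, window=WINDOW):
    """Return {host: logon_time} for hosts where an RDP logon is followed, within
    `window`, by both the antivirus stop and a WinSCP launch."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))

    hits = {}
    for host, events in per_host.items():
        events.sort()  # chronological order per host
        for i, (t0, stage0) in enumerate(events):
            if stage0 != "rdp_logon":
                continue
            seen = set()
            for t, stage in events[i + 1:]:
                if t - t0 > window:
                    break  # later events are outside the correlation window
                seen.add(stage)
            if {"av_stopped", "winscp_exec"} <= seen:
                hits[host] = t0
                break
    return hits


if __name__ == "__main__":
    for host, when in find_chains(SAMPLE_LOG).items():
        print(f"ALERT {host}: RDP logon at {when.isoformat()} followed by AV stop and WinSCP launch")
```

On the sample data only FILESRV01 fires: WKS-042 has an RDP logon and a WinSCP launch, but they are more than an hour apart and no antivirus stop occurs, and DC01 only stopped an unrelated service. Tightening or loosening the window trades false negatives against false positives; on a real estate the rule would also want to exclude known administrative jump hosts and legitimate WinSCP usage.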
The document describes various indicators of compromise and offers a list of flagged domains associated with this malicious activity.
The notice also includes mitigation steps like:
- Regularly back up data, air gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released. Use multifactor authentication where possible.
… and others.
In typical fashion, the FBI does not encourage paying ransom, as “payment does not guarantee files will be recovered [and] may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
However, the bureau says it “understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.”
Whatever victims choose to do, the FBI urges them to report ransomware attacks to their local field office or the FBI's Internet Crime Complaint Center (IC3) at https://ic3.gov.
“Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law,” the agency notes.