FBI warns of PYSA Ransomware attacks against schools in the U.S. and U.K.

FBI warns of PYSA Ransomware attacks against schools in the U.S. and U.K.

The Federal Bureau of Investigation (FBI) has warned of PYSA Ransomware attacks against schools located in the United States and United Kingdom.

The FBI described the latest PYSA threat in the alert published March 16:

“FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is a malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”

According to the alert, the FBI first spotted in March 2020 PYSA ransomware attacks against governments, education institutions, and private enterprises.

The cyber actors primarily use PYSA to gain unauthorized access to victims’ networks by compromising Remote Desktop Protocol (RDP) credentials, as well as via phishing emails. Moreover, the actors use scanners (such as Advanced Port Scanner and Advanced IP Scanner1) to conduct reconnaissance. They then pivot to other victim systems to install open source tools (e.g., Mimikatz4, Koadic3, PowerShell Empire2) to then cause further havoc, such as deactivating anti-malware software and then deploy the PYSA ransomware.

“The cyber actors then exfiltrate files from the victim’s network, sometimes using the free opensource tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users,” the FBI explained.

Once the systems are completely compromised and PYSA malware is executed to encrypt files, the hackers will then leave a detailed ransom message on the victim’s login screen with instructions and FAQs on how to contact the actors and decrypt the files after the ransom is paid.

Readers may recall similar ransomware attacks against 23 towns and universities in Texas, as well as multiple schools in Louisiana back in 2019.

Of course the most famous of ransomware attacks was the WannaCry ransomware attacks that crippled entities all over the world back in 2017.


Organizations are highly encouraged to implement these safeguards to help combat ransomware attacks:

  • Backup data and keep copies offline (such as external hard drive or in cloud storage).
  • Secure backups to prevent unauthorized changes to data.
  • Run up to date anti-malware programs on all hosts.
  • Use VPNs and avoid using public wifi.
  • Use multi-factor authentication and strong passwords.
  • Keep all devices up to date and patched.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user and administrator accounts
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Focus on security awareness and training for ransomware and phishing attacks.

Finally, he FBI urges organizations and users to report ransomware incidents to their local FBI field office or
the FBI’s Internet Crime Complaint Center (IC3) (https://ic3.gov).

Related Articles