During 2020, the healthcare sector has been a constant focus of ransomware gangs, but the education sector is also dealing with a rise in attacks, and the Pysa (Mespinoza) ransomware gang is now extensively targeting it.

Pysa ransomware is a variant of Mespinoza ransomware, which was first seen in ransomware campaigns in October 2019. The threat group behind the attacks, like many other ransomware gangs, uses double extortion tactics: files are encrypted and a ransom demand is issued that must be paid to obtain the keys to decrypt them, but to improve the chances of the ransom being paid, data is stolen before the files are encrypted. The gang threatens to sell the stolen data on the dark web if the ransom is not paid. Many targeted healthcare organizations have been forced to pay the ransom even though they had backups, solely to prevent the sale of their data.

Since October 2019, the Pysa ransomware gang has focused on large companies, the healthcare sector, and local government bodies, but there has been a recent rise in attacks on the education sector. Attacks have been carried out on K-12 schools, higher education institutions, and colleges, with attacks reported in 12 U.S. states and in the United Kingdom. The rise in attacks led the FBI to issue a Flash Alert in March 2021 warning the education sector about the heightened risk of Pysa ransomware attacks.

Reviews of attacks revealed that the gang carries out network reconnaissance using freely available tools such as Advanced Port Scanner and Advanced IP Scanner. Tools including PowerShell Empire, Koadic, and Mimikatz are then used to harvest credentials, escalate privileges, and move laterally inside networks. The gang looks for sensitive data that can be easily monetized and exfiltrates it before deploying the ransomware payload.

Discovering a Pysa ransomware attack in progress is difficult, so it is crucial that defenses are hardened to stop attackers from gaining access to networks in the first place. In attacks on French firms and government agencies, brute force attacks were conducted against management consoles and exposed Active Directory accounts. Some attacks have involved exploitation of weaknesses in exposed Remote Desktop Protocol (RDP) services, and the gang is also known to use spam and phishing emails to obtain credentials and gain a foothold in education networks.

As a range of methods are used to obtain access, there is no single control that will block every attack. Educational institutions need to use a combination of security solutions and cybersecurity best practices to improve their security posture and block attacks. Antivirus/antimalware solutions are vital, as is keeping them updated. Since many attacks begin with a phishing email, an advanced email security gateway is also crucial. Choosing a solution such as SpamTitan, which uses dual AV engines and sandboxing, reduces the probability of malware being installed, malware that ransomware gangs use to gain persistent access to networks. SpamTitan also blocks phishing emails containing links to websites where credentials are harvested, and it uses machine learning methods to identify new types of email attacks.

Patches and security updates should be applied promptly after release to stop software and operating system vulnerabilities from being exploited. Apply the principle of least privilege to accounts, limit the use of administrative accounts as far as you can, and segment networks to hamper lateral movement once access has been gained. You should also be monitoring your network for suspicious activity and investigating alerts so that intrusions are discovered quickly. Any RDP ports that are not strictly required should be closed, and a VPN used for remote access.
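Two of the behaviours described above are visible in Windows Security event logs long before the encryption payload runs: the brute force attempts against exposed accounts and RDP services, and the stolen-credential lateral movement that follows reconnaissance with tools such as Advanced IP Scanner. The script below is an added example written for this article, not code from the original page, SpamTitan, or the Pysa gang. It parses a handful of constructed Security-log records (the sample timestamps, account names, IP addresses and host names are invented) and flags both patterns. The thresholds (5 failed logons in 5 minutes, 3 distinct hosts in 10 minutes) are illustrative assumptions to tune for your environment.

```python
"""Flag two Pysa-style intrusion precursors in Windows Security events.

(1) Brute force / password spraying: many failed logons (event 4625) from one
    source address in a short window.
(2) Lateral movement: one account performing network logons (event 4624,
    logon type 3) to many distinct hosts in a short window.

The records below are constructed for this example; adapt parse_events() to
the export format of your SIEM or to Get-WinEvent output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Columns: timestamp, event id, target account,
# source IP, host that logged the event, logon type (10 = RemoteInteractive/RDP,
# 3 = Network). Names and addresses are invented (RFC 5737 ranges).
SAMPLE_EVENTS = """\
# time                event account        source_ip     host     logon_type
2020-11-03T02:14:01 4625 administrator 203.0.113.45 DC01 10
2020-11-03T02:14:09 4625 administrator 203.0.113.45 DC01 10
2020-11-03T02:14:17 4625 admin 203.0.113.45 DC01 10
2020-11-03T02:14:26 4625 backup 203.0.113.45 DC01 10
2020-11-03T02:14:35 4625 svc_backup 203.0.113.45 DC01 10
2020-11-03T02:14:44 4625 svc_backup 203.0.113.45 DC01 10
2020-11-03T02:15:02 4624 svc_backup 203.0.113.45 DC01 10
2020-11-03T02:31:10 4625 jsmith 10.0.0.18 FS01 3
2020-11-03T02:32:40 4624 jsmith 10.0.0.18 FS01 3
2020-11-03T03:02:11 4624 svc_backup 10.0.0.25 FS01 3
2020-11-03T03:02:13 4624 svc_backup 10.0.0.25 HR-PC12 3
2020-11-03T03:02:14 4624 svc_backup 10.0.0.25 FIN-PC03 3
2020-11-03T03:02:16 4624 svc_backup 10.0.0.25 SQL01 3
"""


def parse_events(text):
    """Turn the whitespace-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, eid, account, src, host, ltype = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),
            "account": account.lower(),
            "src": src,
            "host": host,
            "type": int(ltype),
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: max_failures_in_window} for sources whose failed
    logons (4625) within `window` reach `threshold`. Logon type is ignored so
    both RDP (type 10) and NLA/SMB-style failures (type 3) are counted."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {account: set_of_hosts} for accounts that performed network logons
    (4624, type 3) to at least `min_hosts` distinct hosts within `window`.
    One account fanning out across the network is the footprint of stolen
    credentials being replayed by tools such as PowerShell Empire."""
    by_acct = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] == 3:
            by_acct[e["account"]].append((e["ts"], e["host"]))
    hits = {}
    for acct, entries in by_acct.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[acct] = hits.get(acct, set()) | hosts
    return hits


def triage(text):
    """Convenience wrapper: run both detectors over a log export."""
    events = parse_events(text)
    return {
        "brute_force": detect_brute_force(events),
        "lateral_movement": detect_lateral_movement(events),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(name, findings)
```

On the sample data the first detector reports 203.0.113.45 with six failures in under a minute, followed by a successful RDP logon for svc_backup from the same address; the second reports svc_backup reaching four hosts within five seconds, which is the point at which an analyst should be pulling the plug rather than waiting for ransom notes. A single failed logon from jsmith and a single file-server logon are correctly left alone.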

It is crucial for backups to be created of all critical data to ensure that file recovery can take place without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored on an air-gapped device.