During 2020 the healthcare sector has been a constant focus of ransomware groups, but the education sector is also dealing with a rise in attacks, with the Pysa (Mespinoza) ransomware gang now targeting it.

Pysa ransomware is another strain of Mespinoza ransomware that was first seen in ransomware campaigns during October 2019. The threat group responsible for the attacks, like many other ransomware gangs, uses double extortion tactics on its targets. Files are encrypted and a ransom is demanded for the keys to decrypt them, but to improve the chances of the ransom being paid, data is stolen before file encryption. The gang tries to profit from selling the stolen data on the darkweb if the ransom is not paid. Many targeted entities have been forced to pay the ransom, even when they have backups, to stop the sale of their data.

Since October 2019, the Pysa ransomware gang has focused on large companies, the healthcare sector, and local government bodies, but there has been a recent rise in attacks on the education sector. Attacks have been carried out on K12 schools, higher education institutions, and conferences, with attacks being experienced in 12 U.S. states and the United Kingdom. The rise in attacks led the FBI to issue a Flash Alert in March 2020 warning the education sector about the heightened danger of attacks.

Reviews of attacks revealed that the gang carries out network reconnaissance using open source tools like Advanced Port Scanner and Advanced IP Scanner. Tools including PowerShell Empire, Koadic, and Mimikatz are employed to obtain credentials, escalate privileges, and move laterally inside networks. The gang identifies and steals sensitive data before delivering the ransomware payload. The data stolen is the kind that can be used to pressure victims into paying and can easily be sold on the darkweb.

Discovering a Pysa ransomware attack in progress is tricky, so it is crucial for defenses to be hardened to prevent any access occurring. Many methods have been used to obtain access to networks, although in many cases it is not known how the attack began. In attacks on French firms and government agencies, brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have included exploitation of Remote Desktop Protocol flaws, and the gang is also known to use spam and phishing emails to obtain details to gain a foothold in databases.

Because a range of methods is used for obtaining access, there is no single measure that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to improve their defenses.

An antivirus/antimalware solution is vital, as is ensuring it is kept updated. Since many attacks begin with a phishing email, an advanced email security gateway is also crucial. Picking a solution such as SpamTitan that uses dual AV engines and sandboxing will increase the chance of spotting malicious emails. SpamTitan uses machine learning methods to identify new types of email attacks.

Patches and security updates should be applied quickly after they have been released to stop flaws from being targeted. You should apply the principle of least privilege to accounts, limit the use of administrative accounts as far as you can, and segment networks to limit the chance of lateral movement occurring. You should also scan your network for suspicious activity and create alerts so that any potential infiltration can be quickly discovered. All redundant RDP ports should be closed, and a VPN used for remote access.
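As an illustration of the alerting described above, applied to the brute force activity against accounts mentioned earlier, the following sketch flags a source address that produces a burst of failed logons and any successful logon from that source afterwards. It is an added example, not code from the FBI alert or any vendor: the comma-separated record layout, the sample records, and the threshold values are constructed assumptions, while 4625 and 4624 are the Windows Security log event IDs for failed and successful logons.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumed layout): time, event ID, source IP, account.
# 4625 = failed logon, 4624 = successful logon. Records are assumed time-ordered.
SAMPLE_EVENTS = """\
2021-03-01T02:10:00,4625,203.0.113.7,administrator
2021-03-01T02:10:20,4625,203.0.113.7,admin
2021-03-01T02:10:41,4625,203.0.113.7,svc_backup
2021-03-01T02:11:02,4625,203.0.113.7,jsmith
2021-03-01T02:11:30,4625,203.0.113.7,jsmith
2021-03-01T02:12:05,4624,203.0.113.7,jsmith
2021-03-01T08:00:00,4625,10.0.5.21,mbrown
2021-03-01T08:00:30,4624,10.0.5.21,mbrown
"""

WINDOW = timedelta(minutes=5)  # assumed values; tune to the environment
MAX_FAILURES = 5

def detect_bruteforce(text, window=WINDOW, max_failures=MAX_FAILURES):
    """Return alerts for sources exceeding the failure threshold within a
    sliding window, and for any later success from a flagged source."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in text.strip().splitlines():
        ts_raw, event_id, src, account = line.split(",")
        ts = datetime.fromisoformat(ts_raw)
        recent = failures[src]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event_id == "4625":
            recent.append(ts)
            if len(recent) >= max_failures and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, account, ts_raw))
        elif event_id == "4624" and src in flagged:
            # A success after a burst of failures deserves immediate triage.
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, account, ts_raw))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped password followed by a success, as in the last two sample records, stays below the threshold and raises no alert.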

It is crucial to create backups of all critical data to ensure that file recovery can take place without paying the ransom. Multiple backups of data should be set up, those backups should be tested to make sure file recovery can happen, and at least one copy should be stored safely on an air-gapped device.