The FBI has issued an alert to education sector organizations in the US and UK of an uptick in multi-stage double extortion attacks using the Pysa ransomware variant.
Also known as Mespinoza, Pysa has been detected targeting higher education institutions, K-12 schools and seminaries in 12 US states and the UK.
The variant has been tracked by the FBI since March 2020 in attacks on multiple sectors including US and foreign governments, healthcare and private sector firms.
The initial threat vector is either phishing emails or RDP endpoints hijacked via compromised credentials.
Open source Advanced Port Scanners and Advanced IP Scanners are then used for network reconnaissance, before the installation of more open source tools such as PowerShell Empire, Koadic and Mimikatz to upload additional malware, grab passwords and more.
The threat actors also seek to disable anti-virus capabilities on the victim’s network before deploying the ransomware, the FBI warned.
“The cyber-actors then exfiltrate files from the victim’s network, sometimes using the free opensource tool WinSCP, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups and applications inaccessible to users,” the alert continued.
“In previous incidents, cyber-actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information and other data that could be used to extort victims to pay a ransom.”
Any exfiltrated data is uploaded to cloud storage site Mega.nz.
The news comes as a college in the UK’s second city of Birmingham reported a major ransomware attack which forced the closure of its campus buildings to students.
South and City College said some students were expected to return today after a ransomware incident last weekend “had made certain computer systems on our network inaccessible.”
The average ransom payment last year increased 171%, according to Palo Alto Networks.