Earlier this year, the Federal Bureau of Investigation (FBI) reported an increase in PYSA ransomware attacks targeting K-12 schools and higher education institutions in the United States. So far, 12 states have been affected by the data breaches. PYSA, also known as Mespinoza, is ransomware that exfiltrates data and encrypts users’ critical files and data stored on systems. Operators use the stolen information as leverage to extract ransom payments.
The BlackBerry Threat Research and Intelligence Team has been tracking a Golang (Go) remote access Trojan (RAT), called ChaChi, that has recently been targeting educational organizations. Because Go is a newer programming language, it is more difficult for organizations’ analysis processes to keep up. PYSA campaigns are not automated attacks; they are human-orchestrated, controlled attacks on a target. The attackers use knowledge of organizations, their networks, and security misconfigurations to move laterally and gain access to environments.
Educational institutions are at risk of attacks because of the information contained in their systems. Educational organizations often lack an established, robust security infrastructure, so they are more susceptible to attacks. Additionally, the large amount of sensitive information on educational networks is valuable to threat actors. These vulnerable networks allow files to be exploited through ransomware attacks. Students add to the risk, since they often have little to no security awareness training. Attacks can enter an educational organization’s network when students fail to recognize questionable websites or identify suspicious emails and, as a result, download malicious programs onto their personal devices while connected to the institution’s network.
The number of malicious actors using PYSA ransomware to target educational institutions is growing rapidly. It’s important for organizations to educate all users, including students, so that they avoid falling victim to these ransomware attacks. The FBI advises organizations not to pay ransoms and to report attacks, to dissuade hackers from targeting other organizations.