U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

FBI warns of PYSA Ransomware attacks against Education Institutions in US and UK

The FBI has issued an alert to warn about an increase in PYSA ransomware attacks on education institutions in the US and UK. The FBI has issued Tuesday an alert to warn about an increase in PYSA ransomware attacks against education institutions in the United States and the United Kingdom. In March 2020, CERT France cyber-security […]

FBI surveillance

The FBI has issued an alert to warn about an increase in PYSA ransomware attacks on education institutions in the US and UK.

The FBI has issued Tuesday an alert to warn about an increase in PYSA ransomware attacks against education institutions in the United States and the United Kingdom.

In March 2020, CERT France cyber-security agency warned about a new wave of ransomware attack that was targeting the networks of local government authorities. Operators behind the attacks were spreading a new version of the Mespinoza ransomware (aka Pysa ransomware).

According to the experts, the first infections were observed in late 2019, victims reported their files were encrypted by a strain of malware. The malicious code appended the extension .locked to the filename of the encrypted files.

The Mespinoza ransomware evolved over time, and in December a new version appeared in the threat landscape. This new version used the .pysa file extension that gives the name to this piece ransomware.

The variant was initially used to target big enterprises in the attempt of maximizing the operators’ efforts, but the alert issued by the French CERT warns that the Pysa ransomware is targeting French organizations, especially local government agencies.

CERT-FR’s alert states that the Pysa ransomware code based on public Python libraries.

According to the report issued by the CERT-FR, operators behind the Pysa ransomware launched brute-force attacks against management consoles and Active Directory accounts.

Once compromised the target network, attackers attempt to exfiltrate the company’s accounts and passwords database.

Operators behind the Pysa ransomware, also employed a version of the PowerShell Empire penetration-testing tool, they were able to stop antivirus products.

One of the incidents handled by CERT-FR sees the involvement of a new version of the Pysa ransomware, which used the .newversion file extension instead of .pysa.

According to the FBI Flash alert, unidentified threat actors are targeting higher education, K-12 schools, and seminaries. The attackers implement a double extortion model using the PYSA ransomware to exfiltrate data from victims prior to encrypting their files.

“FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is a malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems.” reads the FBI’s alert. “The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”

Since March 2020, the PYSA ransomware was involved in attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector. Threat actors deploy the ransomware by gaining unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing campaigns. The attackers use Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, then they install open-source post-exploitation tools, including PowerShell Empire, Koadic, and Mimikatz. The attackers are also able to deactivate antivirus on the victim network before delivering the ransomware.

“The cyber actors then exfiltrate files from the victim’s network, sometimes using the free open source tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users. In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom.” continues the alert.

In recent attacks, threat actors uploaded the stolen data to the file sharing service MEGA.NZ, in some cases they also installed the MEGA client software directly on the victim’s computer.

The FBI’s alert contains indicators of compromise (IoCs) for these attacks.

Over the past year, the FBI also issued flash alerts and PIN alerts to warn organizations about attacks involving DoppelPaymerEgregor, and NetWalker ransomware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]