
EFSA - Protecting your rights as an ecommerce business and expressing your needs to the relevant government departments and opinion formers

PYSA Ransomware linked to school cyber-attacks across the UK and US

Over the last few months, the education industry has been hit by a wave of cybersecurity attacks. In March 2021, the FBI issued an alert reporting an increase in ‘PYSA’ ransomware attacking a number of institutions across the UK and US, particularly universities, seminaries and schools. The FBI reported that 12 states across the US have already been affected by this malware.

PYSA is a variant of the Mespinoza ransomware and uses double extortion: the operators first exfiltrate data from victims' systems and then encrypt the files and databases stored on them, so that both the decryption key and the stolen data are held to ransom. PYSA was first seen in October 2019 and initially targeted government entities, educational institutions, large organisations and the healthcare sector.

PYSA is offered as ransomware-as-a-service (RaaS): its developers profit by renting the malware to affiliate threat actors who lack the skill to build their own, and who can customise it for each target.

PYSA is now ranked alongside the most dangerous ransomware operations, including Ryuk, Maze and REvil. In March 2020, CERT-FR warned French local governments of a surge in PYSA attacks; in May 2020, MyBudget, an Australian money-management firm, was hit by a ransomware attack that caused a 13-day system outage; and in October 2020, London's Hackney Council suffered an attack that left it unable to process housing benefit payments and held up house purchases in the borough.

PYSA operators typically gain initial access through phishing campaigns or by brute-forcing Remote Desktop Protocol (RDP) credentials. They then map the network with scanners such as Advanced Port Scanner and Advanced IP Scanner, download further open-source tools to support the intrusion and move laterally, disable firewalls and other security controls, and exfiltrate sensitive files to a cloud storage service. Only then is the PYSA malware deployed, encrypting devices, data, files, databases, virtual machines, backups and applications across the environment.
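As an added example (not code from the original post, nor from the FBI alert it summarises), the following Python script detects two of the behaviours described above in Windows Security event logs: an RDP brute-force that ends in a successful logon (a burst of Event ID 4625 failures with LogonType 10 from one source address, followed by a 4624 from the same address), and execution of the two scanners the post names (Event ID 4688 process creation). The sample events are constructed for this example and modelled on Windows Security log fields; the executable names `advanced_port_scanner.exe` and `advanced_ip_scanner.exe` are assumed defaults, and the threshold and window are tuning values, not figures from the post.

```python
"""Detect RDP brute-force and known scanner execution in Windows Security events.

Added example for the PYSA intrusion chain described in the post; the events
below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields.
# 4625 = failed logon, 4624 = successful logon, 4688 = process creation.
# logon_type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"time": "2021-03-16T02:14:05", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-03-16T02:14:09", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-03-16T02:14:13", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-03-16T02:14:18", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-03-16T02:14:22", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-03-16T02:14:27", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-03-16T02:15:40", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    # Discovery tooling run from the compromised account shortly afterwards.
    {"time": "2021-03-16T02:31:02", "id": 4688, "host": "FS01", "user": "administrator",
     "new_process": r"C:\Users\administrator\Downloads\advanced_port_scanner.exe"},
    # Benign noise: one mistyped password, then a normal login and a normal process.
    {"time": "2021-03-16T08:01:10", "id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith"},
    {"time": "2021-03-16T08:01:25", "id": 4624, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith"},
    {"time": "2021-03-16T09:10:00", "id": 4688, "host": "WS22", "user": "jsmith",
     "new_process": r"C:\Windows\System32\notepad.exe"},
]

RDP_FAIL_THRESHOLD = 5            # tuning value (assumed), not from the post
RDP_WINDOW = timedelta(minutes=10)  # tuning value (assumed), not from the post
# Assumed default binary names for the two scanners named in the post.
SCANNER_NAMES = {"advanced_port_scanner.exe", "advanced_ip_scanner.exe"}


def detect_rdp_bruteforce(events, threshold=RDP_FAIL_THRESHOLD, window=RDP_WINDOW):
    """Return one alert per source IP whose successful RDP logon was preceded by
    at least `threshold` failed RDP logons within `window`."""
    fails = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != 10:  # only RDP logons are of interest here
            continue
        t = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        if ev["id"] == 4625:
            # Record the failure and drop any failures older than the window.
            fails[ip] = [f for f in fails[ip] if t - f <= window] + [t]
        elif ev["id"] == 4624:
            recent = [f for f in fails[ip] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": ip, "user": ev["user"],
                               "failures": len(recent), "success_at": ev["time"]})
            fails[ip] = []  # a success resets the counter for that source
    return alerts


def detect_scanner_execution(events, names=SCANNER_NAMES):
    """Return process-creation events whose image name matches a known scanner."""
    hits = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        exe = ev["new_process"].rsplit("\\", 1)[-1].lower()
        if exe in names:
            hits.append({"time": ev["time"], "host": ev["host"],
                         "user": ev["user"], "process": ev["new_process"]})
    return hits


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print("RDP brute-force followed by success:", a)
    for h in detect_scanner_execution(SAMPLE_EVENTS):
        print("Known scanner executed:", h)
```

Run against the sample, the script raises one brute-force alert for 203.0.113.7 (six failures in under a minute, then a success as `administrator`) and one scanner hit on FS01, while the single mistyped password from 198.51.100.4 and the notepad launch stay silent. In production the same logic would consume exported 4625/4624/4688 events, and the scanner list would be extended with whatever other tooling the incident responders have seen.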

In previous attacks the operators stole employee records, including personally identifiable information (PII) and payroll data. Once encryption completes, a ransom note is left on the victim's screen explaining how the files can be decrypted if the ransom is paid and how to contact the attackers. If the ransom is not paid, the attackers threaten to publish the stolen data on underground forums.


Shahrain Coovadia

Shahrain Coovadia is a Cyber Security Consultant at Deloitte, South Africa. Prior to joining Deloitte she started a web-design studio, and worked at the University of Cape Town as a teaching facilitator. Shahrain graduated from the University of Cape Town with a Bachelor of Commerce Honours specialising in Information Systems. She currently facilitates web & database management for Ecommerce Forum South Africa (EFSA).

