Pysa Ransomware Gang Targeting Education Sector, Warns FBI

The FBI has issued an alert following a surge in Pysa ransomware attacks on K-12 schools and higher education institutions. The Pysa (Mespinoza) ransomware gang has recently conducted attacks in 12 U.S. states and the United Kingdom.

The ransomware was first identified in 2019, with the FBI aware of targeted Pysa ransomware attacks in the United States and foreign government entities, educational institutions, private companies, and the healthcare sector since March 2020.

The gang most commonly gains access to victims’ networks by compromising Remote Desktop Connection (RDP) credentials and through phishing emails. Once access to networks is gained, the attackers perform network reconnaissance using Advanced Port Scanner and Advanced IP Scanners, disables antivirus solutions on victims’ systems, and uses open-source tools such as Mimikatz, PowerShell Empire, and Koadic. The gang moves laterally within networks and gains access to all connected Windows and Linux devices, then exfiltrates data to the cloud storage site prior to the deployment of the ransomware payload.

The encryption prevents critical files, databases, applications, backups, and virtual machines from being accessed. While victims may be able to recover their files and systems from backups, the gang threatens to monetize all stolen data on the darknet if their ransom demand is ignored.

The FBI has provided Indicators of Compromise in its alert to help network defenders identify and block attacks in progress, and a list of recommended actions to prevent the threat actors from gaining access to networks.

These include creating backups and storing them on an air-gapped device, segmenting networks to hamper attempts at lateral movement, installing patches and software updates promptly, disabling unused RDP ports and monitoring remote access, implementing multi-factor authentication, providing end user security awareness training to help individuals identify ransomware and phishing emails, and ensuring a VPN is used for remote access.

The FBI Alert can be viewed here.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of