Client advisory: New ransomware variant affecting schools

Our incident response team has noticed the emergence of PYSA, a ransomware variant that is disproportionately affecting schools, colleges and universities.

Advisory, Fri, Oct 23, 2020

This cyber advisory was produced by CFC's in-house cyber incident response team. We would encourage all of our brokers to share the below information with policyholders. 

PYSA ransomware

First seen in December 2019, PYSA ransomware is a derivative of Mespinoza ransomware. One of its defining characteristics is that it exfiltrates data prior to encryption. This means that if a victim's systems are encrypted and they choose not to pay the ransom demand, they risk having the exfiltrated data, which is often sensitive in nature, published or shared, leading to a range of privacy concerns and costs.

Over the course of 2020, ransomware variants that use this tactic to pressure victims into paying have become mainstream. However, cybercriminals appear to be using PYSA specifically to target organizations in the education sector, including schools, colleges and universities.

What policyholders can do to protect themselves

We are using this opportunity to encourage our insureds to review their cybersecurity practices to protect themselves against ransomware more generally. Here are a few things they can do: 

  • Regularly back up your data, verify that the backups can actually be restored, and keep them offline or otherwise disconnected from the networks and computers they protect. If you use cloud-based backups, use a service designed for that purpose and make sure the most recent backups cannot be immediately deleted (for example by enforcing a retention period or immutability), so that an attacker who gains control of the account cannot destroy them along with the live data.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
  • Ensure all operating systems and software applications are kept up-to-date and, where possible, have this done automatically.
  • Block macro scripts in Office files transmitted via email.
  • Employ best practices for RDP: audit your network for systems that have RDP enabled, disable it where it is not needed, do not expose it directly to the internet (place it behind a VPN or gateway instead), require two-factor authentication wherever possible, and log RDP login attempts so that brute-force activity can be spotted.
  • Implement multi-factor authentication (MFA) on all remote access points into the network.
  • Enforce a robust password policy requiring a minimum of 15 characters (mixing character types and allowing spaces), since longer passwords take longer to crack. Consider a mandatory lockout after 5 failed attempts, and ideally provide users with a password manager.
  • Ensure your users receive awareness training to decrease vulnerability to targeted attacks.
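The RDP recommendations above (log RDP login attempts; consider a lockout after 5 failed attempts) are only useful if someone looks at the resulting logs. The script below is an added example written for this advisory, not code from CFC or from any published PYSA analysis. It reads Windows Security log events exported as one JSON object per line (the export format is an assumption; the sample events are constructed and use documentation IP ranges) and flags any source address that produced 5 or more failed RDP logons within 5 minutes, noting whether an RDP logon later succeeded from the same address, which is the pattern an RDP brute-force intrusion leaves behind. The event IDs and logon type are fixed by Windows: 4625 is a failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) is a Remote Desktop session.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log constants (fixed by Windows, not assumed).
FAILED_LOGON = 4625       # "An account failed to log on"
SUCCESSFUL_LOGON = 4624   # "An account was successfully logged on"
RDP_LOGON_TYPE = 10       # RemoteInteractive, i.e. a Remote Desktop session

# Constructed sample export (not real incident data). One JSON object per line
# using the Security log field names; the export format itself is an assumption,
# so adapt parse_events() to whatever your SIEM or Get-WinEvent export produces.
SAMPLE_EVENTS = """\
{"TimeCreated": "2020-10-22T02:14:01Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"}
{"TimeCreated": "2020-10-22T02:14:09Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "admin"}
{"TimeCreated": "2020-10-22T02:14:17Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "jsmith"}
{"TimeCreated": "2020-10-22T02:14:25Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "backup"}
{"TimeCreated": "2020-10-22T02:14:33Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"}
{"TimeCreated": "2020-10-22T02:14:41Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"}
{"TimeCreated": "2020-10-22T02:15:30Z", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"}
{"TimeCreated": "2020-10-22T02:20:00Z", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "jdoe"}
{"TimeCreated": "2020-10-22T02:21:00Z", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "jdoe"}
{"TimeCreated": "2020-10-22T02:22:00Z", "EventID": 4625, "LogonType": 2, "IpAddress": "-", "TargetUserName": "mteacher"}
{"TimeCreated": "2020-10-22T02:25:00Z", "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "helpdesk"}
"""


def parse_events(text):
    """Parse one JSON event per line into dicts, adding a datetime 'time' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source address that produced
    `threshold` or more failed RDP logons inside any `window`, and record the
    first RDP logon that succeeded from that address after the burst."""
    failures = defaultdict(list)   # ip -> [(time, targeted user), ...] for failed RDP logons
    alerted = {}                   # ip -> time at which the threshold was first crossed
    success_after = {}             # ip -> (user, time) of first success after the alert
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue               # console, service and network logons are out of scope here
        ip, user, t = ev.get("IpAddress", "-"), ev.get("TargetUserName", "?"), ev["time"]
        if ev["EventID"] == FAILED_LOGON:
            failures[ip].append((t, user))
            # Count only failures that fall inside the sliding window ending at this event.
            in_window = [ft for ft, _ in failures[ip] if t - ft <= window]
            if len(in_window) >= threshold and ip not in alerted:
                alerted[ip] = t
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in alerted and ip not in success_after:
            success_after[ip] = (user, t)   # the burst was followed by a working logon
    alerts = {}
    for ip, crossed_at in alerted.items():
        times = [ft for ft, _ in failures[ip]]
        alerts[ip] = {
            "failures": len(failures[ip]),
            "first_seen": min(times),
            "last_seen": max(times),
            "threshold_crossed_at": crossed_at,
            "users_targeted": sorted({u for _, u in failures[ip]}),
            "success_after_burst": success_after.get(ip),   # None if no later success
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {alert['failures']} failed RDP logons against "
              f"{', '.join(alert['users_targeted'])}; threshold crossed at "
              f"{alert['threshold_crossed_at']:%H:%M:%S}")
        if alert["success_after_burst"]:
            user, when = alert["success_after_burst"]
            print(f"  successful RDP logon as '{user}' at {when:%H:%M:%S} after the burst: treat as compromised")
```

On the sample data only 203.0.113.45 is flagged: six failures across four usernames, the threshold crossed at the fifth attempt, and a successful logon as "administrator" a minute later. The two failures from 198.51.100.7 stay below the threshold, and the console logon failure (logon type 2) is ignored because it is not RDP. A "success after burst" alert is the one to escalate immediately, since it means the brute force worked and the attacker now has an interactive session.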

Want more information? 

Mitigation recommendations for malware and ransomware from the UK National Cyber Security Centre can be found here.

A technical report that includes indicators of compromise relating to Mespinoza/PYSA, which may be of interest to IT teams, can be found here.