You have /5 articles left.
Sign up for a free account or log in.

A group of cybercriminals is increasingly targeting colleges, schools and seminaries and attempting to extort them, the FBI’s Cyber Division has warned.

In an advisory to cybersecurity professionals and system administrators published Tuesday, the FBI said that criminals are leveraging software called PYSA ransomware to access IT networks, block access to vital information and systems through encryption, and demand payment to restore access.

In a double-extortion tactic that has also been employed by criminals using other types of ransomware, the criminals are not only requesting payment in exchange for making encrypted data accessible again. They are also threatening to sell sensitive information such as Social Security numbers on the dark web if institutions or affected individuals do not meet demands.

PYSA ransomware, also known as Mespinoza, has recently been used in attacks on educational institutions in 12 U.S. states and the United Kingdom, the FBI reported. The agency became aware of PYSA in March 2020. In addition to educational institutions, the ransomware has been involved in attacks on government entities, private companies and the health-care sector. The criminals behind PYSA ransomware have not been identified.

The FBI said that the criminals often gain access to IT networks through phishing emails or stolen log-in credentials. Files ending in the .pysa extension are characteristic of a compromise, the agency said. It also provided a long list of email addresses associated with ransom demands.

To make it more difficult for criminals to gain access, the FBI advises that institutions use multifactor authentication, regularly patch software and systems, encourage users not to use public Wi-Fi networks, and train employees and staff members on ransomware and phishing scams.

“The FBI does not encourage paying ransoms,” the advisory said. “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

The FBI encourages any institution to report suspected ransomware attacks or attempts to its local FBI field office or the FBI’s Internet Crime Complaint Center.

A list of domains the FBI said are associated with the ransom notes follows: