FBI Warns of PYSA Ransomware Attacks on Education Institutions in US, UK

An alert issued on Tuesday by the FBI warns about an increase in PYSA ransomware attacks on education institutions in the United States and the United Kingdom.

Last year, authorities in the UK and France also issued alerts for the PYSA ransomware, following attacks on government and other types of organizations.

According to the FBI, PYSA attacks have been launched by “unidentified cyber actors” against higher education, K-12 schools and seminaries in a dozen U.S. states, as well as the U.K.

The threat actors behind PYSA attacks are known to encrypt data on compromised systems, but they also steal information from victims and threaten to leak it in an effort to increase their chances of getting paid.

PYSA, also known as Mespinoza, has been around since at least October 2019 and the FBI has been tracking it since March 2020. PYSA ransomware attacks have been observed against government organizations, educational institutions, the healthcare sector and private businesses.

The threat actors often use phishing and RDP attacks for initial access to targeted networks, and then use tools such as Advanced Port/IP Scanner, PowerShell Empire, Mimikatz and Koadic to gain further access.

After exfiltrating potentially valuable files from the victim’s network — this often includes employment records and financial information — the cybercriminals start encrypting files on Windows and Linux devices.

The FBI’s alert contains some technical information on these attacks, as well as indicators of compromise (IoC). The agency has advised organizations not to pay up, but noted that it “understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.”

Victims of PYSA ransomware attacks have been advised to file a report with the FBI.

“Educational institutions are big targets for hackers as thousands of people’s sensitive information is potentially involved, and the substantial shift towards e-learning has made them even more appealing to hackers and ransomware,” James Carder, CSO at LogRhythm, told SecurityWeek. “These attacks on schools can bring education to a halt while potentially exposing every student and teacher’s personal data within the organization. Parents are also targets and may be coerced into paying ransom for personal information or school assignments if information falls into bad actors’ hands.”

“This FBI warning is an important reminder that educational institutions need to take a proactive approach and invest in cybersecurity solutions that detect malicious behavior and enable network infrastructure to block any further access attempts. Institutions should patch aggressively, create backups, prepare a response plan, and prioritize educational training to ensure they are equipped to handle attacks and proceed without disruption,” Carder added.

Over the past year, the FBI issued advisories to warn organizations about attacks involving DoppelPaymer, NetWalker and Egregor ransomware.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
