PYSA ransomware, a variant of Mespinoza ransomware, has been actively targeting the education sector in the past months. According to the FBI, ransomware, malware and DDoS attacks have compromised a number of critical sectors, yet educational institutions in the US and the UK seem to be the preferred target for now.

Has online learning triggered an increase in ransomware attacks? The COVID-19 pandemic, remote work and implicitly online learning have likely contributed to expanding the existing threat landscape. While ransomware has long been a challenge for higher education, the FBI now warns the ransomware group is also going after K-12 and seminaries.

Whether it’s students trying to get online to participate in lectures and exams, or members of academia adjusting to home offices and Zoom calls, higher education may not have been properly prepared for full-time remote learning.

These attacks are not random and did not all of a sudden start targeting the education sector. Some may not remember, but last year the University of Utah ended up paying half a million dollars in cryptocurrency to regain access to its data. Even though the FBI and security experts advise against paying the ransom, some victims choose to go against this advice, hoping nobody will find out.

Now the problem with double extortion, as is the case with the PYSA ransomware gang, is not necessarily that they encrypt your system and block access to data, but that they publish the information on their leak site to sell it. Some mistakenly believe that if they pay for a decryption key, they are saved, but there is really no guarantee that the group will refrain from selling the information. Not only will the group feel empowered that their attacks can bring profit, but they may use the money to finance other illicit activities.

Short for “Protect Your System Amigo,” PYSA ransomware emerged some time in October 2019, and it is often used as a Ransomware-as-a-Service tool. Ransomware-as-a-Service has turned into a money-making business model because it allows malicious actors who lack technical skills or expertise to rent or purchase different malware kits to launch attacks.

In our research, we have also identified double extortion ransomware groups that operate similar to legitimate businesses by incorporating various price packages for ransomware-as-a-service tools. For encryption, PYSA ransomware uses Advanced Encryption Standard (AES) with RSA-encrypted keys.

Ransomware leak sites are updated with stolen data almost on a daily basis. If your institution has been hit with ransomware, reach out to law enforcement immediately. Even if you have cyber insurance or are considering paying the criminals to regain access to your data, you should still contact law enforcement. However, if you do choose to pay the ransom, be aware that there is still a chance that you will not be able to regain access because malicious actors might not live up to their word.

Ransomware incidents are likely to increase, so it is good to be prepared. To prevent reputation damage and to identify if any critical data has been published online, spend some time monitoring your digital footprint and invest in awareness and training for your team.