The following security alert was released on April 13 by the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), the state agency responsible for cybersecurity information sharing, threat intelligence, and incident reporting.
Over the past year, the education sector has been heavily targeted by ransomware activity as the need for schools to maintain online services became more vital than ever. The NJCCIC observed a recent increase in ransomware activity targeting New Jersey K-12 school districts and educational institutions consistent with open-source reporting.
The education sector is frequently targeted by ransomware attacks during long weekends, holiday breaks, or just prior to busy periods, such as the beginning of the school year and preceding the end of a marking period when final grades are due. Ransomware may lie dormant for months while the threat actors conduct reconnaissance, move laterally within the network, and exfiltrate or steal data, while waiting for the best time to attack.
Top ransomware attack vectors include phishing emails, exploitation of software vulnerabilities, and internet-accessible remote services such as Remote Desktop Protocol (RDP). Even remote connections requiring authentication are a potential attack vector when multi-factor authentication (MFA) is not enabled. Passwords are frequently exposed via various data breaches and subsequently made public online for use by threat actors in ransomware attacks and other cybercrime activity.
The most prolific variant behind these recent attacks is PYSA ransomware, also known as Mespinoza. The Federal Bureau of Investigation (FBI) released Flash Alert CP-000142-MW on March 16, 2021, highlighting recent spikes in PYSA ransomware activity. PYSA is offered as a ransomware-as-a-service (RaaS), in which developers lease the variant to other threat actors for use in their attacks. The most common PYSA infection vector is unauthorized access via unsecured RDP ports, though phishing emails and brute-force attacks may be additional infection vectors. PYSA uses open-source tools, such as PowerShell and Mimikatz, and is capable of encrypting backups. The threat actors apply traditional pressure on victims by threatening to publicly release exfiltrated data if the ransom is not paid.
Another prolific ransomware variant targeting the education sector is Ryuk. Ryuk ransomware is also offered as a RaaS and often gains access to a targeted network through phishing emails or publicly accessible RDP ports. Threat actors then use malware, such as TrickBot, to steal credentials and elevate privileges. Ryuk developers recently deployed a new “living off the land” technique – a fileless malware attack that gains additional access by utilizing tools found on the targeted system. Additionally, Ryuk is now capable of self-replicating for lateral movement across targeted networks.
The FBI and the NJCCIC discourage paying ransoms as this perpetuates attacks and does not guarantee recovery of data. While hackers often provide decryption keys, stolen data may be exposed, and threat actors may attempt to encrypt systems again in future attacks. We recommend reimaging and restoring from valid backups after ensuring backups are free of the infection. There are no decryption tools available for PYSA or Ryuk at this time. As ransomware variants continue to become more sophisticated, decryption tools are unlikely to be readily available to assist victims.
The NJCCIC recommends education sector administrators enable the following mitigation recommendations:
- Perform scheduled backups regularly, keeping an updated and tested copy offline and in a separate, secure location in case of a natural disaster or in case online backups become encrypted.
- Keep hardware and software up to date and apply patches as they become available.
- Enable multi-factor authentication (MFA), also known as 2FA, where available – particularly for access to administrative and privileged accounts.
- Avoid making RDP ports publicly accessible if possible, and consider disabling these ports if not in use.
- Disable or limit macro usage on Microsoft Office software.
- Follow the Principle of Least Privilege for all user accounts and enable User Account Control (UAC) to prevent unauthorized changes to user privileges. Additionally, consider disabling NTLM if still in use.
- Segment networks to avoid full compromise in the event of an attack.
- Establish a cyber incident recovery plan and exercise the plan at documented intervals.
- Enforce good cyber hygiene, and educate students and staff regarding the identification of social engineering tactics such as phishing.
- Enable strong endpoint security and ensure both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are configured to detect these and other variants.
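The following PowerShell audit script is an added example, not part of the NJCCIC alert, that reads the Windows registry settings behind several of the mitigations above (RDP exposure, Network Level Authentication, UAC, NTLM restriction, Office macros) and flags any that are not in the recommended state. It assumes an elevated session on a Windows host with Office 2016 or later; the target values are assumptions taken from common hardening baselines, not from the alert.

```powershell
# Added audit script (not from the NJCCIC alert). Reports which of the registry
# settings behind the mitigations above are not yet in the recommended state.
# Run in an elevated PowerShell session. "Want" values are assumed baselines.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent; reported as "not set" below
}

$checks = @(
    # RDP: fDenyTSConnections=1 means Remote Desktop is disabled entirely.
    @{ Name = 'RDP disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Want = 1 },
    # If RDP must stay on, require Network Level Authentication before a session exists.
    @{ Name = 'RDP requires Network Level Authentication'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'UserAuthentication'; Want = 1 },
    # UAC: EnableLUA=1 keeps admin tokens filtered until elevation is approved.
    @{ Name = 'User Account Control enabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Want = 1 },
    # NTLM: LmCompatibilityLevel=5 accepts NTLMv2 only and refuses LM and NTLMv1.
    @{ Name = 'LM/NTLMv1 refused (LmCompatibilityLevel=5)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Want = 5 },
    # Full NTLM removal: RestrictReceivingNTLMTraffic=2 denies all inbound NTLM.
    # Test this one carefully; legacy services often still depend on NTLM.
    @{ Name = 'Inbound NTLM denied (RestrictReceivingNTLMTraffic=2)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictReceivingNTLMTraffic'; Want = 2 },
    # Office macros (policy hive, Word 16.0): VBAWarnings=4 disables all macros silently.
    @{ Name = 'Word macros disabled by policy'
       Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
       Value = 'VBAWarnings'; Want = 4 }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check  = $c.Name
        Actual = if ($null -eq $actual) { 'not set' } else { $actual }
        Want   = $c.Want
        Status = if ($actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
    }
}

$results | Format-Table -AutoSize
```

Whether TCP 3389 is actually reachable from the internet is a perimeter firewall question this script cannot answer; pair it with a review of edge firewall rules and the host's own `Get-NetFirewallRule` entries for Remote Desktop.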
Additional Resources

PYSA indicators of compromise (IOCs) can be found in the FBI Flash Alert, and Ryuk IOCs can be found in the AlienVault post. The NJCCIC provides additional recommendations in our Technical Guide, Ransomware: Risk Mitigation Strategies, and our post, Ransomware: The Current Threat Landscape. Incidents may be reported to local police departments, the FBI, and the NJCCIC.
Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form.