PYSA Ransomware Operators Targeting Healthcare, Education and Government Institutions, FBI Warns

The Federal Bureau of Investigation has issued a flash alert warning of an increase in PYSA ransomware attacks targeting government entities, educational institutions, private companies and the healthcare sector in the US and the UK.

PYSA, also known as Mespinoza, is capable of exfiltrating and encrypting critical files and data, with the criminals specifically targeting higher education, K-12 schools and seminaries, the bureau warns.

“These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments,” according to the advisory.

The FBI has been tracking PYSA ransomware attacks “by unidentified cyber actors” against US and foreign government entities, educational institutions, private companies and the healthcare sector for over a year.

The group typically gains access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing emails, the FBI notes. The cyber actors conduct network reconnaissance and execute commands to deactivate antivirus capabilities on targeted systems before deploying the ransomware.

“The cyber actors then exfiltrate files from the victim’s network, sometimes using the free opensource tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users,” according to the advisory.

The document describes various indicators of compromise and offers a list of flagged domains associated with this malicious activity.

The notice also includes mitigation steps like:

  • Regularly back up data, air gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released. Use multifactor authentication where possible.

… and others.

In typical fashion, the FBI does not encourage paying ransom, as “payment does not guarantee files will be recovered [and] may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

However, the bureau says it “understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.”

Whatever victims choose to do, the FBI urges them to report ransomware attacks to their local field office or the FBI’s Internet Crime Complaint Center (IC3) at

“Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law,” the agency notes.