Sierra College Memo


EXECUTIVE OVERVIEW

CALIFORNIA CYBERSECURITY INTEGRATION CENTER

SITUATION REPORT TLP: GREEN


21 May 2021

California College Experienced PYSA Ransomware Attack

Executive Summary

On 19 May 2021, a California-based college suffered a PYSA ransomware attack that encrypted servers
and impacted the college’s main website. The victim engaged external support from an incident
response firm. The Cal-CSIC assesses with high confidence that higher education institutions will
continue to experience targeting by ransomware operators, including schools that lack resources and
funding. Ransomware attacks on education sector entities have increased in frequency during the
COVID-19 pandemic, in part due to increased use of virtual technologies for operational continuity. 1

PYSA Ransomware
PYSA ransomware, a variant of Mespinoza ransomware, was first observed in December 2019. PYSA
stands for “Protect Your System Amigo,” and operates as a Ransomware-as-a-Service (RaaS) variant, a
business model in which the ransomware developers work with affiliates who conduct the actual attacks
and both groups share the proceeds. PYSA operators gain initial access through phishing emails, brute
force attacks against Active Directory accounts and management consoles, or Remote Desktop Protocol
(RDP) connections. Once PYSA operators have accessed a victim network, the threat actors use
commercially available tools to conduct reconnaissance and move laterally, including Advanced IP
Scanner, Advanced Port Scanner, and PsExec. 2 PYSA operators will seek to exfiltrate critical files such as
personally identifiable information (PII) or payroll data, sometimes through the use of open-source tools
like WinSCP. Stolen data is then used to conduct double extortion, a pressure-to-pay technique in which
a victim is threatened with a data leak if they refuse to pay the ransom.
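The initial-access and lateral-movement tradecraft described above leaves recognisable traces in Windows event logs, which is where a college's security team can look for it. The following is an added example and is not part of the Cal-CSIC report or the FBI Flash it references: a small Python detector run over constructed sample events (the key=value line format, host names, addresses and user names are all invented for the example and are not the native EVTX schema). It flags bursts of failed logons (Security Event ID 4625) from one source address, a later successful logon (4624) from the same source, and service installations (System Event ID 7045) whose service name matches PsExec's default, PSEXESVC.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line as simplified key=value pairs;
# this is not the native EVTX schema. Security log: 4625 = failed logon, 4624 = successful
# logon, logon_type 10 = RemoteInteractive (RDP). System log: 7045 = a service was installed.
SAMPLE_EVENTS = """\
ts=2021-05-19T02:00:01 host=DC01 id=4625 src=203.0.113.7 user=jsmith logon_type=10
ts=2021-05-19T02:00:03 host=DC01 id=4625 src=203.0.113.7 user=jsmith logon_type=10
ts=2021-05-19T02:00:04 host=DC01 id=4625 src=203.0.113.7 user=admin logon_type=10
ts=2021-05-19T02:00:06 host=DC01 id=4625 src=203.0.113.7 user=admin logon_type=10
ts=2021-05-19T02:00:09 host=DC01 id=4625 src=203.0.113.7 user=admin logon_type=10
ts=2021-05-19T02:00:11 host=DC01 id=4625 src=203.0.113.7 user=admin logon_type=10
ts=2021-05-19T02:00:40 host=DC01 id=4624 src=203.0.113.7 user=admin logon_type=10
ts=2021-05-19T02:15:00 host=FS01 id=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe
ts=2021-05-19T08:30:00 host=DC01 id=4625 src=192.0.2.15 user=mlee logon_type=10
ts=2021-05-19T09:05:00 host=WS22 id=7045 service=VendorAgent image=C:\\Vendor\\agent.exe
"""


def parse_events(text):
    """Parse key=value lines into dicts; the 'ts' field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Map source address -> largest number of 4625 events seen inside one sliding
    window, for sources that reached `threshold` failures within `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == "4625":
            failures[e["src"]].append(e["ts"])
    hits = {}
    for src, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def successful_after_bruteforce(events, hits):
    """Sources from `hits` that logged on successfully (4624) after their last failure:
    the burst most likely found a valid password and the account needs resetting."""
    compromised = set()
    for src in hits:
        last_fail = max(e["ts"] for e in events if e["id"] == "4625" and e["src"] == src)
        if any(e["id"] == "4624" and e["src"] == src and e["ts"] > last_fail for e in events):
            compromised.add(src)
    return compromised


def detect_psexec(events):
    """(host, image) for 7045 service installs that use PsExec's default service name."""
    return [(e["host"], e.get("image", "")) for e in events
            if e["id"] == "7045" and e.get("service", "").upper() == "PSEXESVC"]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    hits = detect_bruteforce(evts)
    print("brute-force sources:", hits)
    print("successful logon after burst:", successful_after_bruteforce(evts, hits))
    print("PsExec service installs:", detect_psexec(evts))
```

The threshold and window are starting points, not tuned values; a college with many remote users will need to baseline normal failed-logon rates first (the report's "baseline network activity" recommendation) so that forgotten passwords do not drown out real sprays. A renamed PsExec service defeats the name match, so the 7045 rule is best paired with allow listing of which accounts may install services at all.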

Since March 2021, the FBI has seen an increase in PYSA ransomware operators targeting educational
institutions worldwide. 3 The Cal-CSIC recommends entities reference the accompanying FBI Flash
Report “Increase in PYSA Ransomware Targeting Education Institutions (CP-000142-MW)” for
additional mitigation information and indicators of compromise (IOCs) relating to PYSA Ransomware.

• On 25 February 2021, Affton School District was targeted by PYSA ransomware, which impacted
school networks, phones, and internet access for all schools in the district.4,5
• On 17 March 2021, Millersville University experienced a PYSA ransomware attack that impacted
their school network. The incident resulted in virtual and in-person classes being cancelled, and
online school resources going offline. 6,7
• On 05 November 2020, Affinity Education was likely targeted by a PYSA ransomware attack. 8,9

CAL-CSIC-202105-005
WARNING: This document is the exclusive property of the California Cybersecurity Integration Center (CAL-CSIC) and abides by Traffic Light Protocol
(TLP) standards for distribution purposes. It may contain information exempt from public release under the California Public Records Act (Govt. Code Sec. 6250, et seq.). Recipients must
control, store, handle, transmit, distribute and dispose of this product in accordance with the TLP standard relating to shared intelligence. Do not release to the public, media, or other
personnel who do not have a valid need-to-know without prior approval of an authorized CAL-CSIC official.
TLP: GREEN

Image 1: PYSA shame site; Source: Malwarebytes, https://blog.malwarebytes.com/threat-spotlight/2021/03/pysa-the-ransomware-attacking-schools/

Mitigation Recommendations
PYSA ransomware is not the only ransomware variant targeting educational entities. To prevent and
detect malicious cyber activity including ransomware, the Cal-CSIC recommends following nationally
recognized cyber security standards such as the National Institute of Standards and Technology’s
Cybersecurity Framework. 10 Organizations should work from the assumption that some type of cyber
breach is inevitable and practice general preparedness such as maintaining offline, encrypted backups of
crucial systems/data and establishing a cyber incident response plan. Additionally, the Cal-CSIC
recommends implementing the following general mitigation strategies and referring to the
Cybersecurity and Infrastructure Security Agency (CISA) ransomware hub for additional resources
(www.cisa.gov/ransomware):

• Conduct regular phishing training and testing among all levels of staff

• Employ Multi-Factor Authentication (MFA) for all services to the extent possible


• Apply the principle of least privilege to all systems and services

• Identify organizational crown jewels: what information or technologies are most critical?

• Consider purchasing cyber insurance (individually or as a cooperative) to reduce risk

• Configure Microsoft Office macro settings to only allow macros executed from trusted locations

• Consider blocking email attachments commonly associated with malware (e.g., .dll and .exe)

• Consider blocking email attachments that antivirus software is unable to scan (e.g., .zip files)

• Implement Group Policy Objects and firewall rules

• Implement a Domain-Based Message Authentication, Reporting and Conformance (DMARC) validation
system

• Develop and regularly update a comprehensive network diagram

• Develop an asset management approach that includes both logical and physical assets

• Employ logical or physical means of network segmentation to separate business units or departmental
IT resources within an organization and maintain separation between IT and operational technology

• Restrict PowerShell usage to specific users on a case-by-case basis

• Retain and adequately secure logs from both network devices and local hosts

• Baseline network activity to distinguish legitimate activity from anomalous activity

• Keep antivirus and anti-malware software/signatures up to date and enable automatic updates

• Consider implementing an intrusion detection system (IDS) to detect potentially malicious network
activity

• Use application directory allow listing on all assets to ensure unauthorized software is blocked from
executing

• Conduct regular vulnerability scanning

• Establish a regular patch implementation plan strategically based on severity and likelihood of
exploitation

• Employ best practices for use of RDP and other remote desktop services


• Disable or block Server Message Block (SMB) protocol outbound and remove/disable outdated
versions of SMB
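Of the recommendations above, DMARC is the one most often "implemented" in name only: a record is published, but with a policy of none and nobody reading the reports, so spoofed mail from the college's own domain is still delivered. The following is an added example, not code from the Cal-CSIC report or from CISA: a Python parser for DMARC TXT records that applies the RFC 7489 tag defaults and then grades a record against a few enforcement checks of the example's own devising. The sample records are constructed and use the reserved example.org domain; a real deployment would fetch the TXT record at _dmarc.<domain> and feed it to the same functions.

```python
# Constructed sample records (example.org is a reserved documentation domain).
SAMPLE_RECORDS = {
    "enforcing":  "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial":    "v=DMARC1; p=quarantine; pct=25",
    "missing_p":  "v=DMARC1; rua=mailto:dmarc@example.org",
    "not_dmarc":  "v=spf1 -all",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict, applying RFC 7489 defaults and
    raising ValueError for records a receiver would not treat as DMARC."""
    parts = [p.strip() for p in record.strip().split(";")]
    parts = [p for p in parts if p]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("not a DMARC record: the first tag must be v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("p") not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: with no valid p tag, a receiver acts as if p=none was
        # published when rua holds at least one mailto URI, and ignores the record otherwise.
        rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
        if any(u.lower().startswith("mailto:") for u in rua):
            tags["p"] = "none"
        else:
            raise ValueError("no valid p tag and no rua reporting address")
    pct = tags.setdefault("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"invalid pct: {pct!r}")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the domain policy
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment is the default
    return tags


def grade_dmarc(record):
    """Return (policy, findings); findings lists the ways the record falls short of
    enforcement. These grading rules are the example's own, not from the report."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: receivers only report; spoofed mail is neither quarantined nor rejected")
    elif tags["sp"] == "none":
        findings.append("sp=none: mail spoofing subdomains is left unprotected")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: the policy applies to only that share of failing messages")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected, so abuse goes unseen")
    return tags["p"], findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        try:
            print(name, grade_dmarc(record))
        except ValueError as err:
            print(name, "rejected:", err)
```

A record that grades with no findings still protects only the domains it is published for; every domain the college sends mail from, including those used purely for web forms or alerts, needs its own record, and the rua reports are what reveal which legitimate senders break once the policy moves from none to quarantine or reject.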

Organization, Source, Reference, and Dissemination Information

About the Cal-CSIC: California Government Code § 8586.5 established the California Cybersecurity Integration
Center (Cal-CSIC) as the central organizing hub of state government’s cybersecurity
activities, including information sharing, intelligence analysis, incident response, and
overarching cybersecurity strategy. The Cal-CSIC is responsible for reducing the likelihood
and severity of cyber incidents that could damage California’s economy, critical
infrastructure, and public or private sector networks in our state.

Customer Feedback: If you need further information about this issue contact the Cal-CSIC at our email address
CalCSIC@caloes.ca.gov or by telephone at (833) REPORT-1. To help us identify ways to
better assist you, please submit feedback here.

Source Summary Statement: This report was sourced primarily from open source website Urlscan[.]io. Urlscan[.]io is a
free service to safely scan and analyze websites.

Handling Caveats: Traffic Light Protocol (TLP): Recipients may share TLP:GREEN information with peers and
partner organizations within their sector or community, but not via publicly accessible
channels. Information in this category can be circulated widely within a particular
community. TLP:GREEN information may not be released outside of the community.

Information Needs: HSEC 1.1; HSEC 1.2; HSEC 1.5; HSEC 1.10; STAC KIQ 1.1; KIQ 1.2; KIQ 1.4

1. Online News Report; Government Technology; Brandon Paykamian; “‘Record-Breaking’ Cyber Attacks on Schools in 2020;” 26 March 2021; https://www.govtech.com/policy/2020-marks-a-record-breaking-year-for-cyber-attacks-against-schools.html.
2. Blog Post; Malwarebytes Labs; Jovi Umawing; “PYSA, the ransomware attacking schools;” 30 March 2021; https://blog.malwarebytes.com/threat-spotlight/2021/03/pysa-the-ransomware-attacking-schools/.


3. Flash Report; FBI; “Increase in PYSA Ransomware Targeting Education Institutions (CP-000142-MW);” 16 March 2021; https://www.ic3.gov/Media/News/2021/210316.pdf.
4. Online News Report; Fox 2 Now; “Ransomware attack: Network outage forces Affton School District to virtual learning Thursday;” 25 February 2021; https://fox2now.com/news/missouri/ransomware-attack-network-outage-forces-affton-school-district-to-virtual-learning-thursday/#:~:text=AFFTON%2C%20Mo.,across%20all%20of%20the%20schools.
5. Blog Post; Malwarebytes Labs; Jovi Umawing; “PYSA, the ransomware attacking schools;” 30 March 2021; https://blog.malwarebytes.com/threat-spotlight/2021/03/pysa-the-ransomware-attacking-schools/.
6. Online News Report; The Snapper; Jake Markoff; “Millersville fights back against a cyber attack;” 28 February 2021; http://thesnapper.millersville.edu/index.php/2021/03/17/millersville-fights-back-against-a-cyber-attack/.
7. Blog Post; Malwarebytes Labs; Jovi Umawing; “PYSA, the ransomware attacking schools;” 30 March 2021; https://blog.malwarebytes.com/threat-spotlight/2021/03/pysa-the-ransomware-attacking-schools/.
8. Blog Post; Malwarebytes Labs; Jovi Umawing; “PYSA, the ransomware attacking schools;” 30 March 2021; https://blog.malwarebytes.com/threat-spotlight/2021/03/pysa-the-ransomware-attacking-schools/.
9. Blog Post; Hack Notice; “Affinity Education;” 05 November 2021; https://app.hacknotice.com/#/hack/5ff5c9615a0d24c3ef4055f8.
10. Online Report; National Institute of Standards and Technology; “National Cybersecurity Framework;” https://www.nist.gov/cyberframework; accessed 7 October 2020.
