8 K-12 School Districts Infected With Pysa Ransomware

You are currently viewing 8 K-12 School Districts Infected With Pysa Ransomware

Pysa Ransomware, a variant of the Mespinoza ransomware family, has infected 8 k-12 school districts in the US. The attacks come after a March report by the Federal Bureau of Investigation’s Cyber Division which alerted schools of a possible ongoing campaign by Pysa Ransomware operators. Pysa Ransomware has also been found targeting government institutions, the educational and healthcare sectors, as well as private organizations, all over the US and the UK.

Ransomware attacks against the educational sector have been growing in number each year, however, this number increased greatly during the COVID-19 pandemic.

The sector is tempting for hackers as by in large, there is not a high priority put on cybersecurity defenses. This may be partly due to budget concerns. Furthers, the educational sector holds significant amounts of sensitive student and staff members’ information, which hackers can either sell of use in further attacks.

Lastly, students behavior on school computers and their own devices within the school is often high-risk, leading to exposure from malware and strains such as Pysa Ransomware. Due to the interconnected nature of a school network, infections can spread quickly between devices.

So far, eight K-12 American public school districts can be seen on the Pysa ransomware cybercriminals leak website.

These are:

  • Winters Independent School District (Texas)
  • Palos Community Consolidated School District 118 (Illinois)
  • Brookfield Public Schools (Connecticut)
  • Gering Public Schools (Nebraska)
  • Affton School District (Missouri)
  • Zionsville Community Schools (Indiana)
  • Logansport Community School Corporation (Indiana)
  • Sheldon ISD (Texas)

It is unknown what price the ransom demands were for each district, however, it has been confirmed that Sheldon ISD has paid the Pysa Ransomware gang for decryption.

Pysa Ransomware has also targeted the medical field lately, and since the start of the year more than 10 healthcare organizations have featured on the Pysa Ransomware Leak site.

Pysa Ransomware Analysis

Both the FBI and independent cybersecurity researchers have done extensive research into the PYSA Ransomware. Notably, Ransomware blogger Sapphire has provided most of the analysis reported here.

PYSA is written in C++, and uses a statically linked library (Crypto++) for its operations. The main structure and the functionalities can be summarized in activating a mutex, encrypting the filesystem, and storing the ransom note in the registry (for persistence of the note). Afterwards it deletes itself by dropping and executing a batch file.

e3da64fd9a0a585ebe00ac7f235104d6 creates the mutex object “Pysa” right after starting to ensure only one instance of the malware is running at one time. This was fundamental for the author to implement not only to avoid reinfecting a machine, which could end in a nonrecoverable host, but to avoid overlapping access to the resources needed to encrypt the files.

Pysa Ransomware

Once this step is completed, the malware spawns a new thread to start the encryption of the filesystem. This is done after initializing the cryptographic variables that the malware uses to encrypt the files.

The malware developers followed the traditional scheme of the embedded public to generate the rest of the keys on the fly. This way the files cannot be decrypted without the private key which is in possession of the attacker. Instead of fully relying on the Windows Crypto API to encrypt the files, Pysa Ransomware contains a statically linked library named Crypto++, a common and open source library for cryptography in C++ language.

Pysa Ransomware contains an embedded 4096-bit RSA key that is imported and used to encrypt additional keys.

Before starting encrypting the filesystem, the malware contains two lists: a whitelist and a blacklist of directories and files. This was implemented to avoid encrypting vital directories of the victim in order to allow the recovery with the attackers’ decryptor.

The following directories are part of the whitelist: Windows, Boot, Bootsect, pagefile, System Volume Information, bootmgr, Recovery and Microsoft. If the file is valid for encryption, the first step the malware takes is to rename the file with the extension .pysa. Files with this extension are excluded from encryption to allow its recovery.

Pysa Ransomware also checks if the encrypted drive is C. Below the encryption loop to check all the directories starting on “C:\” to scan all the files and folders available. The ransom note is printed to all the affected directories.


In their March report, the FBI listed a number of steps to protect not only against Pyra Ransomware, but against most cyberthreats. These include:

  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Consider installing and using a VPN.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities(i.e., ransomware and phishing scams).

Anti-virus, anti-malware, and VPNs are prime tools to protect against Ransomware and all Malware forms. There are a variety of different services an organization can use for this job. One of these services is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply