More stories

  • CyberCX uses local 2020 cyber victims list to light a fire under both Aussies and Kiwis

    Australia and New Zealand cyber megamix CyberCX is hoping to fill the gap left by global security firms, focusing locally to forge ahead with a more regionally appropriate response to countering cyber threats.

    In its Annual Threat Assessment report [PDF], CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, has offered a handful of recommendations for businesses operating in Australia and New Zealand, with the first, under the banner “strategic”, encouraging the development of an incident response plan.

    “The faster an organisation can detect and respond to an incident, the less likely the incident is to have a significant impact on data, customer trust, operations, reputation, and revenue,” it said.

    Although obvious, the report drums in the importance of educating and training staff on practices such as good cyber hygiene, creating a security culture, as well as creating and maintaining a consistent, up-to-date cybersecurity policy suite.

    CyberCX, backed by private equity firm BGH Capital, was formed a little over one year ago when it brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.

    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.

    Since launch, CyberCX has gone on an expansion spree, scooping up a number of local cybersecurity startups simultaneously. In its report, CyberCX encouraged the use of local cybersecurity firms.

    “Using Australian and New Zealand cybersecurity vendors drives innovation at home and boosts jobs in the local cybersecurity market. Local vendors offer cybersecurity solutions of global calibre and at the same time provide the added benefit of a local perspective,” it wrote. “Analysis tailored specifically to the Australia-New Zealand context is often missing from international vendors, many of which tend to be US-centric.”

    The next item on its checklist is “technical” and includes practices such as securing the attack surface, increasing network visibility, implementing end-point controls, adopting multi-factor authentication, and adopting the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.

    “Australian and New Zealand organisations remain attractive targets for a range of cyber threat actors,” MacGibbon added in his foreword. “Over the past year, we have seen prominent organisations and agencies suffer incidents, and cyber crime soar off the back of COVID-19 … the threat actors involved in these incidents have been both financially motivated cyber criminals and state-sponsored groups.”

    2020 victim list

    The report also details cyber incidents that occurred in the region in 2020. Here’s the timeline of some of the biggest incidents from Australia and New Zealand:

    In January, Australian logistics provider Toll Group was infected by Netwalker ransomware affecting its entire global infrastructure. In March, the Australian branch of car-auction house Manheim Auctions similarly fell victim to ransomware.

    Intrusion activity was targeted against COVID-19 research in Australian, US, UK, Spanish, South Korean, and Japanese laboratories in April, while Toll Group suffered its second ransomware incident, this time caused by the Nefilim malware.

    In May, Service NSW reported it was the victim of a phishing attack that compromised the information of 186,000 customers through the accessing of 47 staff email accounts. BlueScope Steel also experienced a ransomware incident triggering manual processes, but resulting in no material impact to operations. The same month, a man was prosecuted for carrying out DDoS attacks against two Australian retail and telecommunications entities in 2019.

    In June, food and beverage company Lion, with operations in Australia and New Zealand, suffered a ransomware incident, shutting down IT systems and causing disruption to suppliers and customers. Also in June, a spam campaign distributed the banking trojan RM3, targeting Australia-based financial institutions, and New Zealand whitegoods manufacturer Fisher & Paykel was struck by Nefilim ransomware, impacting its manufacturing and distribution operations.

    A research company in New Zealand experienced a privacy breach in July that compromised the contact details of people who had called the police.

    Australian provider Regis Healthcare in August suffered a Maze ransomware incident resulting in a breach of client data, while the New Zealand Stock Exchange (NZX) suffered sustained DDoS attacks impacting network connectivity and trading for four days.

    In September, a misconfiguration at the University of Tasmania caused personally identifiable information of 20,000 students to be leaked through SharePoint to the entire staff and student body, while ransomware operators exfiltrated 17GB of sensitive data from aged care provider Anglicare Sydney. MetService, the meteorological service of New Zealand, also experienced a DDoS attack in September, resulting in no notable loss of performance after all web traffic was redirected to a secured back-up site. French maritime shipping giant CMA CGM’s offices in China were also hit by Ragnar Locker ransomware, causing significant shipping delays in Australia.

    Australian media-monitoring company Isentia disclosed a ransomware intrusion in October that reportedly cost at least AU$7 million. Facilities service provider Spotless also experienced a ransomware incident during merger and acquisition activity by Downer, while an Australian gas producer, retailer, and distributor disclosed that it had recently discovered a data breach that occurred in 2014 on a third-party software system.

    Law In Order, an Australian supplier of document and digital services to law firms, suffered a Netwalker ransomware incident a month later in November; at the same time, Nexia, a network of solutions-focused accountancy and consultancy firms in Australia and New Zealand, suffered a REvil ransomware incident.

    Ending the year, New Zealand-based financial services firm Staircase suffered a Netwalker ransomware incident in December, which saw personal information belonging to its clients published on multiple dark web forums after the company failed to pay the ransom within the designated timeframe. A breach of 2.6 million email addresses and hashed passwords from Nitro PDF then exposed 4,000 .nz email addresses. The effects of one of the largest supply chain attacks in history were felt by Aussies and Kiwis, respectively, with SolarWinds customers including entities in the government, technology, healthcare, research, and extractive sectors in North America, Europe, Asia, and the Middle East. Lastly, multiple Australian and New Zealand organisations were compromised through an exploit of Accellion File Transfer Appliance software. Transport for New South Wales (TfNSW) confirmed being affected, as did the Australian Securities and Investments Commission (ASIC) and the Reserve Bank of New Zealand.

  • Eastern Health cyber 'incident' cancels some surgeries across Melbourne

    Some surgeries have been cancelled at Eastern Health facilities in Victoria, following a “cyber incident” experienced late Tuesday.

    Eastern Health operates the Angliss, Box Hill, Healesville, and Maroondah hospitals, and has many more facilities under management. In a statement, Eastern Health said it took many of its systems offline in response to the incident.

    “Many Eastern Health IT systems have been taken off-line as a precaution while we seek to understand and rectify the situation,” it said. “It is important to note, patient safety has not been compromised.”

    Eastern Health said Category 1 Elective Surgery will continue as planned; however, the incident has impacted its ability to undertake less urgent — Category 2 and 3 — Elective Procedures.

    Data breach notification to the Office of the Australian Information Commissioner became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.

    Since the mandate, health has been the most affected sector. The latest NDB report shows no change, with health accounting for 123 of the total 519 notifications in the six months to December 2020.

  • Health Minister says vaccine booking system ‘glitches’ were just day one rush

    The federal government’s COVID-19 vaccine booking service was on Wednesday inundated with people trying to secure their dose, with the Department of Health’s eligibility tool suffering “problems”.

    According to Minister for Health Greg Hunt, day one was always going to be busy.

    “The eligibility checker had approximately 243,000 people on health.gov.au, check their eligibility. We had a 98% connection rate, on the advice that we’ve received from the booking engine. And then what happens is that you approach your GP, in the vast majority of cases. Some take online bookings, some take telephone booking,” Hunt said, when asked why the website was not working as expected.

    “And in addition to that, the Commonwealth vaccination clinics will link through directly from the vaccination information and location service. So yesterday, 98% connection, 243,000 people who checked, 9,000 who actually registered for Phase 2, which is well beyond where we are now. And so what we’ve seen is a high uptake.”

    “And day one was always going to see a significant initial demand and I’m very pleased about that.”

    Due to the overload, and the fact phase 1b affects many people over the age of 70, the 1,069 GPs listed as receiving the vaccine were inundated with phone calls.

    “This is a system that should have been in place well before the commencement, particularly, of phase 1b of the vaccine rollout strategy. Already, we are seeing widespread confusion and widespread frustration,” health and aged care shadow minister Mark Butler said. “The health system website continues to drop out, people are continuing to have problems logging onto a website that is the gateway to the vaccine rollout strategy.”

    “These systems should have been tested and finalised weeks ago. Instead all we are seeing out there today is chaos and confusion.”

    HealthEngine was selected by the federal government to build its COVID-19 vaccination booking platform. It was reported by The Guardian that day one was actually meant to be Monday and that the medical appointment booking industry had been told to prepare their platforms to feed into HealthDirect, and for their client GP clinics to be trained with the software, by March 22.

    “We’ve known for months that we would need a national booking system … more than 6 million Australians are due to be able to book their vaccines from next week without a National Booking System,” Butler added. “This is utterly remarkable and irresponsible.”

    “This vaccine rollout is fast becoming a complete mess. It is way behind schedule and the systems that we need in place are still remarkably still being built.”

    Almost a year ago to the day, the federal government’s myGov portal went down after thousands flocked to the website to sign up for income assistance following forced business closures in the wake of the coronavirus outbreak. The minister in charge of government services, Stuart Robert, said the portal suffered a distributed denial of service (DDoS) attack while simultaneously blaming the outage on legitimate traffic that pushed past the 55,000 concurrent users limit set by government. Those words were barely two hours old when Robert stood up in Parliament to say it was merely 95,000 people trying to connect to myGov that had triggered a DDoS alert, and not an attack at all.

  • Cyber strength now key to national security, says UK

    The UK has committed to a new approach to the UK’s cyber capabilities, to better detect, disrupt and deter adversaries.

    In what has been billed as the largest security and foreign policy strategy revamp since the Cold War, the UK government has outlined new defense priorities – with at their heart, the imperative to boost the use of new technologies to safeguard the country. Prime minister Boris Johnson unveiled the integrated review this week, which has been in the making for over a year and will be used as a guide for spending decisions in the future. Focusing on foreign policy, defense and security, the review sets goals for the UK to 2025; underpinning many of the targets is the objective of modernizing the country’s armed forces.

    Johnson pledged to pump more money into defense, with a £24 billion ($33.4 billion) multi-year settlement that will represent a sizeable chunk of the UK’s GDP. Up to £6.6 billion ($9.1 billion) will be dedicated to R&D funding to deliver next-generation warfare technologies such as drones, directed energy weapons or advanced high-speed missiles.

    Where the government seems to be particularly ambitious, however, is in the space of cybersecurity: the review promises commitment to a new, “full-spectrum” approach to the UK’s cyber capabilities, to better detect, disrupt and deter adversaries. Technology has created new opportunities for malicious actors to operate in cyberspace, notes the review, through hacking, spreading disinformation, or carrying out organized crime online, to name a few. State and non-state agents are finding new ways to exploit digital weaknesses, increasing the risk of direct and collateral damage to the UK. “Consequently, cyber power will become increasingly important,” reads the document.

    The cyber threat coming from foreign states has been brought to the government’s attention many times in the past. Last year, the UK chief of defense intelligence James Hockenhull warned against the rising challenge posed by Russia and China, which he argued are supercharging conventional methods of conflict while also investing heavily into cyber. At about the same time, a report from a committee of MPs described Russia’s cyberattack capabilities as an “immediate and urgent threat” to the country’s national security, highlighting examples of Russian hackers intruding into the UK’s critical infrastructure and orchestrating phishing attempts against government departments.

    The new integrated review proposes to draw up a cyber strategy later this year, which is pitched as taking a “whole-of-cyber” approach that looks at a range of capabilities. On top of strengthening the country’s cyber ecosystem and creating a safer online space, the cyber strategy will establish ways for the UK to take the lead in technologies that are vital to cyber power, such as microprocessors, quantum technologies and new forms of data transmission.

    “The UK is due to publish a new National Cyber Strategy later in 2021 and some of the cyber and technology issues highlighted in the Integrated Review are a useful precursor,” James Sullivan, head of cyber research at the Royal United Services Institute (RUSI) for defence and security studies, tells ZDNet. “Building cyber resilience across the whole of society is the best way to make the most of the opportunities that technology offers.”

    Notably, the cyber strategy will focus on actively disrupting the activities of adversaries, by imposing costs on them or denying them the ability to harm UK interests – a step up from a purely defensive approach to cyber security.

    Central to the UK’s offensive approach will be the formal establishment of the National Cyber Force (NCF), which the prime minister announced will be headquartered in the north of England in an attempt to create a “cyber corridor” across the region. This will see industry and universities in the north of the country working hand-in-hand with government experts to prevent cyberattacks.

    Formed only last year, the NCF is a partnership between the Ministry of Defence (MoD) and the Government Communications Headquarters (GCHQ), which draws personnel from both organizations together with experts from the Secret Intelligence Service (MI6) and the Defence Science and Technology Laboratory (DSTL). In other words, it brings key players together for the first time with a common task – to conduct targeted offensive cyber operations against terrorists, hostile states and criminal gangs.

    The exact nature of the NCF’s work is highly secretive. GCHQ has previously asserted that the organization, and the UK at large, is committed to using its cyber capabilities in a responsible way and in line with international law, meaning that the force’s offensives are still tied to legal, ethical, and operational considerations. It is likely, therefore, that the NCF focuses on cyber operations that can disrupt an adversary’s ability to operate – rather than attacking them head-on. The government specified some of the operations that the force can carry out, which include interfering with a mobile phone to stop a terrorist from communicating with their contacts, but also preventing cyberspace from being used for serious crimes or keeping military aircraft safe from targeting by weapons systems.

    Attacks carried out by the NCF are likely to take a similar shape to those described by GCHQ director Jeremy Fleming in 2018, who explained at the time how the organization had been taking offensive action online to stop Daesh from spreading propaganda, and to hinder terrorists’ ability to coordinate attacks.

    According to some critics, however, more work is needed to make sure that the NCF finds a place among all of the government’s well-established security institutions. “It is good to see an emphasis on cyber security holistically with what is an explicitly offensive cyber force, but this sounds more like a sales pitch for what is a significant investment of resources on something that could be unpopular,” Andrew Dwyer, cybersecurity researcher at Durham University, tells ZDNet. “It is unclear what the NCF’s mission really is – it looks like a force that has yet to define what it needs or wants. There is a possibility that a move to the North could give the NCF some identity separate from its main contributors – the MoD and GCHQ – but it is likely to require far more detailed work to get it operationally-ready,” he continues.

    As online attacks only increase in scale and number, the UK government is unlikely to loosen its focus on cyber security. The integrated review highlighted that the National Cyber Security Centre (NCSC), which was established in 2016, is already working at pace to help protect businesses and the public from cyberattacks, and that the cybersecurity sector in the UK currently boasts over 1,200 companies and 43,000 skilled jobs.

  • Largest ransomware demand now stands at $30 million as crooks get bolder

    Ransomware shows no sign of slowing down as the average ransom paid to cyber criminals by organisations which fall victim to these attacks has nearly tripled over the last year.

    Cybersecurity researchers at Palo Alto Networks analysed ransomware attacks targeting organisations across North America and Europe and found that the average ransom paid in exchange for a decryption key to unlock encrypted networks rose from $115,123 in 2019 to $312,493 in 2020. That represents a 171 per cent year-over-year increase, allowing cyber criminals to make more money than ever before from ransomware attacks.

    Ransomware remains an effective tool for cyber criminals because many organisations remain poorly equipped to deal with the threat, leading many victims to give in to extortion demands and pay a Bitcoin ransom in the hope they’ll get the decryption key required to restore their network.

    This has been helped along by the rise of additional extortion tactics, such as when cyber criminals both encrypt and steal data, threatening the victim with publishing the stolen information if the ransom isn’t paid. In some cases, this leads to organisations which could restore the network without paying the ransom giving in to the blackmail and paying up anyway.

    The continued success of attacks has led to some ransomware gangs becoming extremely bold with demands – and it’s paying off. Before 2020, the highest ransom demand paid to cyber criminals stood at $5 million, but during the last year that has doubled, with data in the report suggesting that one victim paid a ransom of $10 million to cyber criminals following a ransomware attack.

    The highest attempted ransom demand during 2020 stood at $30 million – double the previous highest attempted demand of $15 million in previous years. And given the continued success of ransomware attacks – and the emergence of successful new variants of ransomware and easy-to-use ransomware-as-a-service schemes – it’s unlikely that cyber criminals will slow down any time soon.

    “Ransomware is one of the top threats in cybersecurity,” said John Davis, vice president of public sector at Palo Alto Networks. “Organizations around the world are being held hostage by ransomware, and many are being forced to pay cybercriminals because they’re not equipped to combat the threat for varying reasons, from a lack of recoverable backups to the cost of downtime outweighing the cost of paying the ransom,” he added.

    Ransomware groups including Ryuk, Egregor, DoppelPaymer and many others continue to plague organisations around the world in 2021, but with the right cybersecurity strategy, it’s possible to defend against attacks.

    Phishing emails remain a common means for cyber criminals to infiltrate networks, so researchers recommend that employees receive training to identify threats. It’s also recommended that remote desktop services be secured with strong passwords and multi-factor authentication to protect against brute-force attacks, while security patches should be applied to stop attackers taking advantage of known vulnerabilities.

    Organisations should also regularly store backups of the network – and do so somewhere offline – so if the worst happens and hackers do issue a ransom demand, the network can be restored without lining cyber criminals’ pockets.

  • Microsoft Exchange Server: These quarterly updates include fixes for security flaws

    Microsoft has released its March 2021 quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which include the security updates to address critical flaws that are currently under attack. These are notable cumulative updates (CUs) because customers with on-premise Exchange Server software should already be installing the separate security updates that Microsoft released on March 2.

    Exchange attacks

    Microsoft released the emergency patches in response to four previously unknown vulnerabilities that were being exploited by state-sponsored hackers and have since been pounced on by ransomware attackers.

    US federal government agencies have been put on notice to patch the Exchange flaws immediately amid a spike in attacks on government email servers. The UK’s National Cyber Security Centre (NCSC) has also raised an alarm over an estimated 3,000 Exchange servers that lack Microsoft’s latest patches.

    But now Exchange Server 2016 and Exchange Server 2019 customers have another way of patching the flaws: by installing the latest quarterly cumulative updates (CUs) from Microsoft, which is the most complete mitigation available.

    “We wanted to highlight that these latest CUs contain the fixes that were previously released as Exchange Server Security Updates on March 2, 2021. This means you don’t have to install the March 2021 Security Updates after installing the March 2021 CUs,” Microsoft’s Exchange team noted.

    Microsoft has separately published more information for security teams responding to the Exchange server bugs CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065.

    Attackers are using the flaws to remotely compromise Exchange servers and then install “web shells” to maintain persistence on compromised machines. Hence, Microsoft warns there is more cleaning up to do on a compromised on-premise Exchange server even after applying the security updates.

    “Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server,” Microsoft emphasizes in its advisory for incident response teams.

    “The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise,” Microsoft highlights in its advice for incident response teams handling Exchange Server software that isn’t on supported CUs.

    Microsoft also offers details for isolating an affected Exchange Server from the public internet until the security patches or the March 2021 CUs have been rolled out. Admins can do this by blocking inbound connections over port 443.

    However, this route could break Exchange Server as a tool for supporting remote workers. Blocking inbound connections on port 443 “could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network,” Microsoft warns.

    The advisory also highlights scripts included in the Exchange On-premises Mitigation Tool (EOMT) that Microsoft published on its code-sharing site GitHub. Security teams can use these to check for the presence of web shells on Exchange servers. The other option is to enable Microsoft Defender for Endpoint. “If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods,” Microsoft notes. The advisory contains step-by-step instructions for investigating each of the four vulnerabilities.

    Reflecting the severity of this security issue, Microsoft is now offering commercial customers using on-premise Exchange Server a three-month trial of Microsoft Defender for Endpoint. “Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what Microsoft Safety Scanner (MSERT) offers,” says Microsoft.

  • ‘Bit-Con’ Twitter teen hacker accepts plea agreement, three years behind bars

    The teenager responsible for breaking into high-profile Twitter accounts to peddle a cryptocurrency scam has reached a plea agreement with prosecutors. 

    Graham Ivan Clark, who was 17 at the time of his arrest, pleaded guilty for his role in the scam and will spend three years in prison, followed by a further three years of probation.

    Taking place in July 2020, the incident saw Twitter accounts belonging to Bill Gates, Elon Musk, Joe Biden, Barack Obama, Uber, and Apple, among others, hijacked and used to send promotional tweets for a cryptocurrency scam. Followers were asked to send Bitcoin (BTC) and were promised a higher return for their participation. However, those responsible kept the proceeds.

    Clark has been described as the “young mastermind” of the “Bit-Con” scam, in which two others — Mason Sheppard and Nima Fazeli — were also indicted and charged for participating.

    While the scam was short-lived, hundreds of transactions were still made. Clark was able to secure Bitcoin worth over $117,000 as of July 15, 2020.

    Twitter temporarily stopped verified accounts from tweeting while the hijacking was investigated. Internal Twitter tools were used to obtain access to the accounts.

    The Tampa, Florida resident was arrested in the same month and has since spent 7.5 months behind bars, a period of time which will be applied to his sentence.

    Clark was charged with counts of organized fraud, communications fraud, the fraudulent use of personal information, and access to a computer or electronic device without authorization. As of now, Clark is 18 years old, and due to his age at the time of prosecution, he has been charged under the Florida Youthful Offender Act. As a result, Clark will spend his time in a juvenile facility, but if he violates his probation afterward, he faces at least a decade in an adult prison.

    Clark has since turned over all of the cryptocurrency he acquired. It is hoped the stolen BTC can be returned to its owners, according to federal investigators.

    “He took over the accounts of famous people, but the money he stole came from regular, hard-working people,” commented Hillsborough State Attorney Andrew Warren. “Graham Clark needs to be held accountable for that crime, and other potential scammers out there need to see the consequences. In this case, we’ve been able to deliver those consequences while recognizing that our goal with any child, whenever possible, is to have them learn their lesson without destroying their future.”

  • Coalition raises $175 million to boost cyber insurance offerings

    Coalition has raised $175 million from investors to expand the firm’s team and cyber insurance product portfolio. 

    Announced on Wednesday, the San Francisco-headquartered company said the latest funding round was led by Index Ventures. Existing investors include General Atlantic, Ribbit Capital, Vy Capital, and Valor Equity Partners. Coalition says the latest cash injection now brings the value of the company to $1.75 billion. Previously, Coalition had raised $140 million through Series A to C funding rounds.

    Founded in 2017, Coalition primarily serves US and Canadian companies by offering up to $15 million in cyber insurance to cover cyberattacks, data breaches, and other security incidents. Policies can be taken out to include actual financial loss and stolen funds, incident response, lost business income, extortion, and even “reputational repair” — a common factor when a company is viewed poorly for either becoming a victim of or responding badly to a data breach.

    Coalition intends to use the new funding to invest in insurance innovation, the creation of new product lines that tackle problems “not well covered by standard business insurance policies” in the enterprise sector, and to enter new international markets. To date, the company caters to over 42,000 customers worldwide. Insurers Swiss Re and Arch Insurance have agreed to long-term capacity commitments.

    In 2019, Coalition completed the acquisition of BinaryEdge, a search engine platform for finding internet-facing and exposed devices. The firm’s technology was integrated into Coalition services to alert customers to their exposed — and potentially vulnerable — devices and servers.

  • FBI warns of rise in PYSA ransomware operators targeting US, UK schools

    The FBI has warned of a surge in attacks against schools in which ransomware operators are stealing data to pile on the pressure for payment. 

    In a joint FBI and DHS-CISA flash industry alert (.PDF) this week, law enforcement said a recent increase in attacks leveraging PYSA ransomware, also known as Mespinoza, has been traced to both US and UK educational institutions.

    “The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries,” the alert reads. “These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”

    First spotted in 2019, PYSA ransomware encrypts compromised systems, appending the extensions .locked or .pysa to the files it encrypts, and has been linked to Ransomware-as-a-Service (RaaS) offerings. Phishing emails, social engineering, and the compromise of Remote Desktop Protocol (RDP) credentials through theft or brute-force are some of the tactics used to gain initial entry into a target system.

    In the same way as REvil and Netwalker ransomware operators, among many others, PYSA users may steal data from their victims ahead of encryption and then threaten to publish it on leak sites unless ransom demands are met.

    “Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector,” law enforcement added.

    In March last year, France’s CERT team warned that local government entities were being targeted by PYSA operators.

    Earlier this month, the K12 Security Information Exchange and K-12 Cybersecurity Resource Center published a study on the state of cybersecurity in US schools. The research says that 2020 was a “record-breaking” year for cybersecurity incidents including data breaches, infrastructure compromise, and now — due to COVID-19 — the disruption of online learning by way of Zoombombing, as well as outright school closures caused by impacted record systems. According to the report, there are “significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.”