The PYSA ransomware gang is active again and targeting multiple sectors. Since March 2020, PYSA ransomware attacks have been launched against the U.S. and foreign government entities, private companies, educational institutions, and healthcare facilities.

What is happening?

According to the FBI, the cybercriminal gang is specifically targeting higher education, K-12 schools, and seminaries. 
  • The ransom note includes the organization's name and links to PYSAPysa’s Tor site and data leak site. 
  • The actor steals sensitive files from the victims' networks, including PII, payroll tax information, and other data to force the victims for a ransom.
  • The FBI has, however, issued an alert warning about this threat, which talks about the indicators of compromise to help guard against these ransomware attacks.

PYSA in news

PYSA has been in the news for various attacks lately.
  • In January, PYSA operators had published sensitive data, including personal data of staff and residents, stolen from Hackney Council in the U.K.
  • In the same month, McAfee had released a report stating that the ransomware has been targeting several sectors, including government, finance, healthcare, and law enforcement, for the past several months.

K12 schools under attack

In December 2020, the FBI, the CISA, and MS-ISAC had warned about ransomware, malware, and DDoS attacks targeting K-12 educational institutions in the U.S. In addition, they alerted users about social engineering via phishing, domain typosquatting against faculty, students, and others.


Ransomware gangs such as PYSA will continue to pose a threat to the educational sector, as well as other sectors, in the coming days. The FBI shared a list of suggested mitigations that will help in detecting and blocking PYSA ransomware attacks against educational institutions. Therefore, organizations are suggested to act proactively to defend against such threats.

Cyware Publisher