ADVISORY: Uptick in ransomware targeting higher ed


This information was sent to U-M IT staff groups via email on March 25, 2021.

The FBI is warning of an uptick in extortion attacks targeting higher education institutions, K–12 schools, and seminaries using the Pysa ransomware variant, also known as Mespinoza. Threat actors use Pysa to extract data and then lock affected computers. They threaten to either delete the data or publish it on the Dark Web and monetize it unless the recipient pays a ransom.

The increased attacks are occurring across the U.S. and the U.K. Criminals have used Pysa to steal employment records containing personally identifiable information, payroll tax information, and other sensitive information.

How Pysa Infects Computers

  • Through phishing emails that lure recipients into opening an attachment or shared document containing the ransomware.
  • By remotely accessing systems via compromised credentials.

What Unit IT Staff Can Do

  • If you have not already installed CrowdStrike Falcon endpoint protection on the unit computers you are responsible for, do so as soon as possible. Falcon protects against this and other threats.
  • Implement Duo two-factor on any machine that allows authenticated connections from the internet.
  • Back up U-M data. All U-M units and research programs are required to develop and document backup plans for U-M institutional data.
  • Keep hardware and software up to date. Apply all patches and updates as soon as possible after appropriate testing, and use only supported, up-to-date software.
  • Report suspected IT security incidents, including ransomware attacks, to
  • Provide education and awareness in your unit:

Learn more at Ransomware Mitigation.

What Users Can Do

Most importantly:

Learn more: