
Pysa Ransomware: Complete Guide

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal interests in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO and digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years he has helped restore data after logical errors, physical failures, and ransomware attacks for individuals, businesses, and government agencies alike.


PYSA ransomware has drawn attention for its targeted operations against government bodies, educational institutions, and healthcare organizations. It uses double extortion: it encrypts the victim's data and also exfiltrates it, threatening to publish or sell it unless a ransom is paid. Organizations in these sectors in particular need to plan their defenses and recovery around this threat.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against malware attacks. And, in case of a malware attack, contact our malware recovery experts immediately.

What kind of threat is Pysa?

PYSA is a later version of the Mespinoza ransomware, which is why detection names and threat reports often refer to it as PYSA/Mespinoza. Its initial access relies mainly on phishing emails and compromised credentials; once inside, the operators use tools such as PowerShell Empire and Koadic for post-exploitation and lateral movement, and WinSCP to exfiltrate data before encryption.

Understanding PYSA's hybrid encryption scheme is pivotal for defenders: file contents are encrypted with a symmetric AES key generated per file, and that key is in turn encrypted with an RSA public key embedded in the malware, so the files cannot be recovered without the operators' private key. Because the encryption itself is sound, defenses have to focus on early detection of the intrusion and on prevention, not on breaking the cipher after the fact.

Everything we know about Pysa ransomware

Confirmed name
  • Pysa virus

Threat type
  • Ransomware
  • Crypto virus
  • File locker

Encryption file extension
  • .pysa

Ransom note file name
  • Readme.README.txt

Detection names
  • Avast: Win32:RansomX-gen [Ransom]
  • Emsisoft: Generic.Ransom.Mespinoza.D71AEC53 (B)
  • Kaspersky: Trojan.Win32.Zudochka.edf
  • Malwarebytes: Malware.AI.4044204961
  • Microsoft: Ransom:Win32/Filecoder.PD!MTB

Distribution methods
  • Phishing emails
  • Outdated (unpatched) software
  • Compromised credentials
  • Watering hole attacks

Consequences
  • Open door for follow-on infections
  • Data leakage
  • File encryption
  • Ransom demand

Pysa Ransomware methods of infection and execution

1. Preparation and Targeting

Pysa operators prepare their attacks carefully and follow a "big game hunting" strategy: rather than spraying infections indiscriminately, they pick organizations that hold high-value assets and are especially sensitive to data loss or downtime. Victims chosen this way are more likely to pay quickly, whatever the ransom amount.

Healthcare providers, entrusted with sensitive patient data, become prime targets due to the potential for severe disruptions to patient care and the confidentiality of medical records. Government agencies, tasked with safeguarding classified information and ensuring the continuity of essential services, represent another lucrative target for Pysa. Moreover, managed service providers, serving as central IT support hubs for numerous organizations, become focal points, given their pivotal role in maintaining seamless operations for their clients.

2. Initial Access

Pysa uses several methods to gain initial access to targeted systems. After the initial foothold, the operators rely heavily on publicly available and open-source tooling for credential theft, staying stealthy, escalating privileges, and moving laterally across the network. Because these tools are also used legitimately by administrators and penetration testers, they help the attackers blend in while they set up the later stages of the attack.

Some of the prominent distribution methods associated with Pysa ransomware include:

Phishing emails

Pysa commonly gains initial access to target systems through phishing emails. Threat actors send deceptive emails with malicious attachments or links, tricking recipients into opening them. Once opened, these attachments may contain payloads or links that facilitate the deployment of the ransomware.


Compromised credentials

Pysa operators often compromise credentials, such as Remote Desktop Protocol (RDP) credentials or other login information. By exploiting weak passwords or using brute-force attacks, the attackers gain unauthorized access to target networks and initiate the ransomware deployment.

Exploit vulnerabilities

Pysa may take advantage of vulnerabilities in software, operating systems, or network configurations. Exploiting these vulnerabilities allows the ransomware to infiltrate systems without the need for user interaction.

Advanced port and IP scanning

Tools such as Advanced Port Scanner and Advanced IP Scanner are used for network reconnaissance once the operators have a foothold. The scans map reachable hosts and open services inside the target network, identifying further entry points and vulnerable systems for lateral movement; unlike the items above, this is a post-compromise step rather than an entry vector in itself.

Watering hole attacks

Pysa may employ watering hole attacks, where attackers compromise websites frequently visited by the target audience. By injecting malicious code into these websites, the ransomware can be delivered to unsuspecting visitors.

Use of open-source tools

Pysa operators leverage open-source tools like PowerShell Empire, Koadic, and Mimikatz for various stages of the attack, including credential theft, lateral movement, and privilege escalation.

3. Execution

Upon successful infiltration, Pysa runs a fixed sequence of steps before and during encryption. It first creates a mutex named "Pysa" to check whether another instance is already running, which prevents files from being encrypted twice. It then starts two threads for the encryption work to speed it up. For persistence of the ransom demand, it writes the ransom note into the Windows legal-notice registry values (legalnoticecaption and legalnoticetext), so the note is displayed at every logon. Finally, it drops a .bat file that deletes the ransomware executable once encryption is done.

4. Encryption

Pysa uses the Crypto++ library for encryption, combining RSA-4096 with AES-256-CFB. Before encrypting each file, Pysa calls the SinkArray() function twice, generating a unique 256-bit AES key and a fresh initialization vector (IV) for that file. The master RSA-4096 public key embedded in the ransomware is then used to encrypt each file's key and IV, so only the holder of the matching private key can recover them. A predefined allowlist and denylist determine which files and directories are encrypted; encrypted files get the .pysa extension appended, and certain system directories are skipped so that the machine still boots and can display the ransom note.
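The following PowerShell script is an added illustration of the per-file key wrapping described above; it is not code from PYSA or from this page. It assumes PowerShell 7 on .NET, uses AES-CBC rather than the CFB mode reported above (the mode does not change the key-management point), and the function names Protect-FileBytes and Unprotect-FileBytes are ours. The operator's master key pair is generated locally here only so that the decrypt half can be shown; in a real incident the victim's machine holds only the public half.

```powershell
# Added illustration of the hybrid scheme, not code from the PYSA binary.
# Runs on PowerShell 7 (.NET 6+); all data is in memory, nothing is written to disk.
using namespace System.Security.Cryptography

# Stand-in for the operator's master key pair. Only the public half is embedded in the
# malware; the private half never leaves the operator, which is what makes recovery
# without paying (or without a backup) infeasible.
$masterRsa = [RSA]::Create(4096)
$embeddedPublicKey = $masterRsa.ExportParameters($false)   # modulus + exponent only

function Protect-FileBytes {
    param([byte[]]$Plaintext, [RSAParameters]$PublicKey)

    # Fresh 256-bit key and 128-bit IV per file from the OS CSPRNG
    # (the page reports PYSA drawing these from Crypto++'s RNG).
    $rng = [RandomNumberGenerator]::Create()
    $key = [byte[]]::new(32); $rng.GetBytes($key)
    $iv  = [byte[]]::new(16); $rng.GetBytes($iv)

    $aes = [Aes]::Create()
    $aes.Mode = [CipherMode]::CBC   # assumption for portability; the page reports CFB
    $aes.Key = $key; $aes.IV = $iv
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # Wrap key||IV with the public key. The victim's disk ends up holding only the
    # ciphertext and this 512-byte RSA blob; the AES key itself is never stored.
    $pub = [RSA]::Create()
    $pub.ImportParameters($PublicKey)
    $wrapped = $pub.Encrypt([byte[]]($key + $iv), [RSAEncryptionPadding]::OaepSHA256)

    [pscustomobject]@{ Ciphertext = $ciphertext; WrappedKeyIv = $wrapped }
}

function Unprotect-FileBytes {
    param($Blob, [RSA]$PrivateKey)
    # Only the holder of the private key can unwrap the per-file key and IV.
    $keyIv = $PrivateKey.Decrypt($Blob.WrappedKeyIv, [RSAEncryptionPadding]::OaepSHA256)
    $aes = [Aes]::Create()
    $aes.Mode = [CipherMode]::CBC
    $aes.Key = [byte[]]$keyIv[0..31]; $aes.IV = [byte[]]$keyIv[32..47]
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
}

# Constructed sample input standing in for a victim file.
$plain = [Text.Encoding]::UTF8.GetBytes('Q3 payroll export (constructed sample)')
$blob  = Protect-FileBytes -Plaintext $plain -PublicKey $embeddedPublicKey

"Ciphertext: $($blob.Ciphertext.Length) bytes, wrapped key material: $($blob.WrappedKeyIv.Length) bytes"

# Recovery works only with the private key the operator holds.
$recovered = Unprotect-FileBytes -Blob $blob -PrivateKey $masterRsa
[Text.Encoding]::UTF8.GetString($recovered)
```

The takeaway for recovery planning: the wrapped blob stored next to each ciphertext contains the AES key and IV only in RSA-encrypted form, so analysing the encrypted files yields no key. Recovery comes from the operators' private key, from an offline backup, or from key material captured in memory while the encryptor is still running.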

5. Self-Deletion

The final stage in Pysa’s operation involves self-deletion to cover its tracks. The ransomware creates an update.bat file in the %TEMP% directory. This batch script, as outlined in the ransomware’s code, ensures the removal of the malicious executable, its directory, and the batch file itself. By executing this self-deletion mechanism, Pysa aims to erase any traces of its presence, complicating forensic efforts and maintaining a level of anonymity.

6. Communication

Pysa establishes communication with victims through email accounts explicitly indicated in the ransom note. These email addresses serve as the primary channels for negotiating ransom amounts, providing proof of decryption capability, and delivering instructions on the payment process.

Do not pay the ransom! Contacting a ransomware recovery service can not only restore your files but also remove any potential threat.

Pysa ransomware Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

Pysa ransomware-specific IOCs

  • Cryptographic operations: Crypto++ library (RNG, AES, RSA)
  • File extension: .pysa (appended to encrypted files)
  • Ransom note: Readme.README
  • Self-deletion script: %TEMP%\update.bat
  • Mutex: "Pysa" (created at start-up so a second instance does not re-encrypt files)
  • Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext
  • Registry values: legalnoticecaption set to "PYSA"; legalnoticetext contains the contents of the ransom note
  • Email accounts for communication: the protonmail.com addresses quoted in the ransom note below
  • MD5: e9454a2ff16897e177d8a11083850ec7
  • SHA256: e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead
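As an added example, not part of the original page, the following read-only PowerShell triage script checks a suspected Windows host for the artifacts above. The scan roots, the seven-day window for recently written executables, and the decision to parse contact addresses out of the first ransom note found are our choices; the registry values, file names, mutex name and hash come from the list above. Run it as an administrator on the suspect host before anything is cleaned up.

```powershell
# Added triage script for the indicators listed above; not code from the page or from PYSA.
# Read-only: it reports findings and changes nothing, so it can run before an IR team
# takes an image. Intended for PowerShell 5.1 or 7 on the suspected host, run as admin.
param(
    [string[]]$ScanRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData"),
    [string]$KnownSha256 = 'e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead',
    [int]$RecentDays     = 7
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Logon legal-notice values hijacked to display the ransom note
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and ($pol.legalnoticecaption -eq 'PYSA' -or $pol.legalnoticetext -match 'Protect Your System Amigo')) {
    $findings.Add("Registry: legalnoticecaption='$($pol.legalnoticecaption)' (ransom note shown at logon)")
}

# 2. Self-deletion script in %TEMP% (gone once it has run, so absence proves nothing)
$bat = Join-Path $env:TEMP 'update.bat'
if (Test-Path $bat) { $findings.Add("File: $bat (self-deletion script still present)") }

# 3. The "Pysa" mutex exists only while an instance is running: if present, encryption is in progress
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting('Pysa', [ref]$mutex)) {
    $findings.Add('Mutex: "Pysa" is open - the encryptor may still be running; capture memory before anything else')
    $mutex.Dispose()
}

# 4. Encrypted files and ransom notes; pull the contact addresses out of the first note found
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    $hits = @(Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
              Where-Object { $_.Extension -eq '.pysa' -or $_.Name -like 'Readme.README*' })
    if ($hits.Count -eq 0) { continue }
    $findings.Add("Files: $($hits.Count) .pysa/Readme.README hits under $root, e.g. $($hits[0].FullName)")
    $note = $hits | Where-Object { $_.Name -like 'Readme.README*' } | Select-Object -First 1
    if ($note) {
        $emails = [regex]::Matches((Get-Content -Path $note.FullName -Raw), '[\w.+-]+@[\w-]+\.[\w.-]+') |
                  ForEach-Object { $_.Value } | Sort-Object -Unique
        $findings.Add("Note contacts: $($emails -join ', ')")
    }
}

# 5. Hash of recently written executables against the known sample
$recentExe = Get-ChildItem -Path $ScanRoots -Recurse -Force -File -Include *.exe -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays) }
foreach ($exe in $recentExe) {
    $h = Get-FileHash -Path $exe.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($h -and $h.Hash -ieq $KnownSha256) { $findings.Add("Hash match: $($exe.FullName)") }
}

if ($findings.Count -eq 0) { 'No PYSA indicators found (this does not clear the host).' } else { $findings }
```

A single hash only catches that one sample, and update.bat removes the executable after the run, so the registry values, the ransom notes and the .pysa extension are the durable indicators; the mutex check is the one that tells you whether pulling the power now would interrupt encryption in progress.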

Pysa ransom note

The Pysa ransom note, "Readme.README.txt", is a short, blunt message from the threat actors to the victim company. It states that every byte on all of the victim's devices has been encrypted and warns that backups were encrypted too, so restoring from them will not work.

To regain access, victims are told to contact the threat actors at the listed email addresses; as proof of decryption capability, the actors offer to decrypt two files of up to 2 MB. The note signs off with the phrase "Protect Your System Amigo."

Hi Company,

Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.

To get all your data back contact us:
raingemaximo@protonmail.com
gareth.mckie3l@protonmail.com
aireyeric@protonmail.com
ellershaw.kiley@protonmail.com

--------------
FAQ:
1. Q: How can I make sure you don't fooling me?
   A: You can send us 2 files(max 2mb).
2. Q: What to do to get all data back?
   A: Don't restart the computer, don't move files and write us.
3. Q: What to tell my boss?
   A: Protect Your System Amigo.

How to handle a Pysa ransomware attack

The first step in recovering from a Pysa ransomware attack is to isolate the infected computer: disconnect it from the network and the internet and detach any connected storage devices, but do not power it off. Then contact local authorities. For US residents and businesses, that is the FBI and the Internet Crime Complaint Center (IC3).

To report a malware attack, gather as much information about it as you can, including:

  • Screenshots of the ransom note
  • Communications with threat actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to contact professionals, then it’s best to leave every infected machine the way it is and ask for an emergency ransomware removal service. These professionals are equipped to quickly mitigate the damage, gather evidence, potentially reverse the encryption, and restore the system.

Restarting or shutting down the system may compromise the recovery effort. Capturing the RAM of the live system can preserve key material while the encryption process is still running, and a captured dropper file (the file that executes the malicious payload) can be reverse-engineered, which may help with decryption or at least with understanding how the malware operated.

Do not delete the ransomware, and preserve all evidence of the attack. Digital forensics experts need it to trace the intrusion back to the group responsible and identify them, and authorities investigate using the data on your infected system. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer gives organizations expert support both before and in the aftermath of a cybersecurity incident. Its specific nature and structure vary according to the provider and the organization's requirements, but a good retainer should be robust yet flexible, providing proven services that also improve the organization's long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the malware yourself and recover the files with your IT team, then you can follow the next steps.

2. Use a backup to restore the data

The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.

Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.

Regularly test and update your backup procedures so they actually work when needed. There are several ways to make a backup, so choose the right backup medium and keep at least one copy of your data offsite and offline; Pysa's own ransom note warns that reachable backups get encrypted along with everything else, and only a copy the attacker cannot reach survives that.

3. Contact a malware recovery service

If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way to restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Pysa ransomware from attacking your network again, contact our recovery experts 24/7.

Prevent the Pysa ransomware attack

Preventing malware is the best solution for data security: it is easier and cheaper than recovering from an infection. A Pysa ransomware attack can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid malware attacks:

  • Keep your operating system and software up to date with the latest security patches. This closes the vulnerabilities attackers exploit for initial access.
  • Use strong, unique passwords for all accounts and enable multi-factor authentication wherever possible, especially on RDP and other remote-access services that Pysa operators brute-force.
  • Be cautious of suspicious emails, links, and attachments. Do not open attachments or click links from unknown or suspicious sources.
  • Use reputable antivirus and anti-malware software and keep it up to date so it can detect and remove malware before it causes damage.
  • Use a firewall to block unauthorized access to your network and systems, and do not expose RDP directly to the internet.
  • Segment the network into smaller sub-networks with limited interconnectivity. This restricts an attacker's lateral movement and keeps unauthorized users away from the organization's intellectual property and data.
  • Limit user privileges so that a compromised account does not give the attacker access to sensitive data and systems.
  • Educate employees and staff on how to recognize and avoid phishing emails and other social engineering attacks.
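Added example (not from the page): a PowerShell audit of four host settings that map to the entry and lateral-movement techniques described earlier, namely RDP credential abuse, PowerShell Empire/Koadic tooling, Mimikatz credential theft and SMB lateral movement. The registry paths are the standard Windows policy locations, the choice of these four checks is ours, and the script assumes Windows 10/Server 2016 or later. It reports only, so pair it with the Group Policy that actually sets the values.

```powershell
# Added audit, not from the page: reports the host settings that close the PYSA entry
# and lateral-movement paths described above. Read-only; "want" is the hardened value.
$checks = @(
    @{ Name  = 'RDP requires Network Level Authentication (blunts RDP credential brute forcing)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'UserAuthentication'; Want = 1 },
    @{ Name  = 'PowerShell script block logging (records Empire/Koadic stagers as event 4104)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging'; Want = 1 },
    @{ Name  = 'WDigest plaintext credential caching off (starves Mimikatz of cleartext logons)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Want = 0 },
    @{ Name  = 'SMBv1 server disabled (removes a classic lateral-movement path)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'SMB1'; Want = 0 }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    # UNSET means the OS default applies; treat it as something to verify, not as a pass.
    $state = if ($null -eq $actual) { 'UNSET' } elseif ($actual -eq $c.Want) { 'OK   ' } else { 'WEAK ' }
    $shown = if ($null -eq $actual) { 'absent' } else { $actual }
    '{0} {1} [found: {2}, want: {3}]' -f $state, $c.Name, $shown, $c.Want
}

# Account lockout policy from the local SAM: PYSA operators brute-force RDP,
# so a threshold of "Never" is WEAK.
(net accounts) | Where-Object { $_ -match 'Lockout threshold' }
```

Script block logging is the check with the most detection value here: PowerShell Empire and Koadic stagers are PowerShell or script-host one-liners, and with logging on they land in the Microsoft-Windows-PowerShell/Operational log as event 4104, which a SIEM can alert on long before the encryptor runs.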