Pysa

Malware Profile Updated 2 months ago
First observed in October 2019, Pysa, also known as Mespinoza, is a human-operated ransomware run by an unidentified advanced persistent threat group. It primarily targets high-value financial and governmental entities but has also been implicated in attacks on healthcare, education, and law enforcement organizations.

Initial access is gained through brute-force attacks on exposed Active Directory services or other management interfaces, spam or phishing email campaigns, and unauthorized Remote Desktop Protocol (RDP) connections to domain controllers. Once inside, the operators attempt to extract sensitive information before encrypting all accessible non-system files. Files are encrypted with AES and the AES keys are in turn encrypted with RSA, so recovery requires the operators' RSA private key. The ransomware relies on the Crypto++ (CryptoPP) library for these routines.

CTU researchers have noted the use of Advanced Port Scanner and the Privilege Escalation Awesome Scripts Suite (PEASS) in Pysa ransomware incidents, and have observed threat actors using MegaSync, a cloud storage client commonly used for data exfiltration, in Pysa operations. During investigations, the DNSGo RAT was seen using DNS TXT records to carry command-and-control (C2) communications.

Pysa operates similarly to other ransomware groups such as Conti, adopting an organizational hierarchy that includes senior executives, system administrators, developers, recruiters, HR, and legal staff. If a victim does not comply with the ransom demand, the stolen data is posted on a leak site controlled by Pysa's operators; the threat of publication is used to pressure affected organizations into paying (double extortion).

Later reporting attributes a decrease in ransomware activity to the disappearance of Conti, REvil, and PYSA, all of which are described as having operated Ransomware-as-a-Service (RaaS) models. The model itself remains a significant threat because it gives technically unsophisticated cybercriminals access to effective ransomware tooling without requiring complex knowledge or skills.
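The profile describes a RAT that tunnels C2 over DNS TXT records. The following Python script is an added example, not code from the original page and not derived from any Pysa or DNSGo sample: it scores DNS query logs for the generic shape of that technique (one host repeatedly requesting TXT records under a single domain, with random-looking first labels that rarely repeat, at a steady beacon interval). The log line format "<ISO timestamp> <source IP> <queried name> <record type>", the sample lines, the placeholder domain beacon-test.invalid and the thresholds are all constructed assumptions for the demonstration.

```python
"""Heuristic detector for C2 carried in DNS TXT queries (added example, not from the page).

Assumed log line format: "<ISO timestamp> <source IP> <queried name> <record type>".
Scores each (source IP, domain) pair on TXT query volume, first-label entropy,
label uniqueness and beacon regularity. Thresholds are assumptions to be tuned
against a baseline of legitimate TXT lookups (SPF, DKIM, DMARC, verification records).
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ordinary A/MX traffic, one benign TXT lookup (_dmarc)
# and one host beaconing every 30 s with high-entropy labels under a placeholder domain.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.com A
2024-01-10T09:00:02 10.0.0.5 _dmarc.example.com TXT
2024-01-10T09:00:10 10.0.0.7 a8f3k2q9z1.beacon-test.invalid TXT
2024-01-10T09:00:30 10.0.0.9 mail.example.com MX
2024-01-10T09:00:40 10.0.0.7 7q2ml0x4vb.beacon-test.invalid TXT
2024-01-10T09:01:10 10.0.0.7 zx91kd8w3p.beacon-test.invalid TXT
2024-01-10T09:01:40 10.0.0.7 p0o9i8u7y6.beacon-test.invalid TXT
2024-01-10T09:02:10 10.0.0.7 m3n4b5v6c7.beacon-test.invalid TXT
2024-01-10T09:02:40 10.0.0.7 q1w2e3r4t5.beacon-test.invalid TXT
"""

MIN_TXT_QUERIES = 5       # assumed: fewer queries is too little to judge
MIN_LABEL_ENTROPY = 3.0   # assumed: bits/char; encoded payload labels score high
MIN_DISTINCT_RATIO = 0.8  # assumed: share of labels that never repeat


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0.0 for '' or 'aaaa')."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (timestamp, source IP, normalised query name, record type) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, src, qname, qtype = parts
        yield datetime.fromisoformat(ts), src, qname.lower().rstrip("."), qtype.upper()


def split_name(qname):
    """Return (first label, registrable domain), or (None, qname) for a bare domain.

    Simplification: the registrable domain is the last two labels. A real deployment
    should consult the Public Suffix List (co.uk and similar have three).
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return labels[0], ".".join(labels[-2:])


def detect(text):
    """Return one finding per (source IP, domain) whose TXT queries look like C2 beaconing."""
    groups = defaultdict(list)
    for ts, src, qname, qtype in parse_log(text):
        if qtype != "TXT":
            continue
        label, domain = split_name(qname)
        if label is None:
            continue  # TXT lookup on the apex itself (e.g. SPF) is normal
        groups[(src, domain)].append((ts, label))

    findings = []
    for (src, domain), events in groups.items():
        if len(events) < MIN_TXT_QUERIES:
            continue
        labels = [lab for _, lab in events]
        mean_entropy = statistics.mean(shannon_entropy(lab) for lab in labels)
        distinct_ratio = len(set(labels)) / len(labels)
        if mean_entropy < MIN_LABEL_ENTROPY or distinct_ratio < MIN_DISTINCT_RATIO:
            continue
        # Beacon regularity: coefficient of variation of the gaps between queries.
        # Near 0 means a fixed timer; implants with jitter score higher.
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        interval_cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        findings.append({
            "src": src,
            "domain": domain,
            "txt_queries": len(events),
            "mean_label_entropy": round(mean_entropy, 2),
            "distinct_ratio": round(distinct_ratio, 2),
            "mean_interval_s": mean_gap,
            "interval_cv": round(interval_cv, 3),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed log the script flags only 10.0.0.7 against beacon-test.invalid (six TXT queries, mean label entropy 3.32 bits, every label unique, a 30 s interval with zero jitter), while the single _dmarc TXT lookup from 10.0.0.5 stays below the volume threshold. In production, feed it resolver or passive-DNS logs and baseline the entropy and volume thresholds first, since legitimate TXT-heavy services (domain verification, some anti-spam products) will otherwise generate noise.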
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
APT
Phishing
Spam
RAT
Data Leak
Malware
RaaS
Ransom
Associated Malware
ID | Type | Votes | Profile Description
REvil | Unspecified | 2 | REvil, also known as Sodinokibi, is a type of malware that gained notoriety through its use in ransomware attacks. As the Ransomware as a Service (RaaS) model grew in popularity during 2020, relationships between first-stage malware and subsequent ransomware attacks were established. One such connec
Conti | Unspecified | 2 | Conti is a type of malware, specifically ransomware, which was designed to infiltrate systems, disrupt operations, and potentially hold data hostage for ransom. The malware has been used by various threat actors, including ITG23, who have utilized it alongside other malicious software such as Trickb
Ryuk | Unspecified | 1 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Hades Ransomware | Unspecified | 1 | Hades ransomware is a variant of the WastedLocker malware, which is designed to exploit and damage computers or devices. It was observed by CTU researchers being used in conjunction with Advanced Port Scanner, MegaSync, and Malleable C2 tools in various cyberattack incidents. These tools have been l
petya | Unspecified | 1 | Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and Da
Nefilim | Unspecified | 1 | Nefilim is a malware, specifically a ransomware, that has been responsible for significant cyber threats globally. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Between 2019 and 2021,
Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f
Egregor | Unspecified | 1 | Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
Associated Threat Actors
ID | Type | Votes | Profile Description
Sodinokibi | Unspecified | 1 | Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st
Hades | Unspecified | 1 | Hades is a notable threat actor, known for its distinctive tactics and infrastructure in executing cyber attacks. The cybersecurity industry first observed Hades' operations in June 2021, with its activities marked by the use of advanced tools such as Advanced Port Scanner, MegaSync, Rclone, and Mal
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Pysa malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 7 months ago | How One Vulnerable Device Can Spell Disaster | #ransomware | #cybercrime | National Cyber Security Consulting
Checkpoint | 8 months ago | The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks - Check Point Research
CERT-EU | a year ago | Ransomware resurgence in 2023 | Professional Security
MITRE | a year ago | PYSA/Mespinoza Ransomware
MITRE | a year ago | Pysa Ransomware - NHS Digital
MITRE | a year ago | Rclone Wars: Transferring leverage in a ransomware attack
Secureworks | a year ago | Ransomware Evolution
Secureworks | a year ago | Phases of a Post-Intrusion Ransomware Attack
CERT-EU | a year ago | 65+ Germany Cybersecurity Statistics, Facts & Trends (2023)
CERT-EU | a year ago | CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities
CERT-EU | a year ago | Cybersecurity threatscape: year 2021 in review