Pysa

Malware updated 4 months ago (2024-07-17T21:17:37.178Z)
Pysa is ransomware: malicious software that encrypts data on compromised systems and demands payment for its decryption. The group behind it is notable for an organizational hierarchy that includes senior executives, system administrators, developers, recruiters, HR and legal teams. It claimed credit for a 2020 attack in which 440,000 files were encrypted.

Initial access comes from brute-force attacks against exposed Active Directory services and other management interfaces, from spam and phishing email campaigns, and from unauthorized Remote Desktop Protocol (RDP) connections to domain controllers. Once inside, the operators attempt to extract sensitive data before the ransomware encrypts every accessible non-system file with AES; the AES keys are in turn encrypted with RSA, so the file keys cannot be recovered without the corresponding RSA private key.

CTU researchers have observed a recurring toolset in Pysa incidents. Advanced Port Scanner was common to Pysa, Snatch and Hades ransomware incidents. MegaSync, a cloud storage sync client, was seen in Nefilim, Pysa and Hades operations. The Privilege Escalation Awesome Scripts Suite (PEASS) was used in both Pysa and REvil incidents. The DNSGo RAT, which carries its command and control (C2) traffic in DNS TXT messages, was also seen in Pysa incidents.

The Pysa group operates a leak site on which it posts data taken from organizations that do not meet its ransom demands; the stolen data is the lever used to extort victims. Pysa, alongside Conti and REvil, contributed to the prominence of Ransomware-as-a-Service (RaaS) models, and a significant drop in such activity followed the disappearance of Conti, REvil and Pysa. Despite that drop, Pysa is still assessed as a significant threat, with its operators seeking ways to improve their tactics and extend their reach.
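The brute-force and RDP initial-access vectors above show up on a domain controller as bursts of Windows Security event 4625 (failed logon). The following detection logic is an added example for this page, not CTU, Cybergeist or vendor tooling; the event records are constructed for illustration, using the field names Windows records for event 4625, and the thresholds (5 failures in 5 minutes, 3 distinct accounts for a spray) are assumptions.

```python
"""Detect RDP / domain brute-force and password-spray bursts in Windows
Security event 4625 (failed logon) records.

Added example for this page; it is not the CTU's, Cybergeist's or any
vendor's tooling. The event lines below are constructed for illustration
and use the field names Windows records for event 4625. Thresholds
(5 failures in 5 minutes, 3 distinct accounts for a spray) are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the form  timestamp|EventID|TargetUserName|IpAddress|LogonType
# LogonType 10 = RemoteInteractive (RDP), 3 = Network (SMB/LDAP/WinRM against a DC),
# 2 = Interactive (console), which is out of scope for remote brute force.
SAMPLE_EVENTS = [
    "2024-03-01T02:00:01Z|4625|administrator|203.0.113.45|10",
    "2024-03-01T02:00:10Z|4625|administrator|203.0.113.45|10",
    "2024-03-01T02:00:12Z|4625|alice|198.51.100.7|3",
    "2024-03-01T02:00:20Z|4625|administrator|203.0.113.45|10",
    "2024-03-01T02:00:25Z|4625|bob|198.51.100.7|3",
    "2024-03-01T02:00:35Z|4625|administrator|203.0.113.45|10",
    "2024-03-01T02:00:40Z|4625|carol|198.51.100.7|3",
    "2024-03-01T02:00:50Z|4625|administrator|203.0.113.45|10",
    "2024-03-01T02:00:55Z|4625|dave|198.51.100.7|3",
    "2024-03-01T02:01:05Z|4625|administrator|203.0.113.45|10",
    "2024-03-01T02:01:10Z|4625|erin|198.51.100.7|3",
    "2024-03-01T02:01:30Z|4624|administrator|203.0.113.45|10",  # success right after the burst
    "2024-03-01T02:30:00Z|4625|jsmith|192.0.2.10|10",            # isolated typo, benign
    "2024-03-01T02:31:00Z|4625|jsmith|10.0.0.5|2",               # console failure, ignored
    "2024-03-01T03:10:00Z|4625|jsmith|192.0.2.10|10",
]


def parse_event(line):
    """Split one constructed record into typed fields."""
    ts, event_id, user, ip, logon_type = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "user": user.lower(),
        "ip": ip,
        "logon_type": int(logon_type),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5),
                      spray_users=3, logon_types=(3, 10)):
    """Return one alert per source IP that produced >= threshold failed remote
    logons inside a sliding window. The alert is labelled password_spray when
    the failures are spread over >= spray_users accounts, brute_force
    otherwise, and followed_by_success is set when a 4624 from the same IP
    lands within the window after the burst."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> (ts, user) of failures still inside the window
    alerts = {}                   # ip -> alert dict, refreshed while the burst continues
    for ev in events:
        if ev["logon_type"] not in logon_types:
            continue
        if ev["event_id"] == 4624:
            a = alerts.get(ev["ip"])
            if a and ev["ts"] - a["last"] <= window:
                a["followed_by_success"] = True   # the guess landed: escalate
            continue
        if ev["event_id"] != 4625:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            users = {u for _, u in q}
            alerts[ev["ip"]] = {
                "ip": ev["ip"],
                "failures": len(q),
                "distinct_users": len(users),
                "pattern": "password_spray" if len(users) >= spray_users else "brute_force",
                "first": q[0][0],
                "last": ev["ts"],
                "followed_by_success": alerts.get(ev["ip"], {}).get("followed_by_success", False),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample it raises two alerts: a single-account brute force from 203.0.113.45 that is followed by a successful logon, which is the case to page someone on, and a low-and-slow spray from 198.51.100.7 that touches one account per attempt and would never trip a per-account lockout policy. Logon type 2 and the two isolated failures from 192.0.2.10 are ignored.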
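The DNS TXT channel used by the DNSGo RAT mentioned above leaves a distinctive shape in resolver logs: one client asking for many never-repeated, high-entropy subdomains of a single zone, all with query type TXT. The following detector is an added example for this page and is neither the RAT's protocol nor any vendor's rule; the query log is constructed for illustration, the "registered domain = last two labels" rule is a simplification of what a public-suffix-list lookup would do, and the thresholds are assumptions.

```python
"""Flag DNS TXT query patterns consistent with a DNS-tunnelling RAT, such as
the DNS TXT-based C2 this page describes for the DNSGo RAT.

Added example for this page; it is not the RAT's protocol nor any vendor's
detection. The query log below is constructed for illustration, the
"registered domain = last two labels" rule is a simplification (a real
detector would use the public suffix list), and thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample in the form  timestamp|client_ip|qtype|qname
SAMPLE_DNS_LOG = [
    # 10.0.0.21: steady TXT queries for unique, random-looking subdomains of one zone
    "2024-03-01T02:05:00Z|10.0.0.21|TXT|3f9a1c7e2b8d4065.beacon-cdn.example",
    "2024-03-01T02:05:30Z|10.0.0.21|TXT|e71b5d903c2af846.beacon-cdn.example",
    "2024-03-01T02:06:00Z|10.0.0.21|TXT|8c4d0e2a6f1b9735.beacon-cdn.example",
    "2024-03-01T02:06:30Z|10.0.0.21|TXT|a02f8e6c4b1d3975.beacon-cdn.example",
    "2024-03-01T02:07:00Z|10.0.0.21|TXT|5b7e3a1f9c0d2648.beacon-cdn.example",
    "2024-03-01T02:07:30Z|10.0.0.21|TXT|d6c1a8f3e0b59274.beacon-cdn.example",
    # 10.0.0.22: ordinary mail-related TXT lookups (SPF, DMARC, DKIM) plus an A query
    "2024-03-01T02:05:01Z|10.0.0.22|TXT|example.com",
    "2024-03-01T02:05:02Z|10.0.0.22|TXT|_dmarc.example.com",
    "2024-03-01T02:05:03Z|10.0.0.22|TXT|selector1._domainkey.example.com",
    "2024-03-01T02:05:04Z|10.0.0.22|A|www.example.com",
    # 10.0.0.23: a mail gateway checking SPF for many different sender domains
    "2024-03-01T02:05:05Z|10.0.0.23|TXT|example.net",
    "2024-03-01T02:05:06Z|10.0.0.23|TXT|example.org",
    "2024-03-01T02:05:07Z|10.0.0.23|TXT|mail.example.edu",
]


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Return (registered_domain, subdomain) using the last-two-labels simplification."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_txt_c2(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Group TXT queries per (client, registered domain) and return findings where
    the client asked for many distinct, high-entropy subdomains of the same zone:
    the shape of a beacon that encodes its payload in the query name and reads
    tasking from the TXT answer. Apex and well-known-label lookups (SPF, DMARC,
    DKIM) score low on both uniqueness and entropy, and a mail gateway querying
    many different zones never accumulates enough queries against one zone."""
    groups = defaultdict(list)    # (client, domain) -> list of subdomain strings
    for line in lines:
        _ts, client, qtype, qname = line.split("|")
        if qtype.upper() != "TXT":
            continue
        domain, sub = split_qname(qname)
        groups[(client, domain)].append(sub)
    findings = []
    for (client, domain), subs in groups.items():
        if len(subs) < min_queries:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        # Entropy of the leftmost label only: that is where encoded data usually sits.
        mean_entropy = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "txt_queries": len(subs),
                "unique_subdomains": len(set(subs)),
                "mean_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_txt_c2(SAMPLE_DNS_LOG):
        print(finding)
```

Only the 10.0.0.21 / beacon-cdn.example pair is reported. Two caveats for production use: legitimate high-volume TXT users (anti-spam engines, DKIM validators, some CDN health checks) should be allow-listed by client rather than by domain, and a beacon that sleeps for hours between polls will need a longer aggregation window than the per-run grouping shown here.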
Description last updated: 2024-07-17T21:15:38.590Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Ransomware
Associated Malware

Alias | Description | Association Type | Votes
Conti | The Conti malware is associated with Pysa. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails or websites, it can steal personal information, disrupt operations or hold data hostage for ransom. Notably, Conti was linked to several ra | Unspecified | 2
REvil | The REvil malware is associated with Pysa. REvil, also known as Sodinokibi, is malware that operates on a Ransomware-as-a-Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware such as Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th | Unspecified | 2