Alias: Protect Your System Amigo, Mespinoza
Infection Vectors: Phishing, Brute-forcing, RDP credential brute-forcing, spam emails
Targeted Sectors: Information Technology, Government, Non-Profit, Healthcare, Education, and Finance
Targeted Regions: North America, Western Europe, Africa
Motive: Data theft, Financial gains (via Ransom)
Protect Your System Amigo (PYSA) is a ransomware threat first spotted in December 2019, when it infected large corporate networks. The ransomware is believed to be a variant of the Mespinoza ransomware family, whose members were seen switching from the .locked extension to .PYSA for encrypted files. PYSA follows a Ransomware-as-a-Service (RaaS) model and refers to victim organizations as ‘partners’, since they are the source of the group’s profits.
The group communicates with its victims only by email, using more than one address per attack, all listed in the ransom note, and threatens victims with double extortion: encryption of their data plus publication of the data it has stolen.
Recently, the UK-based NCC Group warned of a 50% spike in PYSA ransomware activity during November 2021, with most attempts in North America and Europe. With this, PYSA overtook Conti and joined LockBit as one of the two most dominant ransomware families for the period.
From targeting private enterprise giants to organizations in the healthcare and education sectors during the coronavirus pandemic, the group leaves strong footprints wherever it goes. According to a Cyble report, there are 190+ victims of PYSA globally at present, with the U.S., UK, Canada, Spain, and Brazil being the top five targeted countries, in that order. Besides healthcare and education, the group has targeted professional services, manufacturing, technology, critical infrastructure, financial, transportation, and utility industries.

PYSA follows the big-game hunting style when it comes to choosing victims. For that reason, it has been under constant watch by the FBI since its appearance in the cyber landscape. The law enforcement body first cautioned against the group’s thriving activity in March 2021, when it was targeting K-12 schools, higher education institutions, and seminaries in about 12 U.S. states and the UK. Months later, in June 2021, the BlackBerry Research & Intelligence team spotted PYSA backdooring the education sector with the help of a new Golang-based RAT called ChaChi, which added obfuscation, port-forwarding, and DNS tunneling capabilities to the ransomware operation.
Decoding the PYSA infection
PYSA ransomware is human-operated malware (like AvosLocker and Epsilon Red), as the threat actors did not give it self-propagation abilities. The operators must manually deploy the ransomware on the targeted Windows-based machine or device, and they usually gain initial access with stolen credentials or phishing emails. The compromised credentials are typically obtained by brute-forcing Remote Desktop Protocol (RDP) logons and Active Directory domain accounts. In September 2021, the ransomware group added Linux capabilities to its ChaChi backdoor.
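Because PYSA's initial access so often comes from RDP credential brute-forcing, the burst of failed remote logons that precedes a successful one is a practical detection point. The following is an added example, not code from the page or from any vendor product: it parses a constructed export of Windows Security logon events (the one-line `EventID=... LogonType=... SourceIP=...` format and the 5-failures-in-2-minutes threshold are assumptions for this example, not a real Windows schema), flags a source address that fails repeatedly over RDP (logon type 10), and upgrades the alert when the same source then logs on successfully, which is the pattern of a guessed password.

```python
"""Detect RDP password-guessing bursts in Windows Security logon events.

Added illustration; the log line format and thresholds are assumptions
for this example and not a real Windows export schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: five failed RDP logons (4625, LogonType 10 =
# RemoteInteractive) from one source within seconds, then a success (4624)
# from the same source; a second source with a single failure; and a
# non-RDP failure that the detector should ignore.
SAMPLE_EVENTS = """\
2021-11-03T10:15:01Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
2021-11-03T10:15:02Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=admin
2021-11-03T10:15:03Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=backup
2021-11-03T10:15:04Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=helpdesk
2021-11-03T10:15:05Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=jsmith
2021-11-03T10:15:06Z EventID=4624 LogonType=10 SourceIP=203.0.113.7 User=jsmith
2021-11-03T10:20:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=jdoe
2021-11-03T10:30:00Z EventID=4624 LogonType=10 SourceIP=198.51.100.9 User=jdoe
2021-11-03T11:00:00Z EventID=4625 LogonType=2 SourceIP=10.0.0.5 User=local
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"SourceIP=(?P<ip>\S+) User=(?P<user>\S+)$"
)


def parse_events(text):
    """Turn the constructed one-line records into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "ip": m["ip"],
            "user": m["user"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: alert} for sources exceeding `threshold` failed
    RDP logons inside `window`; note a later success from the same source."""
    failures = defaultdict(deque)  # per source IP: (timestamp, user) of recent 4625s
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        recent = failures[ev["ip"]]
        if ev["eid"] == 4625:
            recent.append((ev["ts"], ev["user"]))
            while recent and ev["ts"] - recent[0][0] > window:  # slide the window
                recent.popleft()
            if len(recent) >= threshold and ev["ip"] not in alerts:
                alerts[ev["ip"]] = {
                    "kind": "rdp_bruteforce",
                    "failures": len(recent),
                    "users": sorted({u for _, u in recent}),
                    "success_after": None,
                }
        elif ev["eid"] == 4624 and ev["ip"] in alerts:
            alert = alerts[ev["ip"]]
            if alert["success_after"] is None:
                # A success right after a burst of failures suggests a guessed password.
                alert["success_after"] = ev["user"]
                alert["kind"] = "rdp_bruteforce_then_success"
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

The sliding window keeps memory bounded per source and lets the same logic run over a live event stream. In production the threshold should be tuned per environment, and the alert on a success after a burst is the one that warrants immediate account lockout and session review.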
Before deploying the ransomware, the operators execute PowerShell scripts that stop or remove system security mechanisms such as Windows Defender. The ransomware also deletes system restore snapshots and volume shadow copies so that victims lose the ability to restore the data it locks.
The operators also rely on open-source and freely available tools for stealth, credential theft, privilege escalation, and lateral movement. For instance, they have used Advanced Port Scanner and Advanced IP Scanner for port scanning and information gathering; the results let them discover the services running on computers across the network. They also make heavy use of tools such as PsExec, Koadic, Mimikatz, and PowerShell Empire for credential theft and lateral movement.
Further, PYSA actors use the WinSCP tool to exfiltrate data from systems before encrypting it. The locked files carry the .PYSA filename extension, and the ransom note contains the Protect Your System Amigo slogan.
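The pre-encryption steps described above (security tooling switched off, shadow copies deleted, data staged out with WinSCP, lateral movement with PsExec) each leave a process-creation record, and the combination on one host is a much stronger signal than any one of them. The following added example, which is not code from the page or from any vendor, runs a small rule set over a constructed set of process-creation events (the JSON field names `host`, `image`, `cmdline` are an assumed schema for this example, as is the severity ladder) and ranks hosts by how far down the PYSA playbook they appear to be.

```python
"""Triage process-creation events for PYSA-style pre-encryption activity.

Added illustration; the JSON schema, the rule list and the severity
ladder are assumptions made for this example.
"""
import json
import re
from collections import defaultdict

# Constructed sample of process-creation records (one JSON object per line).
# FS01 shows the full chain; WS07 shows only lateral movement; WS12 is a
# benign administrative query that must not fire the shadow-copy rule.
SAMPLE_PROCESS_LOG = r"""
{"ts": "2021-11-03T10:31:10Z", "host": "FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts": "2021-11-03T10:32:05Z", "host": "FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2021-11-03T10:33:40Z", "host": "FS01", "user": "CORP\\jsmith", "image": "C:\\Tools\\WinSCP.exe", "cmdline": "WinSCP.exe"}
{"ts": "2021-11-03T10:35:00Z", "host": "WS07", "user": "CORP\\admin", "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\FS02 -accepteula cmd.exe"}
{"ts": "2021-11-03T09:00:00Z", "host": "WS12", "user": "CORP\\itops", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
"""

# (tactic, human-readable title, pattern matched against "image cmdline").
RULES = [
    ("defense_evasion", "Defender real-time protection disabled via PowerShell",
     re.compile(r"Set-MpPreference.*DisableRealtimeMonitoring", re.I)),
    ("inhibit_recovery", "Volume shadow copies deleted with vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit_recovery", "Volume shadow copies deleted via WMI",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("lateral_movement", "PsExec remote execution",
     re.compile(r"(^|\\)psexec(64)?\.exe", re.I)),
    ("credential_theft", "Mimikatz executed",
     re.compile(r"mimikatz", re.I)),
    ("exfiltration", "WinSCP launched on a server",
     re.compile(r"(^|\\)winscp\.exe", re.I)),
]


def parse_process_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def match_rules(record):
    """Return the (tactic, title) pairs whose pattern hits this record."""
    haystack = f'{record.get("image", "")} {record.get("cmdline", "")}'
    return [(tactic, title) for tactic, title, rx in RULES if rx.search(haystack)]


def triage(records):
    """Aggregate rule hits per host and assign a severity.

    critical: security tooling disabled AND recovery inhibited on the same host
              (the state PYSA wants just before encryption)
    high:     recovery inhibited or exfiltration tooling seen
    medium:   any other single-tactic hit (e.g. PsExec alone)
    """
    per_host = defaultdict(lambda: {"tactics": set(), "hits": []})
    for rec in records:
        for tactic, title in match_rules(rec):
            per_host[rec["host"]]["tactics"].add(tactic)
            per_host[rec["host"]]["hits"].append((rec["ts"], title))

    result = {}
    for host, info in per_host.items():
        tactics = info["tactics"]
        if {"defense_evasion", "inhibit_recovery"} <= tactics:
            severity = "critical"
        elif "inhibit_recovery" in tactics or "exfiltration" in tactics:
            severity = "high"
        else:
            severity = "medium"
        result[host] = {
            "severity": severity,
            "tactics": sorted(tactics),
            "hits": sorted(info["hits"]),
        }
    return result


if __name__ == "__main__":
    for host, verdict in triage(parse_process_log(SAMPLE_PROCESS_LOG)).items():
        print(host, verdict["severity"], verdict["tactics"])
```

The point of aggregating by host rather than alerting per rule is that a lone `vssadmin list shadows` or an administrator's PsExec session is routine, while Defender being switched off and shadow copies being deleted on the same file server within minutes is the moment to isolate that host, because encryption typically follows immediately.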
The hybrid model of encryption
The ransomware uses the open-source Crypto++ (CryptoPP) C++ library for data encryption and applies a hybrid scheme that combines the Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC) with the Rivest-Shamir-Adleman (RSA) algorithm: AES handles the bulk of the data quickly, while RSA protects the symmetric keys, so the scheme balances encryption performance and security.
We have seen how PYSA uses phishing and brute-forcing to enter a victim’s network. While training employees against phishing attempts will help, enterprises should also consider reCAPTCHA authorization, along with two-factor authentication, to better protect user credentials and admin accounts. Frequent backups of sensitive enterprise data limit the scope of damage in the event of a ransomware attack. The backups themselves also need protection, as PYSA actors are capable of wiping those as well.
On top of this, organizations should adopt threat response automation solutions that provide an automated, playbook-driven response capability, so that potential threats are mitigated at machine speed and ransomware attacks are contained early.
Some other small but smart recommendations include using network segmentation, disabling unused RDP ports, updating software and OS only from official sources, adding email banners for outside messages, and auditing user accounts.
PYSA focuses on high-value finance, government, and healthcare organizations and continues to add victims to its leak site. The group’s approach to attacking its victims remains sophisticated yet simple, and highly rewarding for its members. It communicates with its so-called partners by email, which lets the threat actors adapt easily to varying attack scenarios while negotiating efficiently with victims. The ransomware group has now been active for more than a year and remains among the top trending threats.
Indicators of Compromise
Ransom Note Emails