
A Peek into the Destructive and Expanding Infrastructure of PYSA Ransomware

Origin: 2018

Alias: Protect Your System Amigo, Mespinoza

Infection Vectors: Phishing, Brute-forcing, RDP credential brute-forcing, spam emails

Targeted Sectors: Information Technology, Government, Non-Profit, Healthcare, Education, and Finance

Targeted Regions: North America, Western Europe, Africa 

Motive: Data theft, Financial gains (via Ransom)

Introduction

Protect Your System Amigo (PYSA) is a ransomware threat first spotted in December 2019, when it infected large corporate networks. The ransomware is believed to be a variant of the Mespinoza ransomware family, whose members were seen switching from the .locked extension to .PYSA for encrypted files. PYSA follows a Ransomware-as-a-Service (RaaS) model and refers to victim organizations as ‘partners’, since they are the source of the group's profits. The group communicates with its victims only by email, using more than one address per attack, all listed in the ransom note, and threatens victims with double extortion.

Recently, the U.K.-based NCC Group warned of a 50% spike in PYSA ransomware activity in November 2021, with most attempts in North America and Europe. With this, PYSA overtook Conti and joined LockBit as one of the two most dominant malware families for the period.

Targeted Organizations

From private enterprise giants to healthcare and education organizations during the coronavirus pandemic, the group leaves a clear trail wherever it goes. According to a Cyble report, PYSA has 190+ victims globally at present, with the U.S., U.K., Canada, Spain, and Brazil the five most-targeted countries, in that order. Besides healthcare and education, the group has targeted professional services, manufacturing, technology, critical infrastructure, financial, transportation, and utility industries.


PYSA follows a big-game hunting approach to selecting victims, and for that reason it has been under constant FBI watch since it appeared in the cyber landscape. The law enforcement body first cautioned against the group’s thriving activity in March 2021, when it was targeting K-12 schools, higher education institutions, and seminaries in about 12 U.S. states and the U.K. Months later, in June 2021, the BlackBerry Research & Intelligence team spotted PYSA backdooring the education sector with the help of a new Golang-based RAT called ChaChi, which added obfuscation, port-forwarding, and DNS tunneling capabilities to the ransomware operation.

PYSA actors have claimed several major victims, including the Australian financial service firm MyBudget, Haverhill Public Schools and other K-12 schools, and at least 11 U.S. healthcare entities. Hackney London Borough Council was listed as a victim on the group's leak site in January 2022. We believe the names of many major victims are still not public.

Decoding the PYSA infection

PYSA ransomware is human-operated malware, like AvosLocker and Epsilon Red, because its operators did not give it self-propagation capabilities. Threat actors must manually deploy the ransomware to the targeted Windows machine, typically after gaining initial access with stolen credentials or phishing emails. The compromised credentials are usually obtained by brute-forcing Remote Desktop Protocol (RDP) and the Active Directory domain. In September 2021, the ransomware group added Linux capabilities to its ChaChi backdoor.

Post-infection activities

Before deploying the ransomware, the attackers execute PowerShell scripts that stop or remove system security mechanisms such as Windows Defender. The ransomware also deletes system restore snapshots and shadow copies so that victims lose the ability to restore the data it has locked. The attackers rely on open-source tools for stealth, credential theft, privilege escalation, and lateral movement. For instance, they have used Advanced Port Scanner and Advanced IP Scanner for port scanning and information gathering, which lets them discover the services running on networked computers. They also make heavy use of tools such as PsExec, Koadic, Mimikatz, and PowerShell Empire for credential theft and lateral movement.

PYSA actors also use the WinSCP tool to exfiltrate data from systems before encryption. The locked files carry the .PYSA filename extension, and the ransom note contains the Protect Your System Amigo slogan.
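As an added illustration (not code from the post or from any vendor mentioned in it), the following Python detection logic runs the behaviours just described against constructed process-creation log lines: shadow-copy deletion, Defender tampering from PowerShell, the named scanner and lateral-movement tools, and the .PYSA extension. The exact command lines (vssadmin, wmic, Set-MpPreference) are assumptions, since the post names the behaviours but not the commands; the log format, host names and users are made up.

```python
import re

# Detection rules for the post-infection behaviours described above. The command
# strings (vssadmin/wmic, Set-MpPreference) are assumed; the post names only the behaviours.
RULES = {
    "shadow_copy_deletion": r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    "defender_tampering": r"Set-MpPreference\s+-Disable\w+|DisableAntiSpyware",
    "credential_lateral_tool": r"\b(?:psexec|koadic|mimikatz)(?:\.exe)?\b|invoke-mimikatz|powershell[\s_-]*empire",
    "network_scanner": r"advanced_(?:ip|port)_scanner",
    "pysa_extension": r"\.PYSA\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}
# Both of these on one host means recovery and defences are being removed ahead of encryption.
STAGING_RULES = {"shadow_copy_deletion", "defender_tampering"}

# Constructed process-creation records (not from the post): "<time> <host> <user> <command line>".
SAMPLE_EVENTS = [
    r'2022-01-10T09:12:01 WS01 corp\jdoe "C:\Program Files\Advanced IP Scanner\advanced_ip_scanner.exe" /s',
    r'2022-01-10T09:15:44 WS01 corp\jdoe powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2022-01-10T09:16:02 WS01 corp\jdoe vssadmin.exe delete shadows /all /quiet',
    r'2022-01-10T09:18:30 DC01 corp\admin C:\Tools\PsExec.exe \\FS01 -s cmd.exe',
    r'2022-01-10T09:20:11 WS02 corp\alice "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" report.docx',
    r'2022-01-10T09:22:05 FS01 SYSTEM cmd.exe /c rename Q3_finance.xlsx Q3_finance.xlsx.PYSA',
]

def scan_events(lines):
    """Return (host, user, rule, command) for every rule matching an event's command line."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=3)  # time, host, user, command line
        if len(parts) < 4:
            continue  # malformed record: skip rather than crash the scan
        _, host, user, command = parts
        for rule, pattern in COMPILED.items():
            if pattern.search(command):
                findings.append((host, user, rule, command))
    return findings

def hosts_with_ransomware_staging(findings):
    """Hosts where Defender was tampered with AND shadow copies were deleted."""
    seen = {}
    for host, _, rule, _ in findings:
        if rule in STAGING_RULES:
            seen.setdefault(host, set()).add(rule)
    return {host for host, rules in seen.items() if rules == STAGING_RULES}

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    print(*hits, "staging for encryption:", sorted(hosts_with_ransomware_staging(hits)), sep="\n")
```

The per-rule hits are useful on their own, but the correlation in hosts_with_ransomware_staging is the higher-confidence signal: defences off plus recovery points gone on the same host is the window in which encryption typically follows.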

The hybrid model of encryption

The ransomware uses the open-source CryptoPP (Crypto++) C++ library for data encryption, applying a hybrid scheme that combines the Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC) with the Rivest-Shamir-Adleman (RSA) algorithm. In a hybrid scheme of this kind, the fast symmetric cipher handles the bulk of the file data while the public-key algorithm protects the symmetric key, which is what lets the ransomware maximize both encryption performance and security.

Preventive measures

We have seen how PYSA uses phishing and brute-forcing to enter a victim’s network. While training employees against phishing attempts helps, enterprises should consider reCAPTCHA authorization along with two-factor authentication to better protect users’ credentials and admin accounts. Frequent backups of sensitive enterprise data limit the scope of damage in case of a ransomware attack. The backups themselves also need protecting, as PYSA actors are capable of wiping them too.

Above all, organizations should leverage threat response automation solutions that provide an automated, playbook-driven response capability to quickly mitigate any potential threat at machine speed and stay protected from ransomware attacks.

Other small but effective recommendations include network segmentation, disabling unused RDP ports, updating software and operating systems only from official sources, adding email banners to messages from outside the organization, and auditing user accounts.

Conclusion

PYSA focuses on high-value finance, government, and healthcare organizations and continues to add victims to its leak site. The group’s approach to attacking its victims remains sophisticated yet simple, and highly rewarding for its members. It communicates with its so-called partners via email, which lets the threat actors adapt easily to varying attack scenarios while negotiating efficiently with victims. Notably, the ransomware group has now been active for more than a year and is among the top trending threats.

Indicators of Compromise

File Extension
.PYSA

MD5
9ff0f8785b73ce6e86b0a269e44c6d1b

SHA1
e524a3f30f42676a38660373c99ad1d919b45202

SSDEEP
12288:aVchT6oi+OeO+OeNhBBhhBBpiOTn5CjGGc4dXOsOjKf:aVc1Jiin5yGpMIj

Posted on: January 21, 2022

