Skip to content
Ransomware group

Pysa

Pysa, also referred to as Mespinoza, is a ransomware family first observed in October 2019 via malspam.

Profile source: Mallory opens in a new tab

Pysa

Family profile

Pysa, also referred to as Mespinoza, is a ransomware family first observed in October 2019 via malspam. A newer variant appeared in December 2019 and became commonly known as Pysa because it appends the .pysa extension to encrypted files. The malware is associated with double-extortion activity, including encryption and theft of victim data, and has been linked in the provided content to the PYSA ransomware gang’s 2020 attack on Assured Imaging, where patient data was encrypted and stolen, affecting nearly 245,000 individuals. The content also notes Pysa activity impacting K-12 school districts and references a 2021 attack involving a Pysa variant that led to a HIPAA breach investigation.

Documented capabilities in the provided content include use of RSA and AES-CBC to encrypt targeted file extensions; modification of the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, including adding the ransom note; use of PowerShell scripts to deploy the ransomware; stopping antivirus services and disabling Windows Defender; deletion of shadow copies; credential extraction from the password database before file encryption; OS credential dumping with Mimikatz; brute-force attempts against a central management console and some Active Directory accounts; network reconnaissance using Advanced Port Scanner; and lateral movement via RDP connections. The malware has also been reported using PsExec to copy and execute the ransomware and executing a malicious binary named svchost.exe.

Behavioral analysis in the content states that Mespinoza/Pysa avoids encrypting certain Windows and critical operating system directories, checks removable media and shared network drives using GetDriveTypeW, looks for SQL-related processes, and runs verclsid.exe during execution. The CLSIDs observed were tied to C:\Windows\system32\SearchFolder.dll and a Microsoft SQL Server IDBProperties component. An encrypted key is appended to the end of each encrypted file. One analyzed sample did not delete Volume Shadow Copies, although other provided references state that Pysa has that functionality. Known sample hashes in the content include SHA-256 a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327 and e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead. Ransom note contact addresses mentioned in the content include raingemaximo@protonmail.com, gareth.mckie3l@protonmail.com, aireyeric@protonmail.com, ellershaw.kiley@protonmail.com, mespinoza980@protonmail.com, alanson_street8@protonmail.com, and lambchristoffer@protonmail.com.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • ProcDump
  • SessionGopher

Discovery Enum

  • ADRecon
  • Advanced IP Scanner
  • Advanced Port Scanner

Exfiltration

  • FileZilla
  • WinSCP

LOLBAS

  • PsExec
  • WMIC

Offsec

  • Chashell
  • Koadic
  • PowerShell Empire
  • PowerSploit

MITRE ATT&CK

Pysa in ATT&CK

30 distinct techniques

Reporting

Research mentioning Pysa

Apr 24
Govinfosecurity

Poor Risk Analysis Cost 4 Firms $1.7 Million in HIPAA Fines

The PYSA ransomware gang in 2020 encrypted and stole Assured Imaging's patient data, affecting nearly 245,000 individuals.

Apr 3
Data Breaches

Questions raised after Cherry Creek students notified of data breach, lawsuit - DataBreaches.Net

Pysa shuttered its leak site before it ever dumped data from more than half a dozen schools. Here's what we know so far. ... k-12 school districts fall prey to Pysa ransomware

Jul 25
Govinfosecurity

Government info security news, training, education - GovInfoSecurity

A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine for an upstate New York specialty surgery practice, which also agreed to a corrective action plan that will be monitored by federal regulators for the next two years.

Jul 25
Govinfosecurity

Latest

A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine for an upstate New York specialty surgery practice, which also agreed to a corrective action plan that will be monitored by federal regulators for the next two years.

Jul 25
Govinfosecurity

Latest

A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine for an upstate New York specialty surgery practice, which also agreed to a corrective action plan that will be monitored by federal regulators for the next two years.

Jul 25
Govinfosecurity

Latest

A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine...

Oct 31
Mitre Attack Website

Inhibit System Recovery, Technique T1490 - Enterprise | MITRE ATT&CK®

Pysa has the functionality to delete shadow copies.

Dec 21
Comodo

All I Want for Christmas Is Ransomware

"These include ‘LockBit, Zeppelin, Crysis/Dharma/Phobos, PYSA, Conti, and RansomEXX."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.