Credential Theft
- Mimikatz
- ProcDump
- SessionGopher
Pysa, also referred to as Mespinoza, is a ransomware family first observed in October 2019 via malspam.
Profile source: Mallory opens in a new tabPysa
Pysa, also referred to as Mespinoza, is a ransomware family first observed in October 2019 via malspam. A newer variant appeared in December 2019 and became commonly known as Pysa because it appends the .pysa extension to encrypted files. The malware is associated with double-extortion activity, including encryption and theft of victim data, and has been linked in the provided content to the PYSA ransomware gang’s 2020 attack on Assured Imaging, where patient data was encrypted and stolen, affecting nearly 245,000 individuals. The content also notes Pysa activity impacting K-12 school districts and references a 2021 attack involving a Pysa variant that led to a HIPAA breach investigation.
Documented capabilities in the provided content include use of RSA and AES-CBC to encrypt targeted file extensions; modification of the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, including adding the ransom note; use of PowerShell scripts to deploy the ransomware; stopping antivirus services and disabling Windows Defender; deletion of shadow copies; credential extraction from the password database before file encryption; OS credential dumping with Mimikatz; brute-force attempts against a central management console and some Active Directory accounts; network reconnaissance using Advanced Port Scanner; and lateral movement via RDP connections. The malware has also been reported using PsExec to copy and execute the ransomware and executing a malicious binary named svchost.exe.
Behavioral analysis in the content states that Mespinoza/Pysa avoids encrypting certain Windows and critical operating system directories, checks removable media and shared network drives using GetDriveTypeW, looks for SQL-related processes, and runs verclsid.exe during execution. The CLSIDs observed were tied to C:\Windows\system32\SearchFolder.dll and a Microsoft SQL Server IDBProperties component. An encrypted key is appended to the end of each encrypted file. One analyzed sample did not delete Volume Shadow Copies, although other provided references state that Pysa has that functionality. Known sample hashes in the content include SHA-256 a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327 and e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead. Ransom note contact addresses mentioned in the content include raingemaximo@protonmail.com, gareth.mckie3l@protonmail.com, aireyeric@protonmail.com, ellershaw.kiley@protonmail.com, mespinoza980@protonmail.com, alanson_street8@protonmail.com, and lambchristoffer@protonmail.com.
Ransomware.live
MITRE ATT&CK
Reporting
The PYSA ransomware gang in 2020 encrypted and stole Assured Imaging's patient data, affecting nearly 245,000 individuals.
Pysa shuttered its leak site before it ever dumped data from more than half a dozen schools. Here's what we know so far. ... k-12 school districts fall prey to Pysa ransomware
A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine for an upstate New York specialty surgery practice, which also agreed to a corrective action plan that will be monitored by federal regulators for the next two years.
A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine for an upstate New York specialty surgery practice, which also agreed to a corrective action plan that will be monitored by federal regulators for the next two years.
A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine for an upstate New York specialty surgery practice, which also agreed to a corrective action plan that will be monitored by federal regulators for the next two years.
A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine...
Pysa has the functionality to delete shadow copies.
"These include ‘LockBit, Zeppelin, Crysis/Dharma/Phobos, PYSA, Conti, and RansomEXX."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.